Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy
Researchers at Lookout have discovered a new Android surveillance tool which we attribute with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Named BouldSpy for the “BoulderApplication” class which configures the tool’s command and control (C2), we have been tracking the spyware since March 2020. Starting in 2023, the malware has drawn the attention of security researchers on Twitter and by others in the threat intelligence community characterizing it as an Android botnet and ransomware. While BouldSpy includes ransomware code, Lookout researchers assess that it is unused and nonfunctional, but could indicate ongoing development or an attempt at misdirection on the part of the actor.
Based on our analysis of exfiltrated data from C2 servers for the spyware, BouldSpy has victimized more than 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups. The evidence we have gathered implies that the spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol.
We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release. In our research, we obtained and reviewed a large quantity of exfiltrated data that included photos and device communications, such as screenshots of conversations, recordings of video calls, as well as SMS logs. Our analysis also revealed photos of drugs, firearms, and official FARAJA documents that indicate potential law enforcement use of the malware. However, much of the victim data points to its broader usage, which indicates targeted surveillance efforts towards minorities within Iran. Notably, much of the malware’s activities occurred during the height of the Mahsa Amini protests in late 2022.
We believe BouldSpy to be a new malware family based on the relatively small number of samples that we’ve obtained, as well as the lack of maturity around its operational security, such as unencrypted C2 traffic, hardcoded plaintext C2 infrastructure details, a lack of string obfuscation, and failure to conceal or remove intrusion artifacts. Until now, to the best of our knowledge the apps that we discovered and described in this article were never distributed through Google Play.
BouldSpy represents yet another surveillance tool taking advantage of the personal nature of mobile devices. The spyware is especially concerning given Iran's human rights track record. Lookout Mobile Endpoint Security and Lookout Life customers are protected from this threat.
Deployment and capabilities
The first locations exfiltrated from the victims are, with few exceptions, concentrated near Iranian provincial police stations, Iranian Cyber Police stations, Law Enforcement Command facilities, and border control posts. Based on this, we theorize that a victim’s device is confiscated once detained or arrested, and then subsequently physically infected with BouldSpy.
The FARAJA actor provides user friendly features on its C2 panel to perform device management of victims and build new custom BouldSpy malware applications, with the malware operator able to choose between a default package name of “com.android.callservice” (posing as an Android system service related to handling phone calls), or can trojanize various legitimate applications by inserting the “com.android.callservice” package. By setting up operations in this way, Iranian police officers or other personnel that have low technical skills can easily generate new malware samples, which makes it easier to ramp up deployment operations with minimal training.
Some of the apps BouldSpy impersonates include CPU-Z, a mobile CPU benchmarking tool, Currency Converter Pro, a Persian-language interest calculator, and an app named Fake Call which is a prank app that generates fake phone calls or text messages. In April 2023, we also acquired a sample that trojanized Psiphon, a popular VPN app that has over 50 million downloads.
Given the likelihood of physical installation as the initial vector for BouldSpy, it’s possible that BouldSpy victims had legitimate versions of these apps installed when their devices were confiscated, and that those apps were trojanized in order to avoid detection by the victim.
Notable surveillance capabilities
- Getting all account usernames available on the device and their associated types (such as Google, Telegram, WhatsApp and others)
- List of installed apps
- Browser history and bookmarks
- Live call recordings
- Call logs
- Take photos from the device cameras
- Contact lists
- Device information (IP address, SIM card information, Wi-Fi information, Android version, and device identifiers)
- List of all files and folders on the device
- Clipboard content
- Location from GPS, network, or cell provider
- SMS messages (sent, received and drafts)
- Record audio from the microphone
- Take screenshots
A notable capability of BouldSpy is that it can record voice calls over multiple Voice over IP (VoIP) apps as well as the standard Android phone app. These include:
- Blackberry BBM
- mail.ru VoIP calls
- Telegram VoIP
- Microsoft Office 365 VoIP functionality
- Slack VoIP
Persistent background activities
Most of BouldSpy’s surveillance actions happen in the background by abusing Android accessibility services. It also relies heavily on establishing a CPU wake lock and disabled battery management features to prevent the device from shutting down the spyware’s activities. As a result, victims could expect their device battery to drain much faster than normal. Once installed, the spyware will seek to establish a network connection to its C2 server and exfiltrate any cached data from the victim’s device to the server.
These actions occur when the user opens the app, or when the device is booted or rebooted. To make sure it can take actions frequently and consistently, BouldSpy uses a background service to handle most of the surveillance functionality. As illustrated in the below figure, the service restarts itself when its parent activity is stopped by either the user or the Android system.
Insecure C2 communication
We found that BouldSpy has the ability to encrypt files for exfiltration, but uses unencrypted web traffic between victim devices and the C2. This insecure implementation by the threat actor makes network analysis and detection easier by exposing the whole C2 communication in clear text.
Ability to run additional code
BouldSpy also has the ability to run arbitrary code, and download and run additional custom code from the C2, or run code within other apps as needed. This gives the malware additional options, such as the ability to improve its collection capabilities, introduce functionalities, or set up persistence in other apps.
Aside from the normal C2 via a web server, BouldSpy can also receive commands via SMS from a control phone, which is a fairly unique feature. This enables the spyware to surveil victims even in poorly-developed regions that lack internet availability, but are still reachable over standard cell networks.
SMS commands follow a format starting with asterisk (*) and ending with the hashtag/pound sign (#) with arbitrary text between them. The commands usually start with a three-digit number and are split into separate parameters which are separated by asterisks. The known commands are listed in the table below.
BouldSpy samples ship with ransomware code borrowed from an open source Android ransomware project named CryDroid. However, Lookout researchers assess this code as unused and nonfunctional. This code might be a sign of an ongoing development or a false flag artifact to misdirect analysts.
Command and Control Infrastructure
Lookout found BouldSpy C2 servers at IP addresses 192.99.251[.]51, 192.99.251[.]50, 192.99.251[.]49, 192.99.251[.]54, 84.234.96[.]117, and 149.56.92[.]127. Of these, only 192.99.251[.]51 and 84.234.96[.]117 are currently active. A common feature of these is the use of port 3000 to access the C2’s administration panel, which requires authentication. From analyzing these servers, we were able to uncover the following victim information:
- 66,000 call logs
- 15,000 installed apps
- 100,000 contacts
- 3,700 user accounts
- 3,000 downloaded files
- 9,000 keylogs
- 900 locations
- 400,000 text messages
- 2,500 photos
We believe that there are likely more victims and associated data collected because exfiltration data on C2 servers are often cleared.
Indicators of Compromise (IOCs)
BouldSpy Sample SHA1s:
Command and Control: