July 24, 2019

New Surveillanceware Developed by Russian Defence Contractor


Monokle is a new and sophisticated set of custom Android surveillanceware tools developed by the Russia-based company Special Technology Centre, Ltd., which was sanctioned by the U.S. Government in connection with interference in the 2016 U.S. presidential elections.

Lookout discovered Monokle in 2018 and our research indicates that these tools are part of a targeted set of campaigns and are developed by the St. Petersburg, Russia-based company, Special Technology Centre, Ltd. (STC), which is notable for providing material support to the GRU in its interference in the 2016 U.S. Presidential election.

Monokle possesses remote access trojan (RAT) functionality, uses advanced data exfiltration techniques, and can install an attacker-specified certificate in the trusted certificate store on an infected device, which would facilitate man-in-the-middle (MITM) attacks. This ability is something that Lookout researchers have never seen in the wild before.

Special Technology Centre, Ltd: A Russian defense contractor and developer of Monokle

In late 2016, the amendment to Executive Order 13964 issued by then-President Barack Obama imposed sanctions on STC as one of three companies that provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election. STC is a private defense contractor in Russia known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment for supply to the Russian military, as well as other government customers.

Lookout research, which uncovered previously unknown mobile software development and surveillance capabilities, shows that STC is developing both offensive and defensive Android security software. It is through STC’s connection to its own Android antivirus solution, called Defender, that Lookout can establish conclusively that STC is the developer of Monokle.

Monokle: advanced mobile surveillanceware used in highly targeted attacks

Monokle is a great example of the larger trend, which we have observed over the years, of enterprises and nation-states developing sophisticated mobile malware. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle is a unique and advanced mobile surveillance tool because it:

  • Uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access. In particular, it makes extensive use of the Android accessibility services to exfiltrate data from third party applications.
  • Installs an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.
  • Uses predictive-text dictionaries to get a sense of the topics of interest to a target.
  • Has the ability to record the device’s screen during a screen unlock event, allowing it to compromise a user’s PIN, pattern or password.

Monokle appears in a very limited set of applications, which implies that attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.

Mobile surveillance is on the rise

In 2015, Lookout and Citizen Lab reported on Pegasus, one of the most sophisticated nation-state mobile surveillanceware threats Lookout has discovered. Since then, Lookout has reported on a number of advanced surveillance tools, from Stealth Mango to Dark Caracal, indicating that mobile surveillanceware is not only on the rise but also evolving with new and novel functions.

As we continue to move toward a post-perimeter world, nation-states and enterprises alike need to adopt a security structure that protects against the ever-evolving threat of mobile surveillanceware.

*Lookout customers have been protected against Monokle since early 2018.

For more in-depth details and analysis on Monokle, download the technical report.


Apurva Kumar

Former Security Intelligence Engineer

Apurva Kumar was a Security Intelligence Engineer at Lookout between 2017 and 2021.
