Android Spyware BouldSpy Linked to Iranian Government

A new Android surveillance tool discovered by data protection experts at Lookout and further discussed by Zimperium has been attributed to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Called BouldSpy, the mobile malware has been used by threat actors to target minority groups and potentially those involved in illegal trafficking activities, according to an advisory published by Zimperium on Wednesday.

“BouldSpy has extensive surveillance capabilities, such as recording calls, capturing photos, and monitoring account usernames across various platforms,” explained Zimperium security researcher Nicolás Chiaraviglio.

BouldSpy keeps its application alive by turning off battery management and establishing CPU wake locks while simultaneously leveraging Android accessibility services to perform most of its surveillance actions.

“By abusing CPU wake locks and disabling battery management features, the spyware prevents the device from shutting down its activities, causing faster battery drainage for victims,” Chiaraviglio explained.

“Once installed, BouldSpy establishes a network connection with its command and control (C2) server, and exfiltrates cached data from the victim’s device. A background service manages most of the surveillance functionality and restarts itself when its parent activity is stopped by either the user or the Android system.”

Zimperium has cautioned that BouldSpy is highly risky to both individuals and the general public due to its advanced surveillance capabilities.

“The targeted surveillance of minority groups within Iran may lead to further discrimination and suppression, amplifying existing social and political tensions,” Chiaraviglio wrote.

At the time of writing, Zimperium has observed a limited number of BouldSpy samples, all distributed outside the Google Play Store via third-party services.

“The spyware has not been distributed through Google Play, making it more challenging for users to identify and avoid. Moreover, this shows the danger of sideloading applications from unknown third-party sources,” Chiaraviglio said.
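As an added example (not code from the article, Lookout or Zimperium), a small adb-output triage script that ties together the persistence indicators described above with the sideloading point: it flags packages that were not installed by an app store, are exempt from battery optimisation and own an enabled accessibility service. The sample outputs are constructed, and the command formats are assumed from `pm list packages -i`, `dumpsys deviceidle whitelist` and the `enabled_accessibility_services` secure setting.

```python
"""Triage heuristic for the BouldSpy-style persistence pattern (constructed example).
Cross-references three pieces of device state a defender can pull over adb."""
import re

# Constructed sample of `adb shell pm list packages -i`: package plus installer.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:org.sample.svc  installer=null
"""

# Constructed sample of `adb shell dumpsys deviceidle whitelist`: <type>,<package>,<uid>.
IDLE_WHITELIST = """\
system,com.android.phone,1001
user,org.sample.svc,10231
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
ENABLED_A11Y = "com.android.talkback/.TalkBackService:org.sample.svc/.MonitorService"

# Installer packages treated as legitimate app stores (assumption: only Google Play here).
KNOWN_STORES = {"com.android.vending"}


def parse_installers(text):
    """Map package -> installer package (None when sideloaded via adb or a file)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)$", text, re.M):
        pkg, inst = m.group(1), m.group(2)
        out[pkg] = None if inst == "null" else inst
    return out


def parse_idle_whitelist(text):
    """Packages the user exempted from Doze / battery optimisation ('user,' rows)."""
    return {line.split(",")[1] for line in text.splitlines() if line.startswith("user,")}


def parse_a11y_services(value):
    """Packages owning an enabled accessibility service (entries look like pkg/.Service)."""
    return {entry.split("/")[0] for entry in value.split(":") if entry}


def flag_suspicious(pm_list, whitelist, a11y):
    """Return packages showing all three indicators, sorted for stable output."""
    installers = parse_installers(pm_list)
    sideloaded = {p for p, i in installers.items() if i not in KNOWN_STORES}
    hits = sideloaded & parse_idle_whitelist(whitelist) & parse_a11y_services(a11y)
    return sorted(hits)


if __name__ == "__main__":
    for pkg in flag_suspicious(PM_LIST, IDLE_WHITELIST, ENABLED_A11Y):
        print("review:", pkg)
```

A hit is a starting point for manual review, not a verdict: legitimate accessibility apps can match two of the three indicators, which is why all three are required.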

The Zimperium advisory comes weeks after the threat actor known as Mint Sandstorm was observed weaponizing N-day vulnerabilities to target US critical infrastructure.

Article updated on 05/05/2023 to reflect that BouldSpy was first discovered by Lookout.