This article originally appeared in the US edition of Forbes. Forbes Russia publishes its full translation.

Researchers have discovered Android spyware that appears to have been built by one of the key suppliers of surveillance systems to the Russian authorities. It hides inside fake apps that masquerade as Evernote, Google Play, Pornhub and other popular Android applications.

According to a report released on Wednesday by the US cybersecurity company Lookout, the malicious applications originate from a company with the nondescript name Special Technology Center (STC). The St. Petersburg firm came under scrutiny after it was placed under US sanctions during the Obama administration in connection with the hacking campaign aimed at interfering in the 2016 elections.

Lookout found that STC developed malware that harvests passwords and turns phones into listening devices. The malware, named Monokle, can record the screen of a locked phone to capture passwords, read the predictive-text dictionaries to learn what the victim is interested in, record calls and listen through the infected phone's microphone. Monokle has been infecting Android phones since 2016, and its activity increased early last year.

The malware hides in fake versions of apps such as Google Play, Evernote, Skype, the encrypted messenger Signal and Pornhub.

After analysing a sample of the counterfeit apps, Lookout said Monokle's most likely targets are English speakers, residents of the Caucasus and people interested in the radical Syrian group Ahrar al-Sham (banned in Russia). The last conclusion follows from the fact that victims had installed an app called Ahrar Maps. Users of the messenger UzbekChat could also have been among the victims.

Given how widely these applications are used, it is impossible to say exactly which group of English speakers was targeted, admits Adam Bauer, a senior security intelligence engineer at Lookout. "It is difficult to draw conclusions because it is a very popular app," says Bauer.

Nor could he say how victims came to download the malware instead of the genuine application. Bauer said that Apple and Google had been notified of the findings.

Apple did not respond to a request for comment. Google said that none of these applications had ever been offered in the Google Play Store, and added that Android users receive a warning if Google Play Protect detects malware on their device.

What is STC?

The researchers argue that Monokle is a product of Special Technology Center, a company engaged in surveillance and cybersecurity work that fell under US sanctions. The sanctions list published in December 2016 said little about the company, only that it had helped Russia's military intelligence agency, the GRU, "to carry out technical intelligence".

After the sanctions were imposed, Forbes USA learned more about the company. One source familiar with its activities, who wished to remain anonymous, told Forbes USA that the company is run by graduates of the Military Academy of Communications in St. Petersburg, an institution under the Ministry of Defence that is a five-minute drive from STC's headquarters.

In the company's founding documents reviewed by Forbes USA, the director of STC is named as Alexander Mityanin. An interview with him provides a brief biography, which mentions that Mityanin studied at the military academy and was awarded Ministry of Defence medals.

Mityanin is also named as STC's director in a brochure issued by Federalismo, a conference for Russian government contractors. The document states that STC was founded in 2001 and that the company supplies multifunctional radio monitoring systems to "all federal agencies of the Russian Federation". It also holds licences for the development and production of arms and military equipment. The brochure is illustrated with pictures of a drone, a surveillance van and other spy equipment.

In extracts from the company register (1, 2), the general director of the organisation is named as V. A. Mikhailov, and the president only as Alexander. Very little is known about these managers. According to Lookout, the company employs up to 1,500 staff.

At the time of publication, STC had not responded to a request for comment.

Among the companies also on Obama's 2016 sanctions list was ZOR Security ("Digital Weapons and Protection", formerly known as EsageLab). When Forbes USA spoke with its founder, Alisa Shevchenko (aka Esage), shortly after the sanctions were imposed, she said she had nothing to do with the hacking attacks on the 2016 elections and added that she believed she had been made a scapegoat.

Read more about Alisa Shevchenko's business in: Contract hacking: how a hacker built a business on banks and corporations

The US government has still not explained what role it believes she, STC and a third contractor, the Professional Association of Designers of Data Processing Systems, played in the attack on the Democratic National Committee and the release of thousands of sensitive emails.

From Android to iPhone

The discovery of Android spyware shows that STC is expanding surveillance capabilities that were previously aimed at intercepting radio and satellite signals rather than hacking smartphones. Indeed, the company is perhaps best known as the manufacturer of the Orlan-10 drone used by the Russian army.

But STC appears to be working not only on Google's platform but also on mobile software for Apple's iPhone. Forbes USA found job advertisements from 2017 in which STC was seeking iOS and Android developers. Lookout also said it had found evidence that STC was developing malware for the iPhone: the Android malware's code contained a fragment relating to the Apple Keychain, where iOS stores passwords, and other fragments appear to intercept data from Apple HealthKit and iCloud. Lookout believes these references may have ended up in the code because work on iPhone malware is built on similar infrastructure.

In addition, Lookout says that STC develops cybersecurity tools for the authorities. The company's analysts said they were able to trace the malware back to STC because it used some of the same servers and signing certificates (whose purpose is to vouch for an application's authenticity) as Defender, an Android antivirus also developed by the Russian contractor. According to Lookout, Defender was sold to the government.
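The attribution step described above is a pivot on shared indicators: two APKs signed with the same certificate, or talking to the same server, are linked, and chains of such links join samples into one cluster. The following is an added illustration of that technique, written for this page; it is not Lookout's tooling or any code from STC. All sample names, certificate fingerprints and hostnames are constructed placeholders. In real use the signer fingerprints would come from `apksigner verify --print-certs` or from parsing `META-INF/*.RSA` in the APK, and the hosts from string extraction or sandbox network logs.

```python
"""Pivot on shared signing certificates and C2 hosts across APK samples.

Added example for this article, not Lookout's or STC's code. The inventory
below is constructed: fingerprints and hostnames are placeholders.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed inventory: sample -> {indicator kind -> indicator values}.
# Real values: "signer" = SHA-256 of the APK signing cert, "c2" = hosts contacted.
SAMPLES: Dict[str, Dict[str, Set[str]]] = {
    "evernote_fake.apk":  {"signer": {"SHA256:aaaa"}, "c2": {"host-a.example", "host-b.example"}},
    "signal_fake.apk":    {"signer": {"SHA256:aaaa"}, "c2": {"host-c.example"}},
    "defender_av.apk":    {"signer": {"SHA256:bbbb"}, "c2": {"host-b.example"}},
    "pornhub_fake.apk":   {"signer": {"SHA256:bbbb"}, "c2": {"host-d.example"}},
    "ahrar_maps.apk":     {"signer": {"SHA256:cccc"}, "c2": {"host-c.example"}},
    "unrelated_game.apk": {"signer": {"SHA256:dddd"}, "c2": {"host-z.example"}},
}

Indicator = Tuple[str, str]  # (kind, value)


def build_index(samples: Dict[str, Dict[str, Set[str]]]) -> Dict[Indicator, Set[str]]:
    """Invert the inventory: each indicator -> the set of samples carrying it."""
    index: Dict[Indicator, Set[str]] = defaultdict(set)
    for name, indicators in samples.items():
        for kind, values in indicators.items():
            for value in values:
                index[(kind, value)].add(name)
    return index


def cluster_samples(samples: Dict[str, Dict[str, Set[str]]]) -> List[Set[str]]:
    """Union-find over samples: any two samples sharing an indicator are merged.
    Returns clusters sorted largest first."""
    index = build_index(samples)
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for members in index.values():
        ordered = sorted(members)
        for other in ordered[1:]:
            root_a, root_b = find(ordered[0]), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in samples:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def explain_link(samples: Dict[str, Dict[str, Set[str]]], src: str, dst: str) -> List[Tuple[str, str, str]]:
    """Breadth-first search through the sample/indicator graph. Returns the chain of
    (sample, shared indicator, next sample) hops that connects src to dst, or [] if
    the two samples are unrelated. This is the evidence an analyst would cite."""
    index = build_index(samples)
    prev: Dict[str, Tuple[str, str]] = {src: None}  # sample -> (previous sample, indicator)
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            break
        for kind, values in samples[current].items():
            for value in sorted(values):
                for neighbour in sorted(index[(kind, value)]):
                    if neighbour not in prev:
                        prev[neighbour] = (current, f"{kind}={value}")
                        queue.append(neighbour)
    if dst not in prev:
        return []
    path = []
    node = dst
    while prev[node] is not None:
        previous, indicator = prev[node]
        path.append((previous, indicator, node))
        node = previous
    return list(reversed(path))


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLES):
        print(sorted(cluster))
    for hop in explain_link(SAMPLES, "defender_av.apk", "signal_fake.apk"):
        print(" -> ".join(hop))
```

In the constructed data, `defender_av.apk` and `signal_fake.apk` share neither a certificate nor a host directly, yet `explain_link` connects them in two hops (a shared C2 host, then a shared signer), which is the kind of transitive overlap the article describes. The caveat a practitioner should keep in mind: a single shared indicator can be coincidental (a shared CDN hostname, a leaked or test certificate), so the strength of a cluster rests on how specific the shared indicators are, not merely on the path existing.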

Read also: Surveillance of social networks and a study of cutting the Runet off from the global network: what hackers found in the archive of a "secret FSB contractor"

In the same week that Lookout's research was published, it emerged that another contractor to the Russian authorities, SyTech, had been attacked and that terabytes of files relating to its work for the FSB had leaked. Like the US, Russia finds it hard to keep its clandestine operations secret.

Translation: Natalia Balabanchevo
