Discovered by Lookout Threat Lab, BouldSpy is a newly identified Android malware attributed to the Iranian government, specifically the Law Enforcement Command of the Islamic Republic of Iran, known as FARAJA. In operation since at least March 2020, BouldSpy is notable for its command and control (C2) capabilities and has recently drawn attention from security researchers on Twitter and in the broader threat intelligence community. Although it has been identified as both a botnet and ransomware, its ransomware component is currently inactive, which could indicate ongoing development or an attempt to mislead investigators.
Targeted Surveillance
Focus on Minority Groups
BouldSpy has targeted over 300 individuals, focusing on minority groups within Iran, including Iranian Kurds, Baluchis, Azeris, and Armenian Christian communities. The spyware has been used to monitor these groups, which indicates a purpose beyond conventional law enforcement. Data exfiltrated to BouldSpy’s C2 servers confirms this targeting. These communities, already vulnerable, face intensified scrutiny and risk as a result of BouldSpy’s surveillance capabilities. Such targeted surveillance not only infringes on privacy but also deepens the marginalization of these minority groups.
The data gathered is extensive and intrusive, providing the attackers with significant insights into the personal lives of their victims. By focusing on these minority groups, BouldSpy appears to serve as a tool for systemic monitoring and repression. This surveillance method poses severe human rights concerns, as it creates an environment of fear and control. Such targeted actions demonstrate a broader strategy to suppress dissent and monitor populations perceived as political or social threats.
Political Implications
BouldSpy gained prominence during the Mahsa Amini protests in late 2022, with a notable increase in its operations. This period underscores the utility of the malware in politically charged environments and highlights its role in systematic surveillance activities. The deployment of BouldSpy during these protests indicates its strategic use for political monitoring, particularly in the face of growing unrest and demands for political reform. Such usage not only aids suppression but also collects valuable intelligence on protesters and activists.
The timing of BouldSpy’s heightened activity during the Mahsa Amini protests further emphasizes its importance to state authorities. The data collected during such politically sensitive times can be exploited to track, harass, or detain individuals involved in dissenting activities. This underscores the broader dangers of using technology as a tool for political repression, raising important questions about accountability and the ethical implications of such surveillance practices.
Technical Characteristics
Immature Operational Security
Technical analysis of BouldSpy identifies it as a novel malware strain. Several indicators support this classification: the absence of encrypted C2 traffic, of string obfuscation, and of any capability to remove intrusion artifacts, together with C2 infrastructure details hardcoded in plaintext. These traits point to an immature level of operational security and further support BouldSpy’s standing as a relatively new threat. Its simplistic design should make detection and mitigation easier for defenders, yet the malware still poses significant risk because of its covert activities.
Despite its immature operational security, BouldSpy’s surveillance capabilities should not be underestimated. The lack of encryption for C2 communications, for example, eases the task of network analysis and detection but also reflects a relatively unsophisticated development stage. However, even in its nascent form, BouldSpy’s potential for harm is substantial, given its extensive data collection functions and focus on vulnerable populations.
Espionage Capabilities
BouldSpy leverages Android accessibility services to conduct espionage activities covertly. It acquires a CPU wake lock and disables battery management functions to ensure continuous operation, which results in faster battery drain on affected devices. This tactic keeps the spyware active even while the device appears idle. Upon installation, BouldSpy connects to its C2 server to begin data exfiltration. Although BouldSpy can encrypt files before exfiltrating them, its C2 communication occurs over unencrypted web traffic, which exposes the C2 interactions in clear text and eases network analysis and detection.
The spyware’s reliance on Android accessibility services for its operations highlights a sophisticated understanding of the operating system, allowing it to remain relatively hidden from users. By ensuring continuous operation through the manipulation of power management, BouldSpy can sustain its espionage activities without interruption, providing the attackers with an uninterrupted stream of data. This method, although draining for the device’s battery, ensures that surveillance can proceed with minimal user awareness.
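The traits described above (an accessibility service, a wake lock, a battery-optimization bypass and cleartext C2 traffic) can all leave evidence in an app's manifest, so a defender can triage a suspect APK for them statically. The script below is an added example, not Lookout's tooling or BouldSpy's real manifest; the sample manifest, package name and service name are constructed for illustration.

```python
# Added example: static triage of an Android manifest for BouldSpy-style traits.
# The sample manifest below is constructed; it is not BouldSpy's real manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
WAKE_LOCK_PERM = "android.permission.WAKE_LOCK"
BATTERY_OPT_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def _attr(elem, name):
    # Android attributes are namespaced: {http://schemas.android.com/apk/res/android}name
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return {trait: bool} for each BouldSpy-style trait found in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    return {
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
        "accessibility_service": any(_attr(s, "permission") == ACCESSIBILITY_PERM for s in services),
        "wake_lock": WAKE_LOCK_PERM in perms,                 # keeps the CPU awake while idle
        "battery_opt_bypass": BATTERY_OPT_PERM in perms,       # exempts itself from Doze
        # Cleartext HTTP allowed app-wide: consistent with unencrypted C2 traffic.
        "cleartext_traffic": app is not None and _attr(app, "usesCleartextTraffic") == "true",
    }


def risk_score(found: dict) -> int:
    """Number of BouldSpy-style traits present (0-4); 3 or more warrants manual review."""
    return sum(1 for present in found.values() if present)


# Constructed manifest imitating a trojanized "CPU-Z" lookalike with all four traits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cpuz.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="CPU-Z" android:usesCleartextTraffic="true">
    <service android:name=".Watcher" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: only INTERNET, no accessibility service, no cleartext flag.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Calculator"/>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "score:", risk_score(found))
```

Run it against `aapt dump xmltree` output converted back to XML, or against the decoded manifest from apktool; a high score is a triage signal, not proof of infection.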
Data Collection and Victim Management
Extensive Data Harvesting
Data analysis from BouldSpy’s C2 servers revealed significant amounts of victim information, including call logs, installed apps, contacts, user accounts, downloaded files, keylogs, locations, text messages, and photos. This extensive data collection underscores the spyware’s comprehensive surveillance capabilities. The volume and variety of data harvested provide a detailed picture of the victims’ personal and professional lives, adding layers of complexity to the threat they face. The amassed data, including sensitive personal and communication information, could be used for blackmail, intimidation, or further cyber attacks.
This level of data collection is deeply invasive, with the potential to cause significant harm to the affected individuals. The detailed records of contacts, communications, and even physical locations enable attackers to target not just the primary victim but their entire network of associates. Such comprehensive surveillance can lead to broader societal impacts by fostering a climate of fear and mistrust among these already marginalized communities.
User-Friendly C2 Panel
FARAJA’s threat actor manages the malware through a user-friendly C2 panel that allows for victim device management and the development of customized BouldSpy applications. The malware masquerades as legitimate apps such as CPU-Z, Interest Calculator, Currency Converter Pro, Fake Call, Call Service, and Psiphon, enhancing its ability to evade detection. This approach not only aids in the distribution of the malware but also ensures its persistence on the infected devices by leveraging applications that users trust and use regularly.
The user-friendly nature of the C2 panel facilitates efficient management of the malware, enabling operators to execute surveillance activities with relative ease. The ability to develop customized BouldSpy applications and disguise them as legitimate apps further compounds the threat by increasing the likelihood of successful infections. This adaptability and ease of use make BouldSpy a potent tool for ongoing surveillance and data exfiltration.
Broader Implications
Potential for Wider Surveillance
Security analysts suggest that BouldSpy may have additional victims and more extensive data collection activity than observed, because exfiltrated data is routinely deleted from its C2 servers. This implies a broader, undiscovered scope of surveillance and raises significant concerns about the reach and impact of the malware. The routine deletion may also be an attempt by the operators to cover their tracks, which complicates efforts to establish the full extent of BouldSpy’s operations and the actual number of victims.
The potential for wider surveillance underscores the critical need for coordinated efforts among governments, technology companies, and civil society to address this threat. The undiscovered extent of BouldSpy’s reach calls for robust investigative measures and enhanced defensive strategies to mitigate the risks posed by this and similar malware.
Need for Vigilance
BouldSpy, identified by Lookout Threat Lab and linked to FARAJA, has been active since at least March 2020 and has recently drawn significant attention from security researchers on social media platforms like Twitter and within the broader threat intelligence community. Although it has been categorized as both a botnet and ransomware, its ransomware functionality is currently inactive, which could imply further development is underway or an attempt to divert investigators’ focus. The dormant ransomware component might also be a deliberate move by its operators to mask their true intentions, or to refine the malware further before deploying it more widely. The ongoing analysis of BouldSpy underscores the evolving nature of cyber threats and the importance of vigilant cybersecurity practices.