A recent blog post has uncovered a dangerous new Android surveillance tool called BouldSpy, attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). This spyware targets minority groups and potentially those involved in illegal trafficking activities. BouldSpy has extensive surveillance capabilities, such as recording calls, capturing photos, and monitoring account usernames across various platforms. This blog post delves into the capabilities and dangers of BouldSpy and emphasizes how our on-device machine learning technology can protect our customers from this threat.
BouldSpy relies on aggressively keeping the application alive by disabling battery management and establishing CPU wake locks while taking advantage of Android accessibility services to carry out most of its surveillance actions. By abusing CPU wake locks and disabling battery management features, the spyware prevents the device from shutting down its activities, causing faster battery drainage for victims. Once installed, BouldSpy establishes a network connection with its command and control (C2) server and exfiltrates cached data from the victim’s device. A background service manages most of the surveillance functionality and restarts itself when its parent activity is stopped by either the user or the Android system.
The emergence of BouldSpy poses significant risks to targeted individuals and the broader community due to its extensive surveillance capabilities. The spyware can gather sensitive information and communications, violating the privacy of its victims. Furthermore, BouldSpy has been linked to the Iranian government, raising concerns over state-sponsored surveillance and potential human rights abuses. The association of BouldSpy with Iran’s Law Enforcement Command (FARAJA) is particularly concerning, given the country’s human rights track record. The targeted surveillance of minority groups within Iran may lead to further discrimination and suppression, amplifying existing social and political tensions.
BouldSpy is a new malware family, given the limited number of samples disclosed (20) and its apparent lack of maturity in operational security. The spyware has not been distributed through Google Play, making it more challenging for users to identify and avoid. Moreover, this shows the danger of sideloading applications from unknown third party sources. Zimperium detects all known variants of BouldSpy using our on-device machine learning engine. Furthermore, since the classifiers used to perform the detection were not trained on BouldSpy samples, it’s safe to assume that similar unknown variants will also be detected.
Zimperium’s dynamic on-device detection engine continually scans mobile applications installed on users’ devices to identify malicious capabilities, such as those found in BouldSpy. By staying up-to-date with the latest discoveries in the cybersecurity landscape, such as the findings from the recent blog post, our on-device machine learning solution provides timely protection to our customers against emerging cyber threats,including unknown new samples of BouldSpy.