
Iranian Surveillance Operations Use BouldSpy to Track Minority Groups

A new Android surveillance tool has been discovered in use by the Iranian government. The malware, named BouldSpy, has been associated with the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). It is used to track minority groups in Iran and to monitor drug, alcohol, and arms trafficking.

BouldSpy: Using the new surveillance tool

Since the start of 2023, BouldSpy has attracted the attention of security researchers on Twitter and others in the intelligence community, who characterized the threat as an Android botnet and ransomware.
  • The malware’s C2 panel allows attackers to control victim devices and build custom BouldSpy apps that impersonate Android system services, CPU-Z, Psiphon, and Fake Call.
  • For the initial vector, it is possible that BouldSpy targeted victims with genuine versions of the above-mentioned apps installed. These apps were then trojanized to avoid detection.
  • The malware performs its activities in the background by abusing Android accessibility services. It is triggered whenever the user opens one of the targeted apps or when the device is booted or rebooted.

Who are the victims?

  • BouldSpy has been in use since at least 2020 and has already targeted more than 300 people, including minority groups such as the Baluchis, Iranian Kurds, Azeris, and Armenian Christians.
  • The victims were in close proximity to Iranian provincial police stations, cyber police stations, border control posts, and law enforcement command facilities.
  • Further, experts believe that once a victim is detained or arrested, their devices are physically infected with BouldSpy.

Capabilities of BouldSpy

BouldSpy harvests account usernames for applications and services (Google, WhatsApp, Telegram), contact lists, the list of installed apps, files and folders, call logs, browser data, clipboard content, device details, and SMS messages.
  • The malware records phone calls, takes photos using the phone’s camera, logs keystrokes, gets device location, and records audio. It can further record voice calls over multiple VoIP apps.
  • Additionally, it can run arbitrary code, download and run additional code obtained from the C&C, and run code within other apps. It has ransomware code, taken from the open-source project CryDroid.
  • Along with normal C2 via a web server, the spyware can receive commands via SMS from a control phone. This allows it to surveil victims in poorly developed regions that lack internet connectivity.
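As an added defender-side example (not code from the original report or from the researchers who analysed BouldSpy): a Python triage script that parses a simplified, constructed `dumpsys package`-style inventory and flags installed packages whose requested permissions cover the capability set described above while also binding an accessibility service, the combination of persistence, SMS command channel, call recording, camera and call-log access that the report attributes to BouldSpy. The inventory layout, package names and the flagging threshold are assumptions; the permission names are standard Android ones.

```python
# Constructed sample in a simplified `dumpsys package`-like layout (not captured from a real device).
SAMPLE_INVENTORY = """\
Package [com.example.cpuz.clone]:
  requested permissions:
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.RECEIVE_SMS
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.READ_CALL_LOG
  declared services:
    .SvcA permission=android.permission.BIND_ACCESSIBILITY_SERVICE
Package [com.example.notes]:
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_BOOT_COMPLETED
"""
# Capability groups reported for BouldSpy, mapped to the Android permissions that grant them.
INDICATORS = {
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms_command_channel": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def parse_inventory(text):
    """Map package name -> requested permissions plus whether it declares an accessibility service."""
    packages, pkg, section = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Package ["):
            pkg, section = line[9:line.index("]")], None  # new package record resets the section
            packages[pkg] = {"perms": set(), "accessibility": False}
        elif line.endswith(":"):
            section = line
        elif pkg and section == "requested permissions:":
            packages[pkg]["perms"].add(line)
        elif pkg and section == "declared services:" and ACCESSIBILITY in line:
            packages[pkg]["accessibility"] = True
    return packages

def triage(text, min_groups=4):
    """Flag packages that bind an accessibility service and hit >= min_groups capability groups."""
    flagged = {}
    for pkg, info in parse_inventory(text).items():
        hits = sorted(g for g, perms in INDICATORS.items() if perms & info["perms"])
        if info["accessibility"] and len(hits) >= min_groups:
            flagged[pkg] = hits  # returns the matched groups so an analyst can see why it was flagged
    return flagged
```

Legitimate accessibility apps also bind this service, so the output is a triage list for manual review, not a verdict.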

Conclusion

BouldSpy illustrates how surveillance tools can exploit personal smartphones, which usually lack advanced security layers such as firewalls. To stay safe, smartphone users are advised to install apps only from official app stores. It is also recommended to use a reputable mobile endpoint security solution to detect unauthorized intrusion activity.
Cyware Publisher