BouldSpy: Android Spyware Tied to Iranian Police Targets Minorities | Threat Intel

Lookout researchers uncovered BouldSpy, an Android surveillance tool attributed with moderate confidence to Iran’s Law Enforcement Command (FARAJA) that has been used to target minorities and collect extensive device data. The spyware installs via physical access (likely during detention), abuses Android accessibility services for persistent background surveillance, and communicates with plaintext C2 servers. #BouldSpy #FARAJA

Keypoints

  • Lookout attributes a new Android spyware family, BouldSpy, to Iran’s Law Enforcement Command (FARAJA) and has tracked it since March 2020.
  • Over 300 confirmed victims based on C2 exfiltration data, including minority groups; evidence suggests devices are physically infected during detention or confiscation near police/checkpoints.
  • BouldSpy operators can generate trojanized apps (default package com.android.callservice) via a C2 panel to impersonate legitimate apps like CPU‑Z and Psiphon, easing low‑skill deployment.
  • Extensive surveillance feature set: account enumeration, installed apps, browser history, call/log recording (including many VoIP apps), screenshots, keylogging, SMS, contacts, files, clipboard, microphone, and location.
  • Persistence and stealth techniques include abusing Android accessibility services, CPU wake locks, disabling battery management, a background service that restarts on onDestroy, and boot/start handlers.
  • Network operations use insecure plaintext HTTP to C2 servers (common admin port 3000), enabling easy network analysis; BouldSpy can also receive SMS commands and download and run arbitrary code from C2.

MITRE Techniques

  • [Not specified] No MITRE ATT&CK technique IDs were explicitly named in the article – ‘Most of BouldSpy’s surveillance actions happen in the background by abusing Android accessibility services.’

Indicators of Compromise

  • [Sample SHA1s] BouldSpy sample hashes – 5168610b73f50661b998e95a74be25bfe749b6ef, af999714aec75a64529c59f1e8de4c669adfa97a, and 21 more hashes.
  • [IP Addresses] Command-and-control servers – 192.99.251[.]51, 84.234.96[.]117 (others: 192.99.251[.]49, .50, .54, 149.56.92[.]127).
  • [Package/App names] Trojans and default package – com.android.callservice (default), trojanized legitimate apps such as Psiphon, CPU‑Z.
  • [Network/Port] C2 admin panel port – port 3000 used to access C2 administration panel (requires authentication); C2 traffic observed in plaintext HTTP POSTs.

BouldSpy is deployed primarily via physical access to Android devices: operators appear to trojanize existing legitimate apps or build new APKs through a C2 management panel that defaults to the package name com.android.callservice. This operator panel can produce samples impersonating apps (CPU‑Z, Currency Converter Pro, Fake Call, Psiphon), enabling low‑skill personnel to generate and install implants. Initial infections correlate with locations near police stations and border checkpoints, which supports a model of device confiscation and manual installation during detention or inspection.

Technically, BouldSpy achieves persistent, high‑fidelity surveillance by abusing Android accessibility services and running a persistent background service that re‑creates its MainService in onDestroy(), acquires CPU wake locks, and disables battery optimizations so that it is not suspended. The malware enumerates accounts and installed apps, captures browser history, takes photos and screenshots, records audio and live calls (including calls in many VoIP apps such as WhatsApp, Telegram, Skype, and Viber), logs SMS, collects GPS/cell/Wi‑Fi location, logs keystrokes, captures clipboard data, and lists files and folders. It supports two control channels: HTTP‑based C2 communication (observed as unencrypted plaintext POSTs containing commands, job IDs, and “data[]” exfiltration fields) and SMS command reception using commands in the form *…# with parameterized fields, which allows control without an active internet connection.

Network and operational details useful for detection: C2 infrastructure includes IPs 192.99.251[.]49/.50/.51/.54, 84.234.96[.]117, and 149.56.92[.]127 (admin panels commonly on port 3000). The implants can download and execute arbitrary code/modules from C2 to extend functionality or persist via other apps. Samples include unused CryDroid‑derived ransomware code, indicating development artifacts or possible misdirection. Analysts should prioritize detection of plaintext HTTP POST patterns to known C2 IPs, APKs using the com.android.callservice package, and the listed sample hashes for triage and containment.
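
As an added illustration of the triage guidance above (not code from Lookout or from the article), the following Python applies the indicators listed on this page to a constructed proxy log and app inventory; the log line layout, function names and sample records are assumptions made for the example.

```python
import re

# Indicators taken from the summary above (written defanged in the report).
C2_IPS = {ip.replace("[.]", ".") for ip in (
    "192.99.251[.]49", "192.99.251[.]50", "192.99.251[.]51",
    "192.99.251[.]54", "84.234.96[.]117", "149.56.92[.]127")}
C2_ADMIN_PORT = 3000
DEFAULT_PACKAGE = "com.android.callservice"
SAMPLE_SHA1S = {"5168610b73f50661b998e95a74be25bfe749b6ef",
                "af999714aec75a64529c59f1e8de4c669adfa97a"}

# Assumed proxy log layout: "<ts> <src> -> <dst>:<port> <METHOD> <scheme>://<host>/<path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
                    r"(?P<method>[A-Z]+) (?P<scheme>https?)://\S+$")

def triage_proxy_log(lines):
    """Flag traffic to known C2 hosts. A plaintext HTTP POST to a C2 IP matches the
    exfiltration pattern and is rated high; other contact with those IPs (including the
    port-3000 admin panel) is rated medium for analyst review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] not in C2_IPS:
            continue  # unparseable or unrelated line
        if m["method"] == "POST" and m["scheme"] == "http":
            sev, why = "high", "plaintext HTTP POST to BouldSpy C2 (exfil pattern)"
        elif int(m["port"]) == C2_ADMIN_PORT:
            sev, why = "medium", "contact with C2 admin-panel port 3000"
        else:
            sev, why = "medium", "contact with known C2 IP"
        findings.append({"src": m["src"], "dst": m["dst"], "severity": sev, "reason": why})
    return findings

def triage_app_inventory(apps):
    """Check an installed-app inventory (list of {package, sha1}) against the IoCs."""
    hits = []
    for app in apps:
        if app["sha1"].lower() in SAMPLE_SHA1S:
            hits.append((app["package"], "known BouldSpy sample hash"))
        elif app["package"] == DEFAULT_PACKAGE:
            hits.append((app["package"], "default BouldSpy package name"))
    return hits

# Constructed sample input for the example; not real captures.
SAMPLE_LOG = [
    "2023-04-28T10:01:02Z 10.0.0.7 -> 192.99.251.51:80 POST http://192.99.251.51/api/upload",
    "2023-04-28T10:01:05Z 10.0.0.7 -> 84.234.96.117:3000 GET http://84.234.96.117/login",
    "2023-04-28T10:02:00Z 10.0.0.9 -> 93.184.216.34:443 GET https://example.com/",
]
SAMPLE_APPS = [
    {"package": "com.android.callservice", "sha1": "0" * 40},
    {"package": "com.example.cpuz.clone", "sha1": "AF999714AEC75A64529C59F1E8DE4C669ADFA97A"},
    {"package": "com.example.benign", "sha1": "1" * 40},
]
```

Running both functions over the constructed input yields one high and one medium network finding and two app hits; wire the same matchers into your proxy and MDM exports for real triage.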

Read more: https://www.lookout.com/threat-intelligence/article/iranian-spyware-bouldspy