Skip to content

S0407 Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.1

Item Value
ID S0407
Associated Names
Type MALWARE
Version 1.2
Created 04 September 2019
Last Modified 01 November 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1640 Account Access Removal Monokle can reset the user’s password/PIN.1
mobile T1638 Adversary-in-the-Middle Monokle can install attacker-specified certificates to the device’s trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.2
mobile T1429 Audio Capture Monokle can record audio from the device’s microphone and can record phone calls, specifying the output audio quality.1
mobile T1616 Call Control Monokle can be controlled via phone call from a set of “control phones.”1
mobile T1645 Compromise Client Software Binary Monokle can remount the system partition as read/write to install attacker-specified certificates.1
mobile T1533 Data from Local System Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.1
mobile T1617 Hooking Monokle can hook itself to appear invisible to the Process Manager.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.1
mobile T1544 Ingress Tool Transfer Monokle can download attacker-specified files.1
mobile T1417 Input Capture -
mobile T1417.001 Keylogging Monokle can record the user’s keystrokes.1
mobile T1430 Location Tracking Monokle can track the device’s location.1
mobile T1406 Obfuscated Files or Information Monokle uses XOR to obfuscate its second stage binary.1
mobile T1644 Out of Band Data Monokle can be controlled via email and SMS from a set of “control phones.”1
mobile T1636 Protected User Data -
mobile T1636.001 Calendar Entries Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.1
mobile T1636.002 Call Log Monokle can retrieve call history.1
mobile T1636.003 Contact List Monokle can retrieve the device’s contact list.1
mobile T1513 Screen Capture Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen to capture data from a large number of popular applications.1
mobile T1418 Software Discovery Monokle can list applications installed on the device.1
mobile T1426 System Information Discovery Monokle queries the device for metadata such as make, model, and power levels.1
mobile T1422 System Network Configuration Discovery Monokle checks if the device is connected via Wi-Fi or mobile data.1
mobile T1421 System Network Connections Discovery Monokle can retrieve nearby cell tower and Wi-Fi network information.1
mobile T1512 Video Capture Monokle can take photos and videos.1

References