Overview
Syllabus
Intro
Special Technology Center (STC)
Surveillanceware Prevalence
Monokle-Agent
Dates when Monokle samples were signed
Observed samples
Targets
Detected Installations
Malicious Functionality
Android APIs
Direct App Database Access
Accessibility Service Usage
Screen Unlock Recording
Trusted Certificate Install
Hooking using Xposed
User-defined words for predictive text input
C2 Communication (Outbound TCP)
C2 Communication (SMS)
Thrift - Defining Interfaces
Thrift - Generating Code
Evidence of iOS components - GetKeychain/SetKeychain
Evidence of iOS components - Apns Registration
Overlap in signing certificates for Monokle and STC's APKs
Overlap in signing certificates with an STC employee's personal Android project
Android Software Development Projects by STC
Command and Control Infrastructure overlap
Job Postings
Developer, researcher ANDROID/IOS
Indicators of Compromise
Remediation and Forensic Options
Mobile Surveillanceware Trends
RS Conference 2020 San Francisco February 24-28 Moscone Center
Taught by
RSA Conference