Written by Sean Lyngaas

A contractor for the Russian military that was sanctioned for interfering in the 2016 U.S. election has developed Android malware that is being used in “highly-targeted” attacks that exfiltrate data using third-party applications, according to mobile security company Lookout.

The malware allegedly developed by the contractor, St. Petersburg-based Special Technology Center (STC), is capable of installing the attacker’s own software certificate in a certificate store and then using it for “man-in-the-middle” attacks, intercepting data before it reaches its intended recipient.

“This ability is something that Lookout researchers have never seen in the wild before,” Lookout’s Adam Bauer, Apurva Kumar, and Christoph Hebeisen said Wednesday.

The so-called “Monokle” malware is extremely invasive, according to Lookout. It can record a target device’s screen while the user is unlocking it, capturing the user’s PIN. It abuses Android’s accessibility features to harvest data from third-party apps. And it uses “predictive-text dictionaries” to figure out what a target user is interested in.

Discovered last year, the surveillance tool is still in active use, Lookout said. The malware shows up in a small number of trojan mobile apps, indicating it is being used in carefully crafted attacks, the researchers said. New samples were seen as recently as last month.

“We’ve seen evidence that Monokle has been under active development for years and have no reason to believe work isn’t continuing on it,” Hebeisen, Lookout’s head of threat research, told CyberScoop. He declined to say where the phones infected by Monokle were located.

Among the malware’s targets were people interested in Ahrar al-Sham, a militant group fighting the Syrian regime, and “individuals living in or associated with the Caucasus regions of Eastern Europe,” Lookout said.

STC was one of several Russian organizations or individuals sanctioned through a 2016 executive order from President Barack Obama for interfering in the presidential election. A White House statement at the time said that the STC helped Russia’s military intelligence service, the GRU, conduct signals intelligence operations.

STC did not immediately respond to a request for comment on Lookout’s findings. STC’s website boasts that, in 10 years in business, it has “gained a leading position” in the international market for radio-monitoring equipment.

Lookout researchers traced Monokle back to STC by examining the Russian company’s antivirus Android app. That application communicates with the same networking infrastructure that Monokle does, the researchers said. Hebeisen told CyberScoop that there’s no reason to think STC is limiting its focus to Android devices. “We have observed code, included in the Android applications, which points to the existence of an iOS version of the software.”

The discovery is part of a larger trend of companies and governments developing advanced mobile malware, Lookout pointed out. STC is one of several surveillance vendors that security researchers are tracking, including Israel-based NSO Group and the developers of the FinFisher kit.

“Monokle shows that it would be naive to think that mobile surveillance-ware is a rare capability of nation-states,” Hebeisen said.