Smartphones of Iran’s protest detainees targeted with spyware

The malware has been identified as I3mon, which can perform all kinds of spying operations.

In recent months, there have been growing protests in Iran following Mahsa Amini's death. While these protests have been met with a heavy government crackdown, it now appears that participants have also been targeted with spyware.

According to Voice of America (VoA), spyware has been found on the Android phones of some individuals recently detained for protesting against the government.

It is worth noting that on September 16th, 2022, a 22-year-old Iranian woman named Mahsa Amini died in police custody in Tehran, Iran. Amini had been arrested for failing to comply with the government-mandated hijab rules.

The malware, identified as I3mon, can perform a wide range of spying operations. It is delivered as an Android installation file named com.etechd.l3mon.apk, so the installed package name on an infected device is com.etechd.l3mon.

VoA obtained a copy of the spyware. In its report, the outlet noted that the malware had previously been distributed on various forums under titles such as "Telegram with Free Internet".

Cybersecurity firms such as Kaspersky and Dr.Web already detect it as an Android trojan; Dr.Web's signature for it, Android.SmsSpy.88.origin, dates back to August 2015.

[Figure: VirusTotal result of the spyware]

How Infection Occurs

I3mon is widely used by cybercriminals, typically to harvest identity and payment-card details and to capture passwords. It is usually delivered through malicious links, email attachments, or third-party app stores.

The malware may also be distributed under the guise of a legitimate app or hidden inside an app that reaches the Google Play Store, and it can simply be installed by hand by anyone with physical access to an unlocked device.

The Android installation file is only the client side of the tool. The control panel is written in JavaScript and runs in a Node.js environment on a server hosted by the operator, which is what makes the spyware "cloud-based": the infected phone connects out to that server and is managed through it. The project is licensed as open-source software, so anyone can set up their own panel.

VoA's Persian-language report says that the malware on the Iranian protesters' devices was controlled from a server in Germany, and that data from the victims' phones was transmitted out of Iran.

Spyware Capabilities

Once a phone is infected, attackers can access the phonebook, call logs, internet connection, microphone conversations, and the SMS messages the victim sends and receives. In addition, the spyware can record audio, report location data, list the app's own permissions and the installed apps, capture typed text live, and read the notification list and details of the phone's Wi-Fi connections.

[Figure, from Dr.Web: spyware disguised as a fake Adobe Flash app for Android asking for device-administrator privileges and stealing PayPal and banking credentials]

Security experts suggest users take preventive measures and install a reputable antivirus product. Without one, it becomes essential to watch for unusually fast battery drain and to review which apps hold accessibility or device-administrator privileges, because the malware hides behind an ordinary-looking app, and its constant recording and uploading tends to drain the battery quickly.

If you suspect an infection, perform a factory reset or have the device examined by an expert. If the phone may later be needed as evidence of who installed the spyware, have it examined first: a reset destroys the installed package and the logs it left behind.
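For readers who want to check a phone themselves, the following is an added example (not code from the VoA report or from the article) that applies the two checks above offline: it parses the text that `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services` produce, flags the package name the article gives (com.etechd.l3mon), and flags any user-installed app that has registered an accessibility service. The sample outputs embedded in the script are constructed for the example; the accessibility check is the editor's generalization of the advice above, not a property of this spyware stated on the page.

```python
"""Offline triage of an Android app inventory for the I3mon/L3MON indicator.

Added example, not part of the original article. Inputs are the raw text
of two adb commands; if adb is on PATH the script collects them from an
attached device, otherwise it runs on the constructed samples below.
"""
import shutil
import subprocess

# Indicator from the article: the installer is com.etechd.l3mon.apk, so the
# installed package name is com.etechd.l3mon.
KNOWN_BAD_PACKAGES = {"com.etechd.l3mon"}

# Constructed sample of `pm list packages -f` output (three lines).
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Q1/com.etechd.l3mon-abc==/base.apk=com.etechd.l3mon
package:/data/app/~~R2/org.telegram.messenger-xyz==/base.apk=org.telegram.messenger
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs).
SAMPLE_ACCESSIBILITY = (
    "com.etechd.l3mon/.AccService:com.android.talkback/.TalkBackService"
)


def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    apps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # The path itself may contain '=' (e.g. base64 '==' in the app dir),
        # so split on the last '=' only.
        path, _, pkg = line[len("package:"):].rpartition("=")
        if pkg:
            apps[pkg] = path
    return apps


def parse_accessibility(text):
    """Return the set of package names with an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":  # Android prints 'null' when none are set
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(pm_list_text, accessibility_text):
    """Return a list of (finding_kind, package, apk_path) tuples."""
    apps = parse_pm_list(pm_list_text)
    a11y = parse_accessibility(accessibility_text)
    findings = []
    for pkg, path in apps.items():
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(("known_indicator", pkg, path))
    for pkg in sorted(a11y):
        path = apps.get(pkg, "")
        # Apps under /data/app/ are user-installed; system apps (TalkBack,
        # vendor services) live elsewhere and are not flagged here.
        if path.startswith("/data/app/"):
            findings.append(("user_app_accessibility", pkg, path))
    return findings


def collect_from_device():
    """Fetch the two inputs over adb from an attached device, or None."""
    if shutil.which("adb") is None:
        return None

    def run(*args):
        return subprocess.run(
            ["adb", "shell", *args], capture_output=True, text=True, check=True
        ).stdout

    return (
        run("pm", "list", "packages", "-f"),
        run("settings", "get", "secure", "enabled_accessibility_services"),
    )


if __name__ == "__main__":
    inputs = collect_from_device() or (SAMPLE_PM_LIST, SAMPLE_ACCESSIBILITY)
    for kind, pkg, path in triage(*inputs):
        print(f"{kind}: {pkg} ({path})")
```

Run it with the phone connected and USB debugging enabled; a `known_indicator` line is a direct match on the package name from the article, while a `user_app_accessibility` line is only a lead that needs a look at what that app is and who installed it.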

In conclusion, this discovery raises severe concerns about the government’s use of surveillance against its own citizens. It also highlights the need for better protection for protesters and dissidents in Iran and elsewhere.
