Researchers at the Lookout Threat Lab have discovered a new Android surveillance tool attributed to the Islamic Republic's Police (FARAJA).
The company, which specializes in mobile threat intelligence, has been tracking the spyware, named BouldSpy, since March 2020, when the tool's command and control (C2) infrastructure was configured.
Since 2023, security and intelligence researchers have described the malware as an Android botnet and ransomware.
Lookout researchers assess that BouldSpy contains ransomware code, but that it is unused and nonfunctional, which points either to ongoing development or to deliberate misdirection by the actor.
“BouldSpy has victimized more than 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups,” said Lookout in a statement.
It appears that the spyware was also used to monitor and counter illegal trafficking activities related to weapons, drugs, and alcohol.
Lookout adds that FARAJA likely installs BouldSpy on devices seized during detention in order to keep monitoring the target after release.
Many of the malware's activities took place during protests following the death in custody of Mahsa Amini in 2022.
“The first locations exfiltrated from the victims are, with few exceptions, concentrated near Iranian provincial police stations, Iranian Cyber Police stations, Law Enforcement Command facilities, and border control posts. Based on this, we theorize that a victim’s device is confiscated once detained or arrested, and then subsequently physically infected with BouldSpy.”
It is still not clear how many people were detained during the nationwide protests in Iran. While thousands of young and teenage protesters were arrested in street demonstrations, hundreds of political activists, journalists and writers or artists have also been detained.