MonitorMinor: The Most Wicked Stalkerware?

MonitorMinor: The Most Wicked Stalkerware?

  • The stalkerware can get access to the hash sum for the screen unlock pattern or the password.
  • It can also monitor user activity on several instant messaging applications.

Security experts have spotted a new powerful stalkerware that tracks users’ activity on Gmail, WhatsApp, Instagram, and Facebook.

What happened?
Kaspersky researchers found the new MonitorMinor (Monitor.AndroidOS.MonitorMinor.c) stalkerware that can gather personal information and watch the user activity of its targets.

  • Experts noted that the malware can gather the victim’s current geolocation, intercept SMS and call data, and can also implement geofencing features.
  • It is being touted as a powerful malware because it also allows spying on other communication channels, such as instant messaging applications.

According to the experts, MonitorMinor is rare and could be the most powerful in its category.

What makes it so powerful?
According to the Kaspersky report, “In a 'clean' Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control).”

The stalkerware’s ability is backed by the presence of the SuperUser-type app (SU utility) which grants root access to the system. “The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. It is the presence of this utility that the creators of MonitorMinor are counting on,” read the report.

Apps it can affect
After running the SU utility successfully, the stalkerware attempts to gain uninterrupted access to data from the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM
  • Hangouts
  • Viber
  • Hike News & Content

What is it capable of?
MonitorMinor can extract the file "/data/system/gesture.key" from the device.

  • This can allow it to the access the hash sum for the screen unlock pattern or the password.
  • It is the first stalkerware that implements such a function to unlock the device.
  • Moreover, the persistence mechanism implemented by the actors is very efficient and leverages the root access.
  • The stalkerware can remount the system partition from read-only to read/write mode. It further copies itself to it, deletes itself from the user partition, and remounts the system back to read-only mode.

How does it control the device?
MonitorMinor can intercept events in the controlled apps even without gaining root access. Operators can monitor the clipboard and easily forward its contents. Through the stalkerware, the operators can:

  • Control the device using SMS commands
  • Record sound from the device’s microphone
  • View real-time video from the device’s cameras
  • View browsing history in Chrome
  • View the contacts list
  • View the system log
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage

Final thoughts
Kaspersky has mapped out geographical distribution of installations across the globe.

  • India - 14.71% 
  • Mexico - 11.76% 
  • Germany, Saudi Arabia, and the UK - 5.88% 

The researchers also noted the presence of a Gmail account—in the body of MonitorMinor—that had an Indian name, suggesting that the developers could be of Indian origin.