{
	"id": "db015913-7358-4aa6-b7c3-bfe2217b9c9a",
	"created_at": "2026-04-06T00:22:20.259357Z",
	"updated_at": "2026-04-10T13:12:04.145669Z",
	"deleted_at": null,
	"sha1_hash": "6b77ae64f4f9e12efb25a18177089350089f6bd8",
	"title": "BouldSpy: Android Spyware Tied to Iranian Police Targets Minorities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1044059,
	"plain_text": "BouldSpy: Android Spyware Tied to Iranian Police Targets Minorities\r\nBy Lookout\r\nPublished: 2023-04-27 · Archived: 2026-04-05 23:41:42 UTC\r\nResearchers at Lookout have discovered a new Android surveillance tool which we attribute with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Named BouldSpy for the “BoulderApplication” class which configures the tool’s command and control (C2), we have been tracking the spyware since March 2020. Starting in 2023, the malware has drawn the attention of security researchers on Twitter and others in the threat intelligence community, who have characterized it as an Android botnet and ransomware. While BouldSpy includes ransomware code, Lookout researchers assess that it is unused and nonfunctional, but could indicate ongoing development or an attempt at misdirection on the part of the actor.\r\nBased on our analysis of exfiltrated data from C2 servers for the spyware, BouldSpy has victimized more than 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups. The evidence we have gathered implies that the spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol.\r\nWe believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release. In our research, we obtained and reviewed a large quantity of exfiltrated data that included photos and device communications, such as screenshots of conversations, recordings of video calls, as well as SMS logs. Our analysis also revealed photos of drugs, firearms, and official FARAJA documents that indicate potential law enforcement use of the malware. However, much of the victim data points to its broader usage, which indicates targeted surveillance efforts towards minorities within Iran. Notably, much of the malware’s activities occurred during the height of the Mahsa Amini protests in late 2022.\r\nRecovered exfiltration data from BouldSpy’s C2 server indicates that initial infection for some victims takes place in close proximity to Iranian police stations or border patrol checkpoints, where detention and physical access to mobile devices could be obtained.\r\nWe believe BouldSpy to be a new malware family based on the relatively small number of samples that we’ve obtained, as well as the lack of maturity around its operational security, such as unencrypted C2 traffic, hardcoded plaintext C2 infrastructure details, a lack of string obfuscation, and failure to conceal or remove intrusion artifacts. To the best of our knowledge, the apps that we discovered and described in this article have never been distributed through Google Play.\r\nBouldSpy represents yet another surveillance tool taking advantage of the personal nature of mobile devices. The spyware is especially concerning given Iran's human rights track record. Lookout Mobile Endpoint Security and Lookout Life customers are protected from this threat.\r\nDeployment and capabilities\r\nThe first locations exfiltrated from the victims are, with few exceptions, concentrated near Iranian provincial police stations, Iranian Cyber Police stations, Law Enforcement Command facilities, and border control posts. Based on this, we theorize that a victim’s device is confiscated once detained or arrested, and then subsequently physically infected with BouldSpy.\r\nRecovered exfiltration data hints that victims came into contact with Iranian law enforcement.\r\nThe FARAJA actor provides user-friendly features on its C2 panel to perform device management of victims and build new custom BouldSpy malware applications. The malware operator can choose between a default package name of “com.android.callservice” (posing as an Android system service related to handling phone calls) or trojanizing various legitimate applications by inserting the “com.android.callservice” package. By setting up operations in this way, Iranian police officers or other personnel with low technical skills can easily generate new malware samples, which makes it easier to ramp up deployment operations with minimal training.\r\nSome of the apps BouldSpy impersonates include CPU-Z, a mobile CPU benchmarking tool, Currency Converter Pro, a Persian-language interest calculator, and an app named Fake Call, which is a prank app that generates fake phone calls or text messages. In April 2023, we also acquired a sample that trojanized Psiphon, a popular VPN app that has over 50 million downloads.\r\nGiven the likelihood of physical installation as the initial vector for BouldSpy, it’s possible that BouldSpy victims had legitimate versions of these apps installed when their devices were confiscated, and that those apps were trojanized in order to avoid detection by the victim.\r\nApp icons associated with BouldSpy variants, from left to right: CPU-Z, Interest Calculator, Currency Converter Pro, Fake Call, Call Service, Psiphon\r\nNotable surveillance capabilities\r\nGetting all account usernames available on the device and their associated types (such as Google, Telegram, WhatsApp and others)\r\nList of installed apps\r\nBrowser history and bookmarks\r\nLive call recordings\r\nCall logs\r\nTake photos from the device cameras\r\nContact lists\r\nDevice information (IP address, SIM card information, Wi-Fi information, Android version, and device identifiers)\r\nList of all files and folders on the device\r\nClipboard content\r\nKeylogs\r\nLocation from GPS, network, or cell provider\r\nSMS messages (sent, received and drafts)\r\nRecord audio from the microphone\r\nTake screenshots\r\nA notable capability of BouldSpy is that it can record voice calls over multiple Voice over IP (VoIP) apps as well as the standard Android phone app. These include:\r\nWhatsApp\r\nBlackberry BBM\r\nTurkcell\r\nBOTIM\r\nKakao\r\nLINE\r\nmail.ru VoIP calls\r\nTelegram VoIP\r\nMicrosoft Office 365 VoIP functionality\r\nSkype\r\nSlack VoIP\r\nTango\r\nTextNow\r\nViber\r\nVonage\r\nWeChat\r\nTechnical analysis\r\nPersistent background activities\r\nMost of BouldSpy’s surveillance actions happen in the background by abusing Android accessibility services. It also relies heavily on establishing a CPU wake lock and disabling battery management features to prevent the device from shutting down the spyware’s activities. As a result, victims could expect their device battery to drain much faster than normal. Once installed, the spyware will seek to establish a network connection to its C2 server and exfiltrate any cached data from the victim’s device to the server.\r\nThese actions occur when the user opens the app, or when the device is booted or rebooted. To make sure it can take actions frequently and consistently, BouldSpy uses a background service to handle most of the surveillance functionality. As illustrated in the figure below, the service restarts itself when its parent activity is stopped by either the user or the Android system.\r\nWhen the activity is stopped with an “onDestroy()” call, a new Intent is created which restarts “MainService.” MainService handles most of BouldSpy’s surveillance functionality.\r\nInsecure C2 communication\r\nWe found that BouldSpy has the ability to encrypt files for exfiltration, but uses unencrypted web traffic between victim devices and the C2. This insecure implementation by the threat actor makes network analysis and detection easier by exposing the whole C2 communication in clear text.\r\nThis is a screenshot of plaintext C2 traffic we observed. It’s a POST request to C2 server 192.99.251[.]51 containing plaintext commands and associated job IDs, status, exfil (in the “data[]” field), whether the job was successful, and the app module (such as “Messages” or “LocationManager”) executing the data collection.\r\nAbility to run additional code\r\nBouldSpy also has the ability to run arbitrary code, and download and run additional custom code from the C2, or run code within other apps as needed. This gives the malware additional options, such as the ability to improve its collection capabilities, introduce functionalities, or set up persistence in other apps.\r\nSMS commands\r\nAside from the normal C2 via a web server, BouldSpy can also receive commands via SMS from a control phone, which is a fairly unique feature. This enables the spyware to surveil victims even in poorly-developed regions that lack internet availability, but are still reachable over standard cell networks.\r\nSMS commands follow a format starting with an asterisk (*) and ending with the hashtag/pound sign (#) with arbitrary text between them. The commands usually start with a three-digit number and are split into separate parameters which are separated by asterisks. The known commands are listed in the table below.\r\nBouldSpy samples ship with ransomware code borrowed from an open source Android ransomware project named CryDroid. However, Lookout researchers assess this code as unused and nonfunctional. This code might be a sign of ongoing development or a false flag artifact to misdirect analysts.\r\nCommand and Control Infrastructure\r\nLookout found BouldSpy C2 servers at IP addresses 192.99.251[.]51, 192.99.251[.]50, 192.99.251[.]49, 192.99.251[.]54, 84.234.96[.]117, and 149.56.92[.]127. Of these, only 192.99.251[.]51 and 84.234.96[.]117 are currently active. A common feature of these is the use of port 3000 to access the C2’s administration panel, which requires authentication. From analyzing these servers, we were able to uncover the following victim information:\r\n66,000 call logs\r\n15,000 installed apps\r\n100,000 contacts\r\n3,700 user accounts\r\n3,000 downloaded files\r\n9,000 keylogs\r\n900 locations\r\n400,000 text messages\r\n2,500 photos\r\nWe believe that there are likely more victims and associated data collected because exfiltration data on C2 servers is often cleared.\r\nIndicators of Compromise (IOCs)\r\nBouldSpy Sample SHA1s:\r\nCommand and Control:\r\n149.56.92[.]127\r\n192.99.251[.]49\r\n192.99.251[.]50\r\n192.99.251[.]51\r\n192.99.251[.]54\r\n84.234.96[.]117\r\nSource: https://www.lookout.com/blog/iranian-spyware-bouldspy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.lookout.com/blog/iranian-spyware-bouldspy"
	],
	"report_names": [
		"iranian-spyware-bouldspy"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b77ae64f4f9e12efb25a18177089350089f6bd8.pdf",
		"text": "https://archive.orkl.eu/6b77ae64f4f9e12efb25a18177089350089f6bd8.txt",
		"img": "https://archive.orkl.eu/6b77ae64f4f9e12efb25a18177089350089f6bd8.jpg"
	}
}