According to a report by Voice of America (VoA), Iran’s protest detainees have been targeted with spyware on their Android devices. The spyware is known as I3mon, a relatively popular Android trojan. The malware is typically used by threat actors to obtain sensitive information like login credentials, banking accounts, and other identity information. I3mon also can be distributed multiple ways, including through infected links, emails, third-party platforms, or Google Play store apps, but it can also be manually installed. In the case of these Iranian protestors, I3mon was activated on a German server. It is unclear currently if this is the work of nation state actors or hacktivists, but nonetheless, it is concerning for Iranian protestors.
Installing a strong mobile antivirus solution is advised. Vetting apps before downloading them and monitoring application permissions are highly suggested as well. Unused apps that are given unnecessary permissions should be deleted as a preventative measure. If a device is believed to have been infected, getting a new device, or running a hard factory reset should be considered.
Smartphones of Iran’s protest detainees targeted with spyware