RAT

Info Stealing

Android

L3MON

L3MON is Android malware with remote administration Trojan (RAT) functionality. It misuses the Accessibility services to steal sensitive information and perform other actions. L3MON RAT can steal contacts, SMS messages, call logs, and files with various extensions from a range of directories. It can also steal sent and received WhatsApp and Signal messages, record audio, and more. Moreover, L3MON can forward received SMS messages and messages from email clients, Facebook, Instagram, and other apps.

Key Insights

L3MON uses Android's Accessibility services to do its dirty work. By masquerading as a legitimate app, it tricks users into granting it the necessary permissions so it can run with elevated privileges. This allows the RAT to monitor user interactions and control device functions without being detected.

Data Exfiltration and Surveillance Capabilities

Once active, L3MON gives attackers a whole range of tools to steal data and surveil the victim. It can extract contacts, SMS messages, call logs, and files from various directories. It can also intercept messages from secure messaging apps like WhatsApp and Signal, record ambient audio, and forward messages from email clients and social media apps. This lets attackers gather a large amount of personal and confidential information from the compromised device.

Distribution and Infection Vectors

L3MON is distributed through trojanized apps that masquerade as legitimate ones. For example, it has been found in fake versions of apps such as 'Sathi Chat', which are clones of real messaging apps. These malicious apps are usually hosted on third-party websites or other untrusted sources and trick users into downloading and installing them. Once installed, L3MON connects to a command and control server and allows attackers to remotely control the infected device.

Known Variants

L3MON has been used as a base for other Android malware. XploitSPY is one such variant: it is built on L3MON RAT and shares similar features, including data-stealing capabilities. These variants inherit the core features of L3MON and add further malicious functionality to make them more effective.

Mitigation Strategies

  • Don't download apps from untrusted sources; use official app stores.

  • Update your device's OS and apps regularly to patch vulnerabilities.

  • Review app permissions carefully and be wary of apps that request excessive access, especially to Accessibility services.

  • Install mobile security software to detect and remove malware.
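To make the Accessibility-permission review concrete, here is an added audit script (not from the original page) that lists which apps currently hold the Accessibility service permission that L3MON abuses and flags any package not on an allowlist. It assumes the `adb shell settings get secure enabled_accessibility_services` value format (colon-separated `package/service` entries, or `null` when none are enabled); the allowlist and the sample package names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit enabled Accessibility services on an Android device and
# report any package that is not on a known-good allowlist.
# Live value comes from: adb shell settings get secure enabled_accessibility_services

# Assumed allowlist of legitimate Accessibility services (colon-separated; adjust for your fleet).
ALLOWLIST="com.google.android.marvin.talkback:com.android.switchaccess"

# Constructed sample of the setting value, so the script runs without a device.
# "com.example.fakechat" is a made-up package standing in for a trojanized app.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechat/com.example.fakechat.MainService"

# flag_unexpected_services <setting value>
# Prints one line per enabled service whose package is not allowlisted.
flag_unexpected_services() {
    setting="$1"
    # Android reports "null" when no Accessibility service is enabled: nothing to flag.
    [ -z "$setting" ] && return 0
    [ "$setting" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=':'
    for entry in $setting; do
        pkg="${entry%%/*}"          # package name is everything before the first '/'
        case ":$ALLOWLIST:" in
            *":$pkg:"*) ;;          # allowlisted, keep quiet
            *) printf '%s\n' "$pkg" ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# Use a connected device when adb is available, otherwise fall back to the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    SETTING=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    SETTING="$SAMPLE_SETTING"
fi
flag_unexpected_services "$SETTING"
```

Any package printed by the script deserves a closer look at what it is and why it needs Accessibility access; on a fleet, run it per device and alert on non-empty output.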

Targeted Industries or Sectors

L3MON targets individual Android users rather than specific industries or sectors. Its distribution through trojanized apps suggests a broad attack vector intended to compromise as many devices as possible. However, the data it collects can be used in various ways and can affect multiple sectors indirectly.

Associated Threat Actors

No specific threat actors have been linked to L3MON. Since L3MON is open source, anyone can use it with different motives and targets. This makes attribution difficult, as multiple individuals or groups can use the RAT independently.