
S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

Domain: Mobile | ID: S0407 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Monokle matters because it represents mobile surveillanceware aimed at collecting sensitive information from Android devices, not just a generic malware family. The ATT&CK relationships show behaviors that can affect executive privacy, credential exposure, physical location privacy, communications confidentiality, and incident response visibility, including keylogging, audio/video/screen capture, call and contact access, location tracking, local data collection, and network discovery.

Executive priority

Treat this as a mobile security and high-risk-user protection issue. Leaders should ask whether managed mobile devices, executive devices, and privileged-user phones have enforceable application control, permission governance, mobile telemetry, and incident response procedures. The business risk is not limited to device compromise: the mapped behaviors can expose credentials, meetings, contacts, locations, calls, and local files that may support broader enterprise intrusion or sensitive information loss. Because ATT&CK provides no official detection guidance for this object, coverage should be validated through local telemetry and control evidence rather than assumed.

Technical view

ATT&CK lists Monokle as Android malware and relates it to a broad set of mobile techniques: obfuscation, keylogging, software and system discovery, network and Wi-Fi discovery, audio/video/screen capture, location tracking, local data collection, ingress tool transfer, call control, hooking, file deletion, calendar/call log/contact collection, adversary-in-the-middle, account access removal, out-of-band data, and client software binary compromise. SOC and IR teams should validate whether mobile EDR/MTD, MDM/UEM, Android permission state, app inventory, network metadata, and device forensic processes can observe these behavior classes. Detection should focus on suspicious combinations of permissions and behavior rather than a single indicator, especially where obfuscation, hooking, or file deletion may reduce artifact reliability.

Likely telemetry

  • Android app inventory, package metadata, signing/certificate details, installation source, and version history
  • MDM/UEM compliance state, device ownership, OS version, patch level, and administrator/profile changes
  • Application permission grants and changes for microphone, camera, location, contacts, calendar, call log, phone, accessibility, VPN, storage, and background location where available
  • Mobile threat defense or endpoint telemetry for suspicious app behavior, obfuscation, hooking/root-framework indicators, and file activity
  • Network telemetry from device, MDM, secure web gateway, DNS, VPN, or cellular/Wi-Fi logs showing unusual connections or connectivity checks

Detection direction

  • Baseline high-risk and managed Android devices for installed applications, risky permissions, third-party keyboard/accessibility use, VPN registration, administrator privileges, and unexpected background access.
  • Correlate discovery behaviors with collection behaviors: app enumeration, system/network configuration checks, Wi-Fi discovery, and internet connectivity checks become more material when paired with microphone, camera, location, contacts, call log, or local file access.
  • Treat obfuscation, hooking, and file deletion as visibility-risk signals; absence of artifacts should not be treated as proof of absence on rooted or tampered devices.
  • Tune for false positives from legitimate enterprise VPNs, accessibility tools, conferencing apps, call-management apps, and device-management agents by validating publisher, signing, deployment source, user role, and business justification.
  • Because no official ATT&CK detection text is supplied, require environment-specific validation through lab testing, mobile telemetry review, and incident response playbooks rather than relying on named-family detections alone.

Mitigation priorities

  • Prioritize application allowlisting or managed app stores for corporate and high-risk-user Android devices.
  • Enforce MDM/UEM controls for OS patching, device compliance, encryption, screen lock, unknown-source installation restrictions, and removal of noncompliant devices from enterprise access.
  • Review and restrict high-risk permissions, especially accessibility, third-party keyboard, microphone, camera, location, contacts, calendar, call log, phone, VPN, storage, and background location access.
  • Use conditional access and identity controls so a compromised mobile device does not automatically provide durable access to enterprise applications.
  • Prepare mobile IR procedures: isolate from enterprise access, preserve device state where possible, collect MDM/MTD/network evidence, rotate exposed credentials, and assess exposure of contacts, calendar, calls, files, and locations.
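The evidence-collection step of that IR procedure can be scripted against a device attached over adb. The block below is an added example, not Glexia, MITRE or Lookout tooling: it wraps real `pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `getprop` commands, saves their output for later review, and parses two of them to list third-party apps not installed by a trusted installer (matching the Software Discovery and sideloading concerns above) and apps with an enabled accessibility service (the access Monokle abuses for screen capture). The MDM agent package id is an assumption; the sample inputs used to exercise the parsers are constructed.

```shell
#!/bin/sh
# Android IR triage helper. Added example, not Glexia, MITRE or Lookout
# tooling. Parses output of real adb/pm/settings commands so the evidence
# can be reviewed offline. Sample inputs in the checks are constructed.

# Installers treated as trusted. Play Store is real; the MDM agent package
# name is an ASSUMPTION: replace it with your UEM agent's actual id.
TRUSTED_INSTALLERS="com.android.vending com.example.mdm.agent"

# Read `adb shell pm list packages -3 -i` output on stdin and print
# "<package> <installer>" for each third-party app whose installer is not
# trusted. Apps installed via adb show installer=null on many builds.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}
        case "$line" in
            *installer=*) inst=${line##*installer=} ;;
            *) inst=unknown ;;
        esac
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$inst" = "$t" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s %s\n' "$pkg" "$inst"
        fi
    done
}

# Read the value of `adb shell settings get secure enabled_accessibility_services`
# on stdin (colon-separated pkg/Service components, or "null" when none)
# and print the owning package names, one per line.
list_accessibility_packages() {
    awk -F: '{ for (i = 1; i <= NF; i++)
                 if ($i != "" && $i != "null") { split($i, p, "/"); print p[1] } }' \
    | sort -u
}

# Live collection from an attached device (needs adb and USB debugging).
# tr strips the CR that adb shell emits on some hosts. Not run by the checks.
collect_live() {
    out=${1:-triage-$(date +%Y%m%d%H%M%S)}
    mkdir -p "$out"
    adb shell getprop ro.build.fingerprint | tr -d '\r' > "$out/build.txt"
    adb shell pm list packages -3 -i | tr -d '\r' > "$out/packages.txt"
    adb shell settings get secure enabled_accessibility_services | tr -d '\r' > "$out/a11y.txt"
    adb shell dumpsys device_policy | tr -d '\r' > "$out/device_policy.txt"
    echo "Third-party packages not from a trusted installer:"
    flag_sideloaded < "$out/packages.txt"
    echo "Packages with an enabled accessibility service:"
    list_accessibility_packages < "$out/a11y.txt"
    echo "Evidence saved under $out/ (device admins/owners: device_policy.txt)"
}

if [ "${1:-}" = "live" ]; then
    collect_live "${2:-}"
fi
```

Two caveats for the T1638 and T1617 rows: user-added CA certificates live under /data/misc/user/0/cacerts-added/ and are not readable from an unrooted adb shell, so check Trusted credentials in the device settings or use MDM certificate inventory instead; and because Monokle hooks itself to hide from the process manager, a package that is absent from `pm list packages` on a rooted or tampered device is not proof of absence, which is why the script records the build fingerprint and device-policy state alongside the package list.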

Analyst notes and limits

The supplied ATT&CK object identifies Monokle as targeted, sophisticated mobile surveillanceware developed for Android, with code artifacts suggesting an iOS version may be in development. The platform field for this object is Android, so defensive validation should center on Android while noting that several related techniques are cross-platform in ATT&CK. The relationship set is unusually broad and supports a surveillance and discovery-focused defensive lens.

MITRE provides no official detection text, aliases, labels, or tactics for this object in the supplied fields. The relationships describe techniques used by Monokle but do not provide indicators, procedures, prevalence, active exploitation status, or guaranteed observables. Local device management scope, mobile telemetry quality, privacy/legal constraints, and forensic access will determine practical detection and response capability.

Official MITRE ATT&CK definition

Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

24 rows (Domain | ID | Name; the relationship/procedure note follows each row)

Mobile | T1644 | Out of Band Data
Monokle can be controlled via email and SMS from a set of "control phones." [1]

Mobile | T1406 | Obfuscated Files or Information
Monokle uses XOR to obfuscate its second stage binary. [1]

Mobile | T1422.001 | Internet Connection Discovery (sub-technique)
Monokle checks if the device is connected via Wi-Fi or mobile data. [1]

Mobile | T1421 | System Network Connections Discovery
Monokle can retrieve nearby cell tower and Wi-Fi network information. [1]

Mobile | T1512 | Video Capture
Monokle can take photos and videos. [1]

Mobile | T1417.001 | Keylogging (sub-technique)
Monokle can record the user's keystrokes. [1]

Mobile | T1630.002 | File Deletion (sub-technique)
Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files. [1]

Mobile | T1640 | Account Access Removal
Monokle can reset the user's password/PIN. [1]

Mobile | T1617 | Hooking
Monokle can hook itself to appear invisible to the Process Manager. [1]

Mobile | T1533 | Data from Local System
Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities. [1]

Mobile | T1513 | Screen Capture
Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen to capture data from a large number of popular applications. [1]

Mobile | T1616 | Call Control
Monokle can be controlled via phone call from a set of "control phones." [1]

Mobile | T1422 | System Network Configuration Discovery
Monokle checks if the device is connected via Wi-Fi or mobile data. [1]

Mobile | T1638 | Adversary-in-the-Middle
Monokle can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks. [Xiao-KeyRaider]

Mobile | T1645 | Compromise Client Software Binary
Monokle can remount the system partition as read/write to install attacker-specified certificates. [1]

Mobile | T1636.003 | Contact List (sub-technique)
Monokle can retrieve the device's contact list. [1]

Mobile | T1426 | System Information Discovery
Monokle queries the device for metadata such as make, model, and power levels. [1]

Mobile | T1430 | Location Tracking
Monokle can track the device's location. [1]

Mobile | T1544 | Ingress Tool Transfer
Monokle can download attacker-specified files. [1]

Mobile | T1636.001 | Calendar Entries (sub-technique)
Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description. [1]

Mobile | T1429 | Audio Capture
Monokle can record audio from the device's microphone and can record phone calls, specifying the output audio quality. [1]

Mobile | T1636.002 | Call Log (sub-technique)
Monokle can retrieve call history. [1]

Mobile | T1422.002 | Wi-Fi Discovery (sub-technique)
Monokle checks if the device is connected via Wi-Fi or mobile data. [1]

Mobile | T1418 | Software Discovery
Monokle can list applications installed on the device. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 94fd1c18efe43ac8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Status | Raw hash
19.1 | (current bundle) | 1.2 | Current bundle | 94fd1c18efe4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-Monokle. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  2. [2] mitre-attack S0407.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.