Cybersecurity software SecondEye is the latest tool to be used against citizens of Iran to track their behaviour, new research has revealed.

Civil unrest in Iran has led to protests around the world. (Photo by Ryan S. Thomas/Shutterstock)

SecondEye, which was developed in Iran, is marketed as a parenting or employee surveillance tool but has been converted into spyware called EyeSpy. The malware is deployed hidden in free VPN packages, which have increased in popularity since the Iranian government’s digital blackout, which has left citizens without access to the internet during the recent civil unrest.

EyeSpy malware spies on Iranian citizens

Once the spyware has been downloaded, the victim has effectively enabled round-the-clock digital surveillance on their device.

“The malware steals sensitive information from an infected system,” says the report published today by security vendor Bitdefender. “Stored passwords, crypto-wallet data, documents and images, contents from clipboard and logs of key presses” can all be monitored. This sort of access can lead to complete account takeovers, identity theft and financial loss.

“Moreover, by logging keypresses, attackers can obtain messages typed by the victim on social media or email, which can be used to blackmail victims,” it states. 

According to the findings, reports of the malware being deployed have escalated since a digital blackout was imposed by the Iranian government, cutting off internet access to many citizens. These measures were put in place in response to political unrest triggered by the death of 22-year-old Mahsa Amini in September, allegedly at the hands of Iranian police. Amini’s death led to protests on the streets of many Iranian cities and around the world.

“We believe that the attackers targeted VPN apps as Iranians have very limited options when it comes to purchasing VPN solutions,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender. “Most countries don’t sell their products in Iran because of the technology embargo. However, starting with the protests in September, more and more Iranians have turned to VPN solutions to attempt to evade the digital blockade that is disrupting access to social networks, or by blocking encrypted DNS services and text messages for most of the country’s 84 million citizens.

“At this point attackers would have had much greater chances of unwary users downloading the tainted kits and installing the companion spyware app.” 

Cybersecurity and digital governance tracker NetBlocks noted obvious disturbances to Iran’s internet access in November, which likely preceded the surge in VPN use.

It is not known who is deploying EyeSpy, but most of the victims are in Iran, with some in Germany and the US, the Bitdefender research says.

EyeSpy is the latest malware tracking Iranians

Use of spyware has characterised the protests in Iran. In October, one month into the protests, security analysts at ESET announced that a known spyware campaign targeting Iranian citizens, called Domestic Kitten, had released a new variant masquerading as a translation app, dubbed Furball. The main purpose of this update appears to be to avoid detection by security software, ESET said at the time.

In November Tech Monitor reported that the Iranian government had been using a tool called SIAM to track its citizens. This used phones to locate protesters through their proximity to cell towers. It also slowed the usage of the phone to a crawl to better record the victim’s actions.

Downloading VPNs has been a popular way to evade this sort of attention, particularly during internet blackouts. “There are reports that protesters are using up to ten VPNs,” says Emily Taylor, associate editor of Chatham House and the CEO of cyber intelligence organisation Oxford Information Labs. “They end up having to hop between them, as a sort of a ‘Whac-A-Mole’ routine with the regime. Once the government gets onto one, it’s compromised and they have to move on to another.”

Indeed, the Iranian government takes the threat posed by VPNs so seriously that it may be on the verge of banning them altogether. Local reports suggest that the government’s Judiciary Department, in collaboration with the Ministry of Communications, is planning to take legal action against unauthorised sellers of the VPNs and other tools that help citizens circumvent online bans.

“That’s very much the authoritarian playbook,” Taylor says. “The regime is in defence mode against ongoing protests. What we are seeing is a picture of tightening controls and a real sharp focus on those protesters who face extraordinary risks due to the steps they are taking.

“There’s clearly a sort of technical arms race on both sides as each try to use technology to further their own objectives.”

Read more: Iran and Albania cut diplomatic ties over cyberattack