Iranian Opposition: IRGC Uses Globally-Available Messaging Apps to Spy on Citizens

Patrick Goodenough, CNS News, 15 February 2018

Rattled by recent protests against the 39-year-old regime, Iran’s Islamic Revolutionary Guard Corps (IRGC) is accelerating its cyber warfare capabilities, including embedding spyware into apps used by millions of Iranians, a new report claims. Those affected could potentially include expats in the West, who use the apps to contact relatives inside Iran.

The report by the exiled Iranian opposition group National Council of Resistance of Iran (NCRI)/People’s Mujahedeen Organization of Iran (MEK) says technology, mobile devices and message-sharing apps helped the protests that erupted in late December to spread to cities and towns across Iran, and enabled protestors to get their message to the outside world.

“The protesters’ use of cyber technology proved to be the regime’s Achilles’ Heel since it could not, despite a huge show of force, stop the expansion of protests.”

Alongside its violent crackdown on the unrest, the regime moved to restrict Internet access and block apps, particularly the popular encrypted cloud-based messaging app Telegram, which millions of Iranians use – and which offers an optional message “self-destruct” function.

According to the report, the IRGC and ministry of intelligence and security have now “accelerated significantly” a program of spying on Iranians.

MEK sources inside Iran have “established that the regime has focused on mass surveillance through malicious codes embedded in IRGC mobile apps to actively monitor and disrupt the communication of protesters and dissidents,” the report said.

The aim: to counter the expansion of the uprising and avert more protests, in a country where an estimated 70 percent of Iran’s 82 million people have access to the Internet and some 48 million have smartphones.

Alireza Jafarzadeh, deputy director of the National Council of Resistance of Iran’s Washington office, speaks at the launch Thursday of the organization’s new report on Iran’s ‘cyber repression.’ 

Released in Washington DC on Thursday, the report, “Iran: Cyber Repression, How the IRGC Uses Cyberwarfare To Preserve the Theocracy,” claims that IRGC front companies are developing spyware-enabled apps to enable mass surveillance.

It notes that some, such as Mobogram – an unofficial Telegram client or “fork” – are even available on Apple’s App Store and Google Play, “potentially exposing millions of users worldwide to the IRGC’s spyware and surveillance activities.”

The report says Mobogram is developed by Hanista Group, which it identifies as an IRGC front company.

People who install Mobogram are automatically added to Hanista’s own Telegram channel. The channel has some 4.7 million subscribers, so that’s a likely indication of the number of people using Mobogram, it says.

The report also points to Café Bazaar, an Iranian app store modeled after Google Play, saying it is supervised by the IRGC and is “the IRGC’s platform of choice to promote and distribute spyware enabled mobile apps.”

The report says apps like Mobogram are available on global platforms such as the App Store and Google Play “despite reports and user reviews warning they contain spyware embedded by the Iranian regime’s app developers.”

“The spread of these apps outside Iran will put Internet users across the world at significant risk, increasing the rate of malware infections.”

“Millions of mobile users in Iran are victims today and millions more will be victims elsewhere if the Iranian regime’s latest cyberwarfare is not confronted with effective countermeasures.”

Telegram CEO Pavel Durov warned on Twitter last summer that Mobogram was a “potentially insecure fork of Telegram from Iran” and advised against using it.

Alireza Jafarzadeh, deputy director of the NCRI’s Washington office, said the organization developing such apps is also responsible for the regime’s cyber warfare against the U.S.

“What the regime is doing is testing the success of these apps on the people of Iran first,” he was quoted as saying at the report launch. “If not confronted, the next victims will be the people of other nations, and that’s why it’s so important to react and do something.”

Asked about the availability of apps like Mobogram on its app store, a Google spokesman said Thursday the company was investigating.

“We always take feedback from the community seriously and are currently investigating the situation,” he said. “While we don’t comment on specific apps, our Google Play policies are designed to provide a great experience for users.”

Queries sent to Apple brought no response by press time.

‘Working to penetrate U.S. and allied networks for espionage’

During the recent protests, hardline elements in Iran blamed the continued availability of social media channels that are not under control of the regime.

“Everyone has seen that the Internet fanned the flames,” Ahmad Khatami, Tehran’s Friday preacher and a member of the Assembly of Experts, said in a Jan. 5 sermon, according to a translation by the Middle East Media Research Institute (MEMRI).

As soon as Internet use was restricted, he said, “the fitna [an Islamic term for strife] died out.”

“I agree with an Internet whose key is in the hands of the regime,” Khatami said, calling for Iran to shut out external platforms altogether. “The nation does not agree to an Internet whose key is in the hands of America.”

In his latest worldwide threat assessment report for Congress, Director of National Intelligence Dan Coats warned this week that the greatest cyber threats to the U.S. this year will come from Iran, along with Russia, China and North Korea.

Coats said Iran’s main targets are regional adversaries Israel and Saudi Arabia, but that the intelligence community assesses that Tehran “will continue working to penetrate U.S. and allied networks for espionage and to position itself for potential future cyber-attacks.”

The NCRI/MEK boasts a network of sources inside Iran, including in the IRGC and other regime organs. It has provided invaluable intelligence in the past, including the key information in 2002 that exposed nuclear activities Tehran had hidden from the international community for two decades.

Iran regards the group as a terrorist organization – as did the U.S. until the State Department delisted it in 2012, citing its renunciation of violence and “the absence of confirmed acts of terrorism by the MEK for more than a decade.”

Scroll to Top