Governments Use 'Legal' Mobile Malware To Spy On Citizens

The barriers to entry for government entities large and small across the world to hijack and spy on citizen phones are lowering, according to two research reports released today in conjunction by Kaspersky Lab and Citizen Lab.

The researchers not only mapped out the underlying command and control infrastructure for a massive mesh of "legal" malware implants, but also discovered how mobile Trojans are used to pump information from victims' phones through those C&C servers. Most notable among the mobile analyses were those about Android and iOS Trojans, which have been known to exist in the past but have been difficult to find and analyze in the past.

The research is a continuance of work looking into a tool targeted for government use called Remote Control System (RCS) and sometimes marketed as Gallileo by an Italian firm called HackingTeam. Kaspersky researchers had previously developed and last year published methods to fingerprint RCS C&C servers. This latest round of research builds off that, starting with a mapping of where RCS command servers are located. These servers were scattered across the world, with the bulk of them in North and South America, Europe, and Asia. Kaspersky stated that the largest number of servers were in the US, Kazakhstan, and Ecuador.

"The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies," says Sergey Golovanov, principal security researcher for Kaspersky Lab. "However, it makes sense for the users of RCS to deploy C&Cs in locations they control, where there are minimal risks of cross-border legal issues or server seizures.”

According to Citizen Lab's report, the team there based its research off of documentation it had received from an anonymous source, which laid out how the typically deployed RCS infrastructure works. Depending on a distributed architecture, RCS can begin to spy on targets via over a dozen mobile implant methods, including network injection in cooperation with an ISP, droppers bundled with bait applications, mobile installers, QR code, silent desktop installers, and even WAP push messages.

Two of the newest discoveries in this latest set of research on RCS were the analyses of Android and iOS Trojans used by the system to hijack users' phones. These mobile modules are discreet and can be fine-tuned to spy only if certain triggers are tripped, such as starting audio recording when the target is connected to specific networks. They're capable of sending information back to command servers about the target's location, which can be included on a customized Google map containing multiple victim locations. They can also take pictures, copy events from calendars, and intercept phone calls, SMS messages, and chat messages from apps like Skype and WhatsApp. While the iOS app can only take over a jailbroken iOS device, governments can use jailbreaking tools like Evasi0n from an infected computer to run a jailbreak on a device.

"They translate into complete control over the environment in and near a victim’s computer," Kaspersky wrote in its report. "Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target -- which is much more powerful than traditional cloak and dagger operations."

Researchers with Citizen Lab state that the interesting takeaway from its research into HackingTeam's framework isn't its level of sophistication -- it can't rival something like Aurora, for instance -- but its lowering of the barrier of entry for potential users.

"Their software is marketed to target everyday criminality and 'security threats,' whereas the state-sponsored campaigns (like Aurora) are designed to support espionage operations against hardened, high-value targets," the researchers wrote in their report. "This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments."

The researchers believe that while the tool is marketed toward customers seeking to spy on criminals, the lower cost of entry also "lowers the cost of targeting political threats."