Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/24/2014
12:55 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Governments Use 'Legal' Mobile Malware To Spy On Citizens

New research shows how C&C infrastructure and mobile Trojans are packaged by one firm offering worldwide governments the means to spy on everyday criminals and political targets.

The barriers to entry for government entities large and small across the world to hijack and spy on citizen phones are lowering, according to two research reports released today in conjunction by Kaspersky Lab and Citizen Lab.

The researchers not only mapped out the underlying command and control infrastructure for a massive mesh of "legal" malware implants, but also discovered how mobile Trojans are used to pump information from victims' phones through those C&C servers. Most notable among the mobile analyses were those about Android and iOS Trojans, which have been known to exist in the past but have been difficult to find and analyze in the past.

The research is a continuance of work looking into a tool targeted for government use called Remote Control System (RCS) and sometimes marketed as Gallileo by an Italian firm called HackingTeam. Kaspersky researchers had previously developed and last year published methods to fingerprint RCS C&C servers. This latest round of research builds off that, starting with a mapping of where RCS command servers are located. These servers were scattered across the world, with the bulk of them in North and South America, Europe, and Asia. Kaspersky stated that the largest number of servers were in the US, Kazakhstan, and Ecuador.

"The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies," says Sergey Golovanov, principal security researcher for Kaspersky Lab. "However, it makes sense for the users of RCS to deploy C&Cs in locations they control, where there are minimal risks of cross-border legal issues or server seizures.”

According to Citizen Lab's report, the team there based its research off of documentation it had received from an anonymous source, which laid out how the typically deployed RCS infrastructure works. Depending on a distributed architecture, RCS can begin to spy on targets via over a dozen mobile implant methods, including network injection in cooperation with an ISP, droppers bundled with bait applications, mobile installers, QR code, silent desktop installers, and even WAP push messages.

Two of the newest discoveries in this latest set of research on RCS were the analyses of Android and iOS Trojans used by the system to hijack users' phones. These mobile modules are discreet and can be fine-tuned to spy only if certain triggers are tripped, such as starting audio recording when the target is connected to specific networks. They're capable of sending information back to command servers about the target's location, which can be included on a customized Google map containing multiple victim locations. They can also take pictures, copy events from calendars, and intercept phone calls, SMS messages, and chat messages from apps like Skype and WhatsApp. While the iOS app can only take over a jailbroken iOS device, governments can use jailbreaking tools like Evasi0n from an infected computer to run a jailbreak on a device.

"They translate into complete control over the environment in and near a victim’s computer," Kaspersky wrote in its report. "Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target -- which is much more powerful than traditional cloak and dagger operations."

Researchers with Citizen Lab state that the interesting takeaway from its research into HackingTeam's framework isn't its level of sophistication -- it can't rival something like Aurora, for instance -- but its lowering of the barrier of entry for potential users.

"Their software is marketed to target everyday criminality and 'security threats,' whereas the state-sponsored campaigns (like Aurora) are designed to support espionage operations against hardened, high-value targets," the researchers wrote in their report. "This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments."

The researchers believe that while the tool is marketed toward customers seeking to spy on criminals, the lower cost of entry also "lowers the cost of targeting political threats."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/29/2014 | 9:10:30 PM
Unconstiutional
Wasn't there a recent judgment made passing this as unconstitutional? I think it might have been within the last week. If anyone knows off hand please elaborate. I will try to find more data.
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/28/2014 | 12:00:10 PM
Re: Spy vs Spy
Since it is well established, atleast according to Snowden..if that is his real name. The NSA can undetectably intercept devices in transit and implant them with malware before the shipment reaches it's destination.

With that being said, who in their right mind uses stock firmware on their mobile device? I use my own highly customized firmware built and hardened from scratch. SMS functionality is completely stripped. GPS functionality can actually be disabled along with camera and mic. All data/VOIP communications are established via VPN and pass through an IPS. The hardware MAC address is spoofed at a random interval and all data on the device is fullly encrypted and will self destruct via 35 pass Gutmann Algorithm after 5 failed attempts to bypass the screen lock.

Do I have anything to hide? No. But I do believe very strongly in personal privacy and having complete control of my device.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/25/2014 | 1:52:21 AM
Spy vs Spy
I'm one of the little guys.  Am I high tech?  Yes.  Do I work up in the 5-10% head space when it comes to using tech beyond the pale?  Yes.  But I still see myself as one of the little guys when it comes to the government.  Look, Big Bro – we don't have any secrets.  You know the bad and the good I've done.  Listen to my phone conversations, comb my email, and monitor my network traffic.  It's OK – I'm over it now.  But, for crying out loud, be smart about it.  Whether you do it through "legal" means or otherwise, you're still opening the door for everyone else out there to get to my information; and that I do care about.

See, for every encrypted tunnel out there is a host of hackers dying to look down it.  Snowden didn't scratch the surface with his revelations – I suspect he was really only stating the obvious.  The real issue is that, especially with the tech described in this article – our favorite cartoon Spy vs Spy has moved from anvils, bombs and guns to bots, malware, injection and sniffing.  Name the US government agency electronically connecting to your data and I'll show you a foreign government-employed hacker trying to ride that connection and share in the booty, and a host of cyber criminals right behind him.

So, what I'm asking you, Big Bro, is – and I can't believe I'm saying this – to please get better at spying on us, secure your connections and software better, and please keep all my private information just between us!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25747
PUBLISHED: 2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightn...
CVE-2020-25748
PUBLISHED: 2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP s...
CVE-2020-25749
PUBLISHED: 2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet...
CVE-2020-24592
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-24593
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.