Newly uncovered components of a digital surveillance tool used by more than 60 governments worldwide provide a rare glimpse at the extensive ways law enforcement and intelligence agencies use the tool to surreptitiously record and steal data from mobile phones.
The modules, made by the Italian company Hacking Team, were uncovered by researchers working independently of each other at Kaspersky Lab in Russia and the Citizen Lab in Canada, who say the findings provide great insight into the trade craft behind Hacking Team’s tools.
The new components target Android, iOS, Windows Mobile, and BlackBerry users and are part of Hacking Team’s larger suite of tools used for targeting desktop computers and laptops. But the iOS and Android modules provide cops and spooks with a robust menu of features to give them complete dominion over targeted phones.
They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can qlso enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.
“Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target—which is much more powerful than traditional cloak and dagger operations,” notes Kaspersky researcher Sergey Golovanov in a blog post about the findings.
It’s long been known that law enforcement and intelligence agencies worldwide use Hacking Team’s tools to spy on computer and mobile phone users—including, in some countries, to spy on political dissidents, journalists and human rights advocates. This is the first time, however, that the modules used to spy on mobile phone users have been uncovered in the wild and reverse-engineered.
Kaspersky and Citizens Lab discovered them after developing new methods to search for code fragments and digital certificates used by Hacking Team’s tools.
The modules work in conjunction with Hacking Team’s core surveillance tool, known as the Remote Control System, which the company markets under the names Da Vinci and Galileo.
In a sleek marketing video for Galileo, Hacking Team touts the tool as the perfect solution for obtaining hard-to-reach data—such as data taken by a suspect across borders or data and communications that never leave the target’s computer and therefore can’t be siphoned in transit.
“You want to look through your targets’s eyes,” says the video. “While your target is browsing the web, exchanging documents, receiving SMS….”
Hacking Team’s tools are controlled remotely through command-and-control servers set up by Hacking Team’s law enforcement and intelligence agency customers to monitor multiple targets.
Kaspersky has tracked more than 350 command-and-control servers created for this purpose in more than 40 countries. While Kaspersky found only one or two servers in most of these countries, the researchers found 64 in the United States—by far the most. Kazakhstan followed with 49, Ecuador with 35 and the United Kingdom with 32. It’s not known for certain whether law enforcement agencies in the U.S. use Hacking Team’s tool or if these servers are used by other governments. But as Kaspersky notes, it makes little sense for governments to maintain their command servers in foreign countries where they run the risk of losing control over the servers.
In addition to the modules that were uncovered, Citizen Lab obtained from an anonymous source a copy of the lengthy user’s manual that Hacking Team provides customers. The illustrated document explains in detail how to build the surveillance infrastructure needed to deliver implants to targeted devices and to use the software tool’s dashboard to manage intelligence gleaned from infected computers and phones.
“This gives new visibility into the operational procedures of lawful intercept malware,” says Citizen Lab researcher Morgan Marquis-Boire. “Previous research has allowed us to understand how the software works. This allows us a holistic view of how this type of targeted surveillance is conducted.”
The modules and training manual all show that Hacking Team is well aware of the attention its products have received from researchers in recent years and has taken several steps to thwart attempts to understand how its spy tools work.
“They are well aware that their product may show up on the analyst chopping block at some stage, and they’re taking various steps to mitigate this risk,” says Marquis-Boire.
The Android spy module, for example, uses obfuscation to make it harder to reverse-engineer and examine the module. And before installing itself on machines, Hacking Team’s main spy tool has scouting agents that conduct reconnaissance to identify anything on a system that might detect it.
Once on a system, the iPhone module uses advance techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.
“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.
One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.
Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems. Hacking Team asserts that this will uninstall and erase all traces of the tools, but Citizen Lab discovered that initiating a wipe on some mobile phones creates telltale signs. On a BlackBerry, for example, it causes the device to automatically restart. On Android devices, the uninstall can, under certain conditions, cause a prompt to appear onscreen asking permission from the user to uninstall an application called “DeviceInfo”—the name the Android spy tool uses for itself.
In addition to the variety of obfuscation measures the tools use, Hacking Team also advises customers to set up several anonymous proxy servers through which to route data stolen from victim machines. In this way, researchers and victims won’t be able to easily follow the path the data takes back to command servers. Oddly, Hacking Team borrows the logo of the hacktivist group Anonymous—an empty black business suit—to designate the anonymized proxy servers in its user manual.
Hacking Team first developed its Remote Control System spy suite in 2001. Initially it was a free, open-source tool for conducting man-in-the-middle attacks and was used by hackers and security researchers alike. Soon, however, police in Milan contacted the two authors of the tool—Alberto Ornaghi and Marco Valleri—for help developing something to eavesdrop on Skype communications. Work on this tool evolved into RCS.
Hacking Team has long argued that its products are intended for lawful governmental interception only and that it won’t sell its products to repressive regimes and countries blacklisted by NATO. But its spy suite reportedly has been used to spy on the citizen journalist group Mamfakinch in Morocco and appears to have been used by someone in Turkey to target a woman in the U.S. who was a vocal critical of Turkey’s Gulen movement.
Indeed, the Android spy module that Citizen Lab uncovered was masquerading as a legitimate news app for Qatif Today, an Arabic-language news and information service that covers the Qatif region in eastern Saudi Arabia. The government of Saudi Arabia has faced off several times in the last few years against Shia protestors in the Qatif region who have demanded political reform from the Sunni government and the release of political prisoners.
Although the Citizen Lab researchers are careful to point out that they don’t know for certain that the Saudi government is using the Hacking Team tool to spy on political dissidents, circumstantial evidence shows this may be the case.
The malicious Qatif Today app was discovered after someone uploaded the file in March to the VirusTotal web site—a site owned by Google that aggregates several dozen antivirus scanners to detect malware. The file was signed with a bogus certificate that appeared to belong to Sun Microsystems. Citizen Lab found evidence that a Twitter account of interest to Shiites in Qatif may have been used to tweet a link to the malicious file to lure targets into downloading it onto their phones.
While Hacking Team’s core Galileo tool for spying on computers is valuable for governments, the mobile spy modules are particularly attractive to repressive regimes where activists and others use their mobile phones to organize and stay connected during protests.
Cops can install the phone implants directly onto a mobile device if they have physical access to it. But they can also install the implants if a user connects the mobile device to a computer—for example, to charge the device—and the computer is already infected with Da Vinci or Galileo.
The iOS spy module works only on jailbroken iPhones, but agents can simply run a jailbreaking tool and then install the spyware. The only thing protecting a user from a surreptitious jailbreak is enabling a password on the device. But if the device is connected to a computer infected with Da Vinci or Galileo software and the user unlocks the device with a password, the malware on the computer can surreptitiously jailbreak the phone to install the spy tool.
So far, the researchers haven’t uncovered any methods used for remotely infecting phones with the Hacking Team malware via a phishing attack or a malicious web site.
Citizen Lab points out in its report on the malware that it’s important to understand how Hacking Team’s tools work, since they are powerful weapons, no different from the types of tools used by nation states against one another. But in this case they’re employed by government customers not against other government targets but against ordinary citizens.
“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now being marketed for targeting everyday criminality and ‘security threats,’” they write. “An unstated assumption is that the entities able to buy these tools will use them correctly, and primarily for law enforcement purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, it lowers the cost of targeting political threats” too.
1,229 total views