After capturing secret remote control “implants” in the wild – the Italian Hacking Team’s Trojans that target and infect smartphones for maximum surveillance – Kaspersky Lab and Citizen Lab gave detailed reports on the “legal” spyware. While the mobile implants are also available for BlackBerry and Windows Phones, we are primarily looking at stealthy and invasive Remote Control System (RCS) toolkits, aka the Hacking Team’s “lawful intercept” Galileo software aimed at iPhones and Androids.
Kaspersky Lab explained:
First, a victim’s computer is infected with Windows or MacOS malware. The infection vectors are different each time and may include social engineering tricks, exploits and spear phishing. The malware silently sits in the computer, performs typical spying activities like keylogging and waits until the victim connects his/her smartphone to perform an iTunes sync.
“The iOS module works only on jailbroken devices,” so secretly jailbreaking an iPhone comes first. That opens the way to the following iOS module surveillance functionalities: control of Wi-Fi, GPS and GPRS for location reporting; recording audio in real time, including support for recording WhatsApp, Skype and Viber chats; spying on e-mail, call history, calendar, SMS, MMS, files accessed, cookies, visited URLs, cached web pages, notes, clipboard, list of apps and any SIM changes; stealing contact info via the address book, snagging passwords, activating the microphone, secretly snapping shots with the camera, logging keystrokes and screenshots.
It may be called lawful intercept, but it mimics less powerful malware that is deemed a cybercrime when it is deployed.
The Android implant has most of the same capabilities as the iOS version, and it can also hijack applications such as Facebook and Google Talk. Citizen Lab added that it, too, needs root privileges for the modules that capture chats, messages and screenshots. If root access was not obtained, however, the anti-forensic measures are less stealthy: “the victim sees a prompt requesting permission if an uninstall has been triggered.”
Citizen Lab wrote: “This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments.” As Citizen Lab pointed out, the Hacking Team dramatically lowered the entry cost and markets the “legal” malware “to target everyday criminality and ‘security threats’.”
The list of victims secretly targeted by these tools for invasive surveillance includes “activists and human rights advocates, as well as journalists and politicians. However, the interest in some victims is unclear. One notable example is a high school history teacher in the UK.”
A functionality referred to as “crisis” allows for actions on detection of “hostile” activity (the documents give the example of a packet sniffer). This functionality can be triggered by a range of scenarios and has a number of options based on identifying processes. In desktop versions, these options can include pausing synchronization and not hooking programs. For mobile versions, the options include pausing audio, camera, location collection and synchronization.
A wipe can also be triggered, and according to the documents, Hacking Team informs users that it will leave “no trace” of the implant. The uninstall action has several features that could be of interest in forensic analysis of potentially infected devices: (i) uninstall on BlackBerry triggers an automatic restart; (ii) uninstall on Android devices where root was not successfully gained results in a user prompt requesting permission to uninstall; (iii) on Windows Phone, uninstall deletes all files but does not remove the Application Icon from the list of programs.
Remote Control System Command & Control
Looking into the command infrastructure supporting the Hacking Team’s RCS, Kaspersky Lab found 326 servers in over 40 countries. Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, said, “The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy servers in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”
But of the 326 RCS C&C servers, the United States has 64, which is more than any other country, followed by 49 RCS control servers in Kazakhstan, 35 in Ecuador, 32 in the UK and 24 based in Canada. Wow, way to stay classy U.S.!
Furthermore, Citizen Lab has a Google map screenshot, part of the Hacking Team’s Analysts Guide for governmental interception, showing “the access-controlled parking lot of the LA County Sheriff” as the location. “It is possible that Hacking Team RCS is exposing highly sensitive investigation data of government clients to Google as they are making use of the Google Maps API to display this map,” they wrote.
RCS implant code signing
“RCS is designed to incorporate code signing when creating implants,” explained Citizen Lab. “The documents helpfully suggest Verisign, Thawte and GoDaddy as sources of code signing certificates.” To infect a Windows Phone “users are encouraged to register a Microsoft account and a Windows Phone Dev Center account.” Additionally, “documents indicate that Hacking Team is concerned with ensuring users correctly manage the approval process (managed by Symantec) and instructs users to promptly reply to phone and e-mail communications from Symantec.”
RCS “invisibility” factor
The Hacking Team has long marketed its toolkits with phrases such as “deploy a secret agent” for “total control over desktops and smartphones;” company brochures claimed the spyware could “defeat encryption” and even “go stealth and untraceable” aka “invisible” as it is capable of evading the target’s computer security by bypassing “antivirus, antispyware and personal firewalls.”
Citizen Lab obtained an undated “Invisibility Report” for Version 9.0 of the Hacking Team’s RCS solution which includes “the Silent Installer, Melted application, Network Injector INJECT-EXE attack, and Offline CD.” After “tests were performed on a default 64-bit Windows 7 installation,” the invisibility documentation shows that only against a few security products could the implant not be upgraded to “elite.”
Who has your back?
Many times in the past, security firms have denied allowing such malware to go undetected. Kaspersky Lab said this was the first time it has obtained RCS smartphone “implants” in the wild; in fact showing the “level of sophistication and scale of these surveillance tools” is part of why Kaspersky published the data. “We like to think that if we’re able to protect our customers from such advanced threats, then we’ll sure have no trouble with lesser, more common threats like those posed by cybercriminals.”
Sure, there’s plenty of scumbag criminals in the world, but wouldn’t other names for this “legal intercept” software be malware, spyware, or Trojan? Although the status for Kaspersky will change for the Invisibility Report, every security company with a product on that list should change too. Why? Because consumers are not synonymous with potential terrorist “targets.” Victims have included activists, human rights advocates, journalists and politicians…oh, and don’t forget that big, bad scary high school history teacher in the UK.
As Citizen Lab said, “By dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats for those with access to Hacking Team and Gamma Group toolkits.”