Remote Control System (RCS), a “legal” spyware tool developed by the Italian company HackingTeam, has been deployed as a broad network of controversial spyware by various law enforcement entities around the world. Now, a new version has reportedly been designed to give law enforcement agencies complete access to a suspect's phone for the purpose of surveillance.
According to researchers from Kaspersky Lab and Citizen Lab, Munk School of Global Affairs at the University of Toronto, a number of mobile malware modules for RCS are now operating in the wild, including modules for Android, Apple iOS, Windows Mobile and BlackBerry. The iOS module works only on jailbroken devices.
“It was a well-known fact for quite some time that HackingTeam products included malware for mobile phones,” Kaspersky said in a posting. “However, these were rarely seen. In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story.”
The main functionality of the spyware includes network control; recording of voice, e-mail, SMS and MMS messages; control of the microphone and camera; and the ability to examine file listings, cookies, visited URLs, cached web pages, the address book, call history, notes, calendar, clipboard, the list of installed apps, SIM changes and support chats. The spyware can also monitor activity in the WhatsApp, Skype and Viber apps, and can log keystrokes from all apps and screens.
“They translate into complete control over the environment in and near a victim’s computer,” Kaspersky said. “Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target – which is much more powerful than traditional cloak and dagger operations.”
The modules are installed using infectors – special executables for either Windows or Mac that run on already infected computers.
“The fact that only jailbroken iOS devices are supported can be a limiting factor,” Kaspersky said. “However, this is not a huge problem since an attacker can also run a jailbreaking tool such as Evasi0n via the same infected computer. In this case the only thing that can protect a user from a remote jailbreak and infection is the mobile device’s passcode. However, if the device is unlocked while connected to the infected computer, it can be infected by the attacker.”
The spyware seems to be spreading globally, with instances piling up.
“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments,” Citizen Lab said in its analysis. “An unstated assumption is that customers that can pay for these tools will use them correctly, and primarily for strictly overseen, legal purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats.”
In testament to this, Kaspersky mapped a huge infrastructure behind the spyware: a grand total of 326 HackingTeam RCS command and control (C&C) servers around the world, with the US hosting the most (64). Kazakhstan, interestingly, comes in second with 49.
“Unfortunately, we can’t be sure that the servers in a certain country are used by that specific country’s law enforcement agencies (LEA); however, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers,” Kaspersky noted. “Nevertheless, several IPs were identified as government-related based on their WHOIS information, and they provide a good indication of who owns them.”
Some note that the widespread nature of the toolkit is concerning on more than one level. “As of yesterday even the Supreme Court of the US recognizes that ‘American adults who own cell phones keep on their person a digital record of nearly every aspect of their lives.’ Having it hacked by a Hacking Team – legally or not – represents an intrusion of incalculable proportions,” said TextPower CEO Scott Goldman in a comment to Infosecurity. “If malware is installed on a smartphone legally to, for example, track or trace terrorist activities, a legitimate argument is that it can be a powerful and useful tool. If used nefariously it would be the modern-day equivalent of stealing someone's mail, ripping off their bank account and reading their personal diary all at the same time.”
Goldman noted that it would be virtually impossible for the average smartphone user to know that their phone was infected with this type of malware. “It's a slippery slope, especially if it is sold to and used by a rogue or repressive regime (e.g., China, Iran, Cuba),” he said. “The real question here seems to be how to control the distribution of this spyware, and the answer in the final analysis is – you can't. Once it's out it's like a photo posted online – you might remove the original copy but it's already spread so far that it's impossible to retract them all.”