Capabilities of “lawful interception” mobile malware revealed

Researchers from Russian AV company Kaspersky Lab and the Citizen Lab of the University of Toronto have released details about the mobile surveillance tools provided by Hacking Team to governments, intelligence and law enforcement agencies around the world.

The Milan-based company says that it only sells its surveillance products to governments that have a good record of respecting human rights and are not considered to be repressive regimes, but the researchers have exposed evidence that points to these surveillance tools being used by a number of governments against political targets.

Hacking Team’s main product is the Remote Control System (RCS), which collects data/evidence from computers and mobile phones on which a spying module has been installed, and sends it to an RCS server controlled by the government/agency.

For a while now researchers have been trying to find concrete evidence of these servers and the spying modules/implants used. It’s been hard, especially because the implants are successful at hiding their presence and activity.

But earlier this year, Kaspersky Lab researchers managed to discover a number of Hacking Team’s mobile malware modules for Android, iOS, Windows Mobile and BlackBerry.

Mainly interested in the versions for the first two platforms, they analyzed the modules and discovered that the iOS module could: control the Wi-Fi, GPS, GPRS connections; record voice, collect e-mails, SMSes, MMSes; list files; collect cookies; check out the visited URLs and cached web pages; exfiltrate information from the address book, call history, notes, calendar, clipboard; get the list of apps on the phone; take photos; turn on the device’s microphone; log keystrokes and make screenshots, and so on.

It’s interesting to note that in order to get the module on the iOS device, the device needs to be jailbroken.

The Android module has the same capabilities plus a number of others (hijacking information from apps).

The modules can be installed on the devices either by connecting them to infected Windows or Mac OS X computers, or by tricking users into installing the modules themselves – something that Citizen Lab researchers believe happened in a specific instance when political dissidents were lured to a website offering a functional copy of a news app popular in Saudi Arabia, but bundled with the Hacking Team implant.

They also revealed that an anonymous individual sent them the user manual – which they believe to be authentic – that Hacking Team provides to its customers.

From it they learned the architecture of a prototypical Hacking Team RCS deployment and that each implant module can be customized. The document also explains the various synchronizing and data exfiltration capabilities of the modules, and how they manage to hide their malicious nature, presence and activity from packet sniffers, forensic analysis tools, AV solutions, the device itself, and users.

Kaspersky Lab researchers have also managed to discover a specific feature that can be used to fingerprint the RCS command servers, and have pinpointed several hundred of them located around the world.

The largest number of servers was found in the US (64), Kazakhstan (49) and Ecuador (35), followed by the UK (32), Canada (24) and China (15). (For the entire list, go here.)

“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures,” commented Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
