Researchers Go Inside HackingTeam Mobile Malware, Command Infrastructure

Researchers from Kaspersky Lab and Citizen Lab released a report today with extensive details on HackingTeam’s controversial RCS spyware, in particular its global command infrastructure and its mobile malware.

Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for surveillance has a global command and control infrastructure, and for the first time security experts have insight into how its mobile malware components work.

Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers identified in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices.

The mobile modules give governments and law enforcement extensive monitoring capabilities over victims, including reporting the victim’s location, stealing data from the device, using the device’s microphone in real time, intercepting voice and text messages sent via applications such as Skype, WhatsApp and Viber, and much more.

“It was a well-known fact for quite some time that the HackingTeam products included malware for mobile phones. However, these were rarely seen,” said Kaspersky Lab experts on the Securelist blog. HackingTeam, the researchers said, also built modules for Windows Mobile and BlackBerry. “In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story.”

Building on research released in March which revealed that at least 20 percent of the infrastructure supporting surveillance using HackingTeam’s Remote Control System (RCS) was located within a dozen U.S. data centers, today’s report demonstrates RCS’ massive reach worldwide, aiding officials in the targeting of victims including journalists, politicians, human rights advocates and others.

“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.

Golovanov and Morgan Marquis-Boire of Citizen Lab presented the research today in London, and said that the majority of the command servers were hosted in the United States, the United Kingdom, Canada, Ecuador and Kazakhstan. The researchers from both teams combined reverse-engineered malware samples, specific indicators of compromise and connectivity data to identify the location of the command and control infrastructure worldwide.

RCS, also known as Galileo, is advertised by HackingTeam as a solution capable of beating encryption technology meant to secure communication and data. The software is agent-based and is surreptitiously installed on the victim’s device; stolen data is sent encrypted back to a command server.

Kaspersky Lab said this is the first time the iOS and Android mobile modules have been dissected. Its researchers have been looking at RCS malware samples for two years, the company said in a statement, and were able to match the mobile modules to other RCS malware configuration profiles they had collected, as well as to samples from Citizen Lab.

The mobile implants, the researchers said, are custom built for each target and loaded onto a device.

“Once the sample is ready, the attacker delivers it to the mobile device of the victim. Some of the known infection vectors include spearphishing via social engineering – often coupled with exploits, including zero-days; and local infections via USB cables while synchronizing mobile devices,” Kaspersky Lab said in a statement.

Taking a deeper dive into the malware, Kaspersky and Citizen Lab learned that the iOS version of the RCS Trojan works only on jailbroken devices. A pristine iPhone can still be infected if the attacker is able to jailbreak it first, for example by running a jailbreaking tool such as Evasi0n from a computer the phone is connected to, and then load the malware implant.

The iOS module has a laundry list of capabilities, including surveillance over email, SMS, MMS, web history, the address book, call history and keystrokes, and the ability to use both the live microphone and the camera.

“Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target—which is much more powerful than traditional cloak and dagger operations,” Kaspersky Lab said in a statement.

The Android module, meanwhile, is protected by DexGuard, a commercial obfuscator for Android applications, which made analysis challenging. Most of the iOS capabilities are also available for Android, in addition to support for hijacking applications such as Facebook, Google Talk, China’s Tencent and more.

“The RCS mobile modules are meticulously designed to operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life,” Kaspersky Lab said. “This is implemented through carefully customized spying capabilities, or special triggers: for example, an audio recording may start only when a victim is connected to a particular Wi-Fi network (for example, the network of a media house), or when he/she changes the SIM card, or while the device is charging.”
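The triggers described above (recording on charge, on SIM change, or on joining a chosen Wi-Fi network) map onto system broadcasts an Android app can register receivers for, and that is something a reviewer can look for in an application’s manifest. The following is an added, illustrative triage heuristic written for this article; it is not code from Kaspersky Lab, Citizen Lab or HackingTeam, and it does not identify RCS. It flags only the combination of a microphone or camera permission with receivers for those trigger broadcasts, since either alone is common in benign apps. The intent-to-trigger mapping and both manifests are constructed for the example.

```python
"""Heuristic triage of an Android manifest for RCS-style trigger receivers.

Added example for this article, not code from the researchers or from
HackingTeam. The action-to-trigger mapping is an assumption of this
example, and both manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions an implant would register for to realise the triggers
# the researchers describe: recording when charging, on SIM swap, or when
# joining a chosen Wi-Fi network (assumed mapping).
TRIGGER_ACTIONS = {
    "android.intent.action.ACTION_POWER_CONNECTED": "charging",
    "android.intent.action.SIM_STATE_CHANGED": "sim-change",
    "android.net.wifi.STATE_CHANGE": "wifi-connect",
    "android.net.conn.CONNECTIVITY_CHANGE": "wifi-connect",
}

# Permissions that give the triggered code something to collect.
SENSOR_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return trigger kinds and sensor permissions found, plus a verdict.

    A manifest is flagged only when it combines at least one sensor
    permission with at least one trigger receiver; a battery widget
    (charging receiver, no microphone) or a VoIP client (microphone, no
    trigger receiver) is not flagged.
    """
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    sensors = perms & SENSOR_PERMISSIONS
    triggers = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            kind = TRIGGER_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if kind:
                triggers.add(kind)
    return {
        "package": root.get("package"),
        "sensor_permissions": sensors,
        "triggers": triggers,
        "flagged": bool(sensors) and bool(triggers),
    }


# Constructed manifest: microphone permission plus all three triggers.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sync">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.intent.action.SIM_STATE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest: a battery widget that only watches the charger.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterywidget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".ChargeWidget">
      <intent-filter>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], "flagged" if result["flagged"] else "clear",
              sorted(result["triggers"]), sorted(result["sensor_permissions"]))
```

Two caveats apply to any manifest-only check like this one: receivers can also be registered dynamically from code (so a clean manifest proves nothing), and an obfuscated package such as the DexGuard-protected Android module described above still has to declare its permissions and statically registered receivers in the manifest, which is why the manifest remains a useful first place to look even when the bytecode is hard to read.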
