How governments devise custom “implants” to bug smartphones

aGameOfThrones
06-24-2014, 10:04 PM
Citizen Lab
http://cdn.arstechnica.net/wp-content/uploads/2014/06/5_RCS_Logic.png
On Twitter, it was billed as Qatif Today, a legitimate Android app that provides news and information in Arabic with a focus on the Qatif governorate of Saudi Arabia. But in fact, the shortened link came with a hidden extra—an advanced trojan wealthy nation states use to spy on criminal suspects and political dissidents.
Citizen Lab, the University of Toronto group that monitors government surveillance in the digital age, analyzed the recently discovered instance of the fake Qatif Today app in a blog post headlined Police Story: Hacking Team’s Government Surveillance Malware. The account provides a rare glimpse into malware developed by "Hacking Team," a highly secretive outfit based in Italy that charges governments top dollar for extremely stealthy spyware that's often referred to as a "lawful intercept" program.

The trojan is known as an Android implant because it cloaks itself inside a legitimate third-party app. People who are infected with it must first be tricked into obtaining the Android installation package (APK) from a non-authorized source, which in this case was a now-shuttered Dropbox location. Aside from that, victims may have little indication anything is amiss. To lend it legitimacy, the malicious APK was signed by a digital certificate that appeared to be related to Java and its original creator Sun Microsystems. Citizen Lab identified six other samples signed by the same certificate.

Once installed, the app establishes contact with command and control servers located at 91.109.17.189 and 106.186.17.60, which are addresses Citizen Lab has seen used in previous Hacking Team campaigns. The implant also attempts to break out of its Android-imposed security sandbox by exploiting a vulnerability in older Android versions on specific handsets that allows apps to gain unfettered root privileges.

The trojan next tries to access local files stored by a variety of social media, chat, and call apps including Facebook, Viber, WhatsApp, Skype, LINE, and QQ. The app has audio recording, camera, video, key logging, and "live mic" capabilities, as well as a "crisis" module that provides anti-analysis functionality. The researchers also found evidence of what appears to be location, screenshot-taking, and browsing activity modules. The implant even seems to have a filter to specify date ranges to narrow the mail and text messages it sends back to the control servers. (It's not clear what happens when the app runs on Android versions that have patched the rooting vulnerability.)

"We also see information about how the implant exfiltrates data, along with its C2 servers," Tuesday's post reported. "Interestingly, it appears that the implant is capable of monitoring the device's connectivity (e.g. Wi-Fi, cellular network), choosing connection type, and rate limiting the bandwidth. Note that these are the same servers we observed in the implant’s network communications."

The Citizen Lab researchers provided an overview of the remote control system (RCS) architecture that works with the Android trojan and trojans for other platforms. The architecture relies on a series of system administrators, technicians, and analysts to funnel information pulled off an infected device to the interested parties. Unverified screenshots an anonymous person provided to Citizen Lab show RCS works on computers running Windows, Mac OS X, or Linux.


http://arstechnica.com/security/2014/06/how-governments-devise-custom-implants-to-bug-smartphones/