Researchers publish secret details of cops' phone-surveillance malware

Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, iOS, Windows Mobile and BlackBerry devices, with the most sophisticated attacks reserved for Android and iOS.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken iPhones.

The Android spy module, for example, uses obfuscation to make it harder to reverse-engineer and examine the module. And before installing itself on machines, Hacking Team’s main spy tool has scouting agents that conduct reconnaissance to identify anything on a system that might detect it.

Once on a system, the iPhone module uses advanced techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems. Hacking Team asserts that this will uninstall and erase all traces of the tools, but Citizen Lab discovered that initiating a wipe on some mobile phones creates telltale signs. On a BlackBerry, for example, it causes the device to automatically restart. On Android devices, the uninstall can, under certain conditions, cause a prompt to appear onscreen asking permission from the user to uninstall an application called “DeviceInfo”—the name the Android spy tool uses for itself.

Researchers Find and Decode the Spy Tools Governments Use to Hijack Phones [Kim Zetter/Wired]

(Image: Peephole, Paul Downey, CC-BY)

Notable Replies

  1. Lessons:
    1) The Good Guys (Cops, Feds, Sheriff of Nottingham, etc.) are not “Your plastic government pal who’s fun to be with!”
    2) Don't install anything you don't trust totally.
    3) If you lose sight of your phone at a check stop, border crossing, customs or maybe even at work or a party, wipe it. (If at a government check-point, consider getting a new phone anyways.)
    4) Maybe even practice frequent wipe procedures anyways. And hope it's not in the firmware. (More power to those who take the time to wipe and reload firmware and hope it's not baked into the device itself.)
    5) It's not paranoia if they really are after you wink


  2. Remember when hackers who worked with the cops were called "white hats?" I think we need some new terminology.

  3. Thought. Get servicing software for the phones, or tap directly the flash, and get the ability to completely image the filesystem. Essentially what common forensic tools for the phones do. A phone that's switched off will not be able to detect that something "wrong" is happening on it. (This is bad for "our" security but good against "their" secret tools. Few coins don't have two sides (and the often neglected "edge case").) Possibly leverage the access to the flash via JTAG, if accessible.

    After the border checkpoints and other such suspicious encounters, image the phone; if possible, before as well. (Ideally, get into habit of imaging the phone before travel; helps also as a backup for the more common problems - failure, theft or loss.) Compare the images.

    For those with access to the phone internals - phone hackers, servicemen, etc., the task can be finding the phone types that are most friendly to such form of auditing. For example where the JTAG pads are accessible. Or where the NAND flash can be connected to in a comfortable(ish) way. The NAND chips are often conforming to the ONFI standard, with defined pinout and behavior. Then the issue will be the filesystem layout on the chip, which block is which. Which is already solved in the problematics of data rescue/recovery from NAND devices.

    If you are an activist or other "undesirable", you can as well volunteer as a "canary"; get a hacktivist/hacker crew behind you that will look after your equipment's "health" and watch for planted parasites, and if found, disclose and dissect them. (Beware though - these tech crews can also be infiltrated. It is always a bet; everything you do can "kill" you, including doing nothing. Maybe have one crew on each side of the border, so they would effectively watch each other too? Balance here the benefits and risks of having more than one person accessing the hardware.) So a group, perhaps even just loosely affiliated, where some play the role of attracting the deployment of secret tools (which can be played by just doing what they want to do anyway), and the others watch for these tools. Essentially a "honeypot" tactics. I suggest the codename "POOHBEAR".

    Let's make the world where the adversary never knows if they are dealing with a powerless victim or a well-prepared honeypot, where every piece of someone else's hardware they interact with has the potential to disclose that they are up to no good. Will not be an absolute cure but has a good chance of making such surveillance attempts more risky and more costly.
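One way to do the "image before, image after, compare" step the comment above describes, as an added example that is not part of the original post: two flash images are represented here as constructed path-to-bytes trees (a hypothetical stand-in for filesystems extracted from real NAND dumps), every file is hashed, and the diff ignores paths that are expected to change between boots so that real additions such as an unexplained new package stand out.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "images": path -> file contents. In practice these would be
# the file trees carved out of the before-trip and after-trip flash dumps.
IMAGE_BEFORE: Dict[str, bytes] = {
    "system/app/Phone.apk": b"phone-app-v1",
    "system/build.prop": b"ro.build.id=ABC123\n",
    "data/app/notes.apk": b"notes-app",
    "data/log/last_kmsg": b"boot 1",
}
IMAGE_AFTER: Dict[str, bytes] = {
    "system/app/Phone.apk": b"phone-app-v1",
    "system/build.prop": b"ro.build.id=ABC123\nro.debuggable=1\n",
    "data/app/DeviceInfo.apk": b"unexpected-payload",  # new, unexplained package
    "data/log/last_kmsg": b"boot 2",                   # expected to differ every boot
}

# Paths that legitimately change between boots; noise in the diff if not skipped.
VOLATILE_PREFIXES: Tuple[str, ...] = ("data/log/", "cache/")


def digest_tree(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file so two images can be compared and stored without raw contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def compare_images(before: Dict[str, bytes], after: Dict[str, bytes],
                   ignore_prefixes: Tuple[str, ...] = VOLATILE_PREFIXES) -> Dict[str, List[str]]:
    """Return added, removed and modified paths, skipping known-volatile locations."""
    old, new = digest_tree(before), digest_tree(after)

    def tracked(path: str) -> bool:
        return not path.startswith(ignore_prefixes)

    added = sorted(p for p in new if p not in old and tracked(p))
    removed = sorted(p for p in old if p not in new and tracked(p))
    modified = sorted(p for p in old if p in new and old[p] != new[p] and tracked(p))
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    for kind, paths in compare_images(IMAGE_BEFORE, IMAGE_AFTER).items():
        for path in paths:
            print(f"{kind:8} {path}")
```

Anything reported as added or modified under system/ or data/app/ that the owner cannot account for is the lead worth handing to whoever is auditing the device.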

  4. I suggest "blue hats".

  5. "Hacking Team insists that its tools are only sold to "democratic" police forces"

    Democratic police forces don't NEED those hacking tools. If you find a democratic police force, please let me know, I'm considering a move.
