Governments have been equipped with app spying malware for years. Recently a sly and powerful Android spyware program was discovered. Citizen Lab uncovered this app spying program, created by Hacking Team. It is a trojan injected into legitimate apps that gives its operators root control over infected devices.
Android App Spying Discovered
Citizen Lab of the University of Toronto focuses on monitoring government surveillance activities. They discovered a fake version of the Arabic news and information app Qatif Today that carries a trojan. They analyzed the app and found that it was created by Hacking Team. Hacking Team is a for-profit group that engineers spyware and sells it to rich governments. Hacking Team has raised app spying to a new level with their crafty malware. It can fully open an Android device to remote spying and is virtually undetectable to users.
Hacking Team designs spyware for governments under its “lawful intercept” program. This malware is of the same type used by the NSA to monitor criminal suspects. But it can also easily be used to monitor any Android user without just cause or due process. Hacking Team is not concerned with the legality of app spying. They merely produce a product in demand by governments around the world. The trojan found in the fake version of Qatif Today is called an Android implant. It hides inside an app that is offered on third-party sites and sources. The APK is designed not to raise eyebrows. It even carries a digital certificate to fool users. This level of app spying can be easily abused.
Android Spying with Root Access
As soon as a user installs the infected app, spying begins with a connection to command and control (C&C) servers. This is basically the same system that sophisticated hackers use. Citizen Lab identified the server addresses as 220.127.116.11 and 18.104.22.168. These IPs have also been linked to other Hacking Team operations. The app spying implant then bypasses the Android sandbox to get root access. It uses the Framaroot vulnerability in the Samsung Exynos chipset of devices running Android version 4.
With root access, the app spying trojan is free to access anything on the Android device. It first goes after data stored by various apps on the device. For most users, this includes messaging apps like Viber, social media apps like Facebook, and VoIP apps like Skype. The app spying trojan then goes for audio, video and image files. It can control these apps as well, including turning on the device microphone. It can also log keystrokes and use a crisis module to prevent analysis of its activities. Other modules allow the app spying trojan to take screenshots, and to track and record locations and browsing activities. The app spying trojan sends all this data to the C&C servers.
Much other app spying malware is capable of doing much of the above. But the app spying trojan found by Citizen Lab is more sophisticated. It has filtering capabilities to collect text and email messages within a designated date range. The app spying trojan also knows when the device connects to WiFi hotspots and carrier networks. And it can control bandwidth and the type of connections used.
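The infection chain described above starts with a connection to the two C&C addresses Citizen Lab named. For a defender, that makes those addresses the simplest indicator to hunt for in egress logs. The following is an added example, not code from the article or from Citizen Lab: it scans a constructed firewall-style connection log (timestamp, source host, destination IP, port, bytes) for contacts with the addresses quoted in the article and summarises, per device, how many connections were made and how much data left. The log format and host names are assumptions made for the example.

```python
"""Added example: flag devices that contacted the C&C addresses the article
attributes to the Hacking Team Android implant, using a constructed log."""
import re
from collections import defaultdict

# The two C&C addresses named in the article (Citizen Lab's attribution).
HACKING_TEAM_C2 = {"220.127.116.11", "18.104.22.168"}

# Constructed sample of a firewall/NetFlow-style export (assumed format):
# timestamp, source host, destination IP, destination port, bytes sent.
# 192.0.2.10 is a documentation (TEST-NET) address standing in for benign traffic.
SAMPLE_LOG = """\
2014-10-20T08:01:12Z phone-a 192.0.2.10 443 1200
2014-10-20T08:02:45Z phone-a 220.127.116.11 443 48211
2014-10-20T08:03:10Z phone-b 18.104.22.168 80 910
2014-10-20T08:03:55Z phone-c 192.0.2.10 443 3100
2014-10-20T08:05:02Z phone-a 220.127.116.11 443 65002
malformed line that should be skipped
"""

# One record per line; anything that does not fit the assumed layout is skipped.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, dst, port, nbytes = m.groups()
    return {"ts": ts, "host": host, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def find_c2_contacts(log_text, iocs=HACKING_TEAM_C2):
    """Return {host: {"hits": n, "bytes": total, "dsts": set}} for every source
    host that contacted one of the indicator addresses."""
    hits = defaultdict(lambda: {"hits": 0, "bytes": 0, "dsts": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in iocs:
            continue
        h = hits[rec["host"]]
        h["hits"] += 1
        h["bytes"] += rec["bytes"]   # bytes sent out: a rough exfiltration volume
        h["dsts"].add(rec["dst"])
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{host}: {info['hits']} connection(s), {info['bytes']} bytes "
              f"to {sorted(info['dsts'])}")
```

The per-host byte total matters as much as the hit count: the article notes the implant ships app data, media and screenshots to the C&C servers, so a device with a few large uploads to one of these addresses is a stronger signal than many tiny ones. Swap `SAMPLE_LOG` for a real export in the same column order to use it against your own logs.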
Government App Spying by Remote
The sophisticated app spying program developed by Hacking Team comes along with a remote control system. This system employs administrators, analysts and technicians to organize the data that is sucked out of the device. The applicable data is then delivered to clients. One of the first steps is to request the specific application that the client wants to use. Hacking Team then melts the Android implant with the app.
Apart from the standard mobile installation or installation via portable disk, the app spying implant can be delivered in many ways. It can create QR codes and U3 USBs that infect devices automatically. It can inject malicious traffic into the network to deliver the spyware, via LAN, WiFi or ISP. Documents can also be used to infect mobiles and desktops. ISO images for bootable disks can also be provided for infecting devices even when they are offline or turned off. Silent installers for desktop and WAP push messages for mobile are also available.
Hacking Team has made app spying very convenient for its clients. They can access filtered data from the devices they have infected in a single click. And they can toggle the tracking of different functions like browsing, contacts and calendar on and off from a dashboard. For advanced app spying, the system can tell the spyware to activate different functions in a predetermined sequence. This way, the client can tell the trojan what to activate when the device does something.