HackingTeam mobile, PC spyware for governments spans many countries

Newly released research has uncovered several hundred command-and-control servers across more than 40 countries powering controversial spyware sold to governments and law enforcement.

In addition, researchers found that the legal malware of Italian company HackingTeam is capable of spying on, and stealing data from, users of Android and Apple iOS devices. While suspected, such capabilities had not been proven previously.


Research teams from anti-virus vendor Kaspersky Lab and Citizen Lab, based at the Munk Centre for International Studies in the University of Toronto, presented their findings Tuesday at an event in London. The teams had collaborated on the research.

The researchers identified a total of 326 C&C servers, with the largest number in the U.S., Kazakhstan and Ecuador. Who was behind the servers and whether they were being used in the countries where they were located was not known.

"Unfortunately, we can't be sure that the servers in a certain country are used by that specific country's LEAs (law enforcement agencies)," Kaspersky experts said on the company's Securelist blog. "However, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers."

The newly discovered mobile version of HackingTeam's Remote Control System (RCS) malware was capable of infecting Android phones and jailbroken Apple iPhones.

To infect an iPhone that has not been jailbroken, a personal computer would first have to be compromised with malware that runs a jailbreaking tool, such as Evasi0n, when the phone is synchronized with the PC. The spyware would then be planted on the newly jailbroken phone.

The mobile malware, versions of which had already been discovered for Windows Mobile and BlackBerry, is capable of recording voice from phone calls and the microphone. It can also take pictures, copy the address book and calendar and capture email and messages sent via Skype, WhatsApp and Viber.

The Android version could also hijack Facebook, Google Talk and Tencent applications. The latter is a Chinese Internet company that provides social networks and other services.

HackingTeam's malware has been used by governments to gather information and to spy on criminals, political activists and journalists.

HackingTeam says on its website that the RCS toolkit is targeted at "law enforcement and intelligence communities." However, there is nothing preventing cybercriminals from finding a way to get a hold of the malware and targeting companies.

"This malware can be repurposed and used against the 'good guys,'" Sergey Golovanov, principal security researcher for Kaspersky Lab, said.

Companies are advised to scan PCs and Macs with anti-virus products capable of finding RCS malware. If the malware is found, then companies should also check mobile devices, which could have been infected when connected to one of the compromised systems.


"Unfortunately there is no way to guarantee 100 percent detection of malware in iOS, Blackberry or Windows Mobile phones," Golovanov said.

Therefore, companies should watch for other indicators that malware is running, such as unusually low battery life and high network traffic.
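The article's advice to watch for unusually high network traffic can be turned into a simple per-device baseline check. The following is an added example, not code from the article or from Kaspersky Lab or Citizen Lab; the log format, device names and byte counts are constructed for illustration, and the z-score threshold is an assumption a defender would tune to their own fleet.

```python
"""Flag devices whose latest outbound traffic volume is anomalously high
relative to their own history. Added example; the records below are
constructed, not real telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte counts per device (hypothetical names),
# in the shape an MDM or flow-summary export might produce: date device bytes
SAMPLE_LOG = """\
2014-06-20 phone-alice 41200000
2014-06-21 phone-alice 39800000
2014-06-22 phone-alice 43500000
2014-06-23 phone-alice 40100000
2014-06-24 phone-alice 187300000
2014-06-20 phone-bob 12000000
2014-06-21 phone-bob 11500000
2014-06-22 phone-bob 12800000
2014-06-23 phone-bob 11900000
2014-06-24 phone-bob 12200000
"""


def parse_log(text):
    """Return {device: [(date, bytes), ...]} in log order, skipping blanks/comments."""
    series = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, device, nbytes = line.split()
        series[device].append((date, int(nbytes)))
    return series


def find_traffic_anomalies(series, z_threshold=3.0, min_baseline=3):
    """Build each device's baseline from every day except the latest and flag
    the latest day when it exceeds mean + z_threshold * stdev.

    Returns {device: (date, bytes, z_score)} for flagged devices only.
    """
    flagged = {}
    for device, points in series.items():
        if len(points) < min_baseline + 1:
            continue  # too little history to judge this device
        baseline = [b for _, b in points[:-1]]
        latest_date, latest_bytes = points[-1]
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            # Perfectly flat history: any increase stands out, but avoid
            # dividing by zero.
            z = float("inf") if latest_bytes > mu else 0.0
        else:
            z = (latest_bytes - mu) / sigma
        if z > z_threshold:
            flagged[device] = (latest_date, latest_bytes, round(z, 2))
    return flagged


if __name__ == "__main__":
    for device, (date, nbytes, z) in find_traffic_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{device}: {nbytes} bytes on {date} (z={z}) exceeds baseline; check the device")
```

A spike like this is only an indicator, as the article says: a large OS update or a video upload will trigger it too, so the flagged device is a candidate for the anti-virus and mobile checks described above rather than a confirmed infection.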
