Police turning to mobile malware for monitoring, study says

The U.S. has the most command-and-control servers for a product made by Italy's Hacking Team

The Remote Control System, from an Italian security company called Hacking Team, is designed in part to help law enforcement and governments monitor the mobile devices of targets.

The Remote Control System, from an Italian security company called Hacking Team, is designed in part to help law enforcement and governments monitor the mobile devices of targets.

Governments are increasingly using spyware for mobile devices to monitor targets, raising questions over the possible misuse of such tools, a new study suggests.

The Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, and Kaspersky Lab both published analyses on Tuesday of a surveillance product called Remote Control System (RCS) from Hacking Team in Italy.

Hacking Team is one of a handful of companies, including the Gamma Group, specializing in what are essentially malicious software programs designed to intercept data but intended for governments and law enforcement.

The Citizen Lab has long expressed concern in other published research over the use of the tools by governments, which it has concluded have been employed to suppress speech and monitor political opponents in the past.

Over time, the cost of the spying toolkits has fallen and they are now within reach of nearly all governments, the Citizen Lab said in its writeup.

"By dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats for those with access to Hacking Team and Gamma Group toolkits," the group wrote.

The latest research looks into the exploitation techniques for an Android component of RCS and the command-and-control infrastructure behind it.

The Citizen Lab identified a suspicious Android APK (application installation package) that was a functional copy of the news application "Qatif Today" intended for people in Saudi Arabia. A version of it had been modified to also deliver a payload created by Hacking Team.

A link to what appeared to the malicious APK was tweeted, which led to a Dropbox file that is now gone, The Citizen Lab wrote. If installed, the Hacking Team module requests permissions such as reading and writing SMSes, monitoring GPS location and the ability to process calls.

The Citizen Lab found other Android Hacking Team Android implants that tried to access local stores of chats in applications such as Facebook, Viber, Skype, Line and QQ.

A source leaked to The Citizen Lab a group of documents that describes how the RCS works, giving the research group broad insight into how tracking targets works. The group cautioned the documents have not been verified, but the information did not contradict its own RCS research.

Kaspersky Lab wrote on its blog that it uncovered "a huge infrastructure that is used to control the RCS malware implants."

Kaspersky scanned the entire IPV4 Internet address space, using a special "fingerprinting" method it developed that can identify RCS command-and-control servers.

It found 64 RCS command-and-control servers in the U.S., the most of any country, followed by 49 in Kazakhstan, 35 in Ecuador and 24 in the U.K. Other countries with double-digit numbers of control servers included Canada, China and Colombia.

Some of the IP addresses connected with those servers appeared to be government owned, Kaspersky said. It's unlikely law enforcement agencies would locate those command servers in other countries "in order to avoid cross-border legal problems and the seizure of servers," the company wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securitymobile securitymobileHacking Teammalware

More about Citizen Watches AustraliaDropboxFacebookKasperskyKasperskySkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place