Android and iOS mobile trojans, likely used to surveil journalists, politicians, activists and human rights advocates through their mobile devices, have been discovered circulating in the wild.
Kaspersky Lab has linked the malware back to HackingTeam, together with extensive mapping of the HackingTeam command-and-control centers around the world.
The mobile trojans are designed to operate discreetly, for instance monitoring a mobile device’s battery life so as not to drain it visibly and arouse suspicion. Then, when the victim connects to a particular Wi-Fi network or plugs the device in to charge, the trojan springs to life, unbeknownst to the user.
Kaspersky said that the trojans are capable of performing a variety of surveillance functions, including intercepting phone calls and SMS messages, as well as chat messages sent from specific applications such as Viber, WhatsApp and Skype. They can also report the target’s location, take photos, copy events from the device’s calendar and more.
These mobile trojans are part of the allegedly ‘legal’ spyware tool, Remote Control System (RCS), aka Galileo. The mapping shows the presence of more than 320 RCS command & control servers in 40+ countries. The majority of the servers were found in the US, Kazakhstan, Ecuador, the UK and Canada.
“The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies,” said Sergey Golovanov, principal security researcher at Kaspersky Lab, in a statement. “However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”
The operators behind the Galileo RCS build a specific malicious implant for each individual target. Once the sample is ready, the attacker delivers it to the victim’s mobile device. Some of the known infection vectors include spearphishing via social engineering – often coupled with exploits, including zero-days – and local infection via USB cable while synchronizing mobile devices.
One of the major discoveries has been learning precisely how a Galileo RCS mobile trojan infects an iPhone, which first requires the device to be jailbroken. However, non-jailbroken iPhones can become vulnerable too, because an attacker can run a jailbreaking tool like ‘Evasi0n’ from a previously infected computer to conduct a remote jailbreak, followed by the infection. To reduce the risk of infection, Kaspersky Lab recommends that people refrain from jailbreaking their iPhones and keep the device’s iOS updated to the latest version.