HackingTeam mobile, PC spyware for governments spans many countries

Researchers say controversial HackingTeam malware can control iPhone and Android devices and is supported by several hundred servers in more than 40 countries.

Newly released research has uncovered several hundred command-and-control servers across more than 40 countries powering controversial spyware sold to governments and law enforcement.

In addition, researchers found that the legal malware of Italian company HackingTeam is capable of spying on, and stealing data from, users of Android and Apple iOS devices. While suspected, such capabilities had not been proven previously.

[The process and tools behind a true APT campaign: Command & Control]

Research teams from anti-virus vendor Kaspersky Lab and Citizen Lab, based at the Munk Centre for International Studies in the University of Toronto, presented their findings Tuesday at an event in London. The teams had collaborated on the research.

The researchers identified a total of 326 C&C servers, with the largest number in the U.S., Kazakhstan and Ecuador. Who was behind the servers and whether they were being used in the countries where they were located was not known.

"Unfortunately, we can’t be sure that the servers in a certain country are used by that specific country’s LEAs (law enforcement agencies)," Kaspersky experts said on the company's Securelist blog. "However, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers."

The newly discovered mobile version of HackingTeam's Remote Control System (RCS) malware was capable of infecting Android phones and jailbroken Apple iPhones.

To infect pristine iPhones, a personal computer would first have to be infected with malware that would first run a jailbreaking tool, such as Evasi0n, when the phone is synchronized with the PC. Malware would be planted after the phone is jailbroken.

The mobile malware, versions of which had already been discovered for Windows Mobile and BlackBerry, is capable of recording voice from phone calls and the microphone. It can also take pictures, copy the address book and calendar and capture email and messages sent via Skype, WhatsApp and Viber.

The Android version could also hijack Facebook, Google Talk and Tencent applications. The latter is a Chinese Internet company that provides social networks and other services.

HackingTeam's malware has been used by governments to gather information and to spy on criminals, political activists and journalists.

HackingTeam says on its website that the RCS toolkit is targeted at "law enforcement and intelligence communities." However, there is nothing preventing cybercriminals from finding a way to get a hold of the malware and targeting companies.

"This malware can be repurposed and used against the 'good guys,'" Sergey Golovanov, principal security researcher for Kaspersky Lab, said.

Companies are advised to scan PCs and Macs with anti-virus products capable of finding RCS malware. If the malware is found, then companies should also check mobile devices, which could have been infected when connected to one of the compromised systems.

[Google clarifies commercial spyware ban for Play store]

"Unfortunately there is no way to guarantee 100 percent detection of malware in iOS, Blackberry or Windows Mobile phones," Golovanov said.

Therefore, companies should watch for other indicators that malware is running, such as unusually low battery life and high network traffic.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)