Kaspersky Lab uncovers new Android and iOS spying tools
Security company Kaspersky Lab has published a new report uncovering previously undiscovered Remote Control System (RCS) Trojans that work on both Android and iOS. It's also mapped their massive international command and control network.
The Trojans are part of the allegedly 'legal' spyware tool, RCS, also known as Galileo, developed by the Italian company, HackingTeam. Kaspersky's researchers were able to map the presence of more than 320 RCS command and control servers in over 40 countries. The majority of the servers being found in the United States, Kazakhstan, Ecuador, the United Kingdom and Canada.
It's been suspected for some time that HackingTeam's mobile Trojans for iOS and Android existed. Until now though nobody has actually identified them or noticed them being used in attacks. The list of victims identified by Kaspersky includes activists and human rights advocates, as well as journalists and politicians.
The malware is delivered using spear phishing via social engineering -- often coupled with exploits, including zero-days -- and local infections via USB cables while synchronizing mobile devices. The RCS modules are sophisticated and designed to work in a discreet way. They use carefully customized spying capabilities, or special triggers. For example, an audio recording may start only when a victim is connected to a particular Wi-Fi network, or when that person changes the SIM card, or while the device is recharging its battery.
The RCS mobile Trojans are capable of performing a variety of surveillance functions, including reporting the target's location, taking photos, copying events from the device's calendar, and registering new SIM cards inserted in the infected device. They can also intercept phone calls and SMS messages, including chat messages sent from specific applications such as Viber, WhatsApp and Skype.
For RCS to infect an iPhone it needs to be jailbroken, but Kaspersky warns that non-jailbroken iPhones can become vulnerable too. An attacker can run a jailbreaking tool like 'Evasi0n' via a previously infected computer and conduct a remote jailbreak, followed by the infection.
Sergey Golovanov, Principal Security Researcher at Kaspersky Lab says, "The presence of these servers in a given country doesn't mean to say they are used by that particular country's law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control -- where there are minimal risks of cross-border legal issues or server seizures".
You can read more on the threat and how it was uncovered on Kaspersky's SecureList blog.