Italy's 'Hacking Team' spy Trojan targeting Android and iOS devices, researchers discover

Now musters 326 servers in 20 countries

Italy's infamous and dubious hackers-for-hire Hacking Team (or HackingTeam) have set up a worldwide command and control network comprising several hundred servers and expanded into Android and iOS surveillance, a study by Kaspersky Lab and the University of Toronto's Citizen Lab has revealed.

The collaboration is just one of a handful that have attempted to keep tabs on one of the oddest organisations in the entire world of malware. Conventionally speaking Hacking Team fits the bill of a professional malware gang except that what these guys work for numerous governments and are considered by police forces to be paid white hats.

Along with similar organisations such as Britain's Gamma International, they are seen as having commercialised the market for 'legitimate' state spying. The controversy follows not far behind; what is legal and justifiable in one country might be viewed as the road to a police state in another.

The researchers discovered that the command and control servers for the group's 'DaVinci' Remote Control System (RCS) now comprises at least 326 servers across 40 countries. Top of the list is the US with 64 servers, followed by Kazakhstan with 49, Ecuador with 35, the UK with 32, Canada with 24, China with 15 and Colombia with 12; the rest of the list is made up of a number of countries with usually only one server each.

Make of that list what you will. Normally, where C&C servers are sited doesn't mean a whole lot except that Hacking Team works for states and police forces that for legal reasons might be keen to keep their surveillance caches on-shore. This implies but does not prove that some of these countries work with the group monitoring their own citizens for purposes unknown.

More significant perhaps is that the researchers have discovered more about Hacking Team's mobile campaigns mobile platforms such as Android and iOS.

The iOS Trojan is the blunter surveillance tool because it only works on jailbroken devices, a small minority globally but probably more common among the sort of dissident targets that the group wants to watch. The researchers also found evidence that attackers might try and jailbreak or root the device remotely.

The status of the Android equivalent remains less certain but both appear to infect mobile devices via a Mac or Windows PC to which they are connected. The mobile Trojans would give the group the ability to monitor not only the target's communications but their location, something that underlines the importance of penetrating these platforms.

"The new data we are publishing on Hacking Team's RCS is extremely important because it shows the level of sophistication and scale of these surveillance tools," said Kaspersky Lab principal security researcher, Sergey Golovanov in a blog.

A detailed breakdown of the findings is available on the University of Toronto website here and here.

Regardless off the legality and ethics of Hacking Team's business, security firms classify the Trojans as malware; Mac security firm Intego, for instance, uses the name OSX/Crisis for the DaVinci spyware.

Tags Personal TechCitizen LabHacking TeamGamma International

Show Comments