Hackers working for a surveillance company infected hundreds of people with several malicious Android apps that were hosted on the official Google Play Store for months, Motherboard has learned.
In the past, both government hackers and those working for criminal organizations have uploaded malicious apps to the Play Store. This new case once again highlights the limits of Google’s filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years.
Motherboard has also learned of a new kind of Android malware on the Google Play Store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims, as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal.
The spyware apps were discovered and studied in a joint investigation by researchers from Security Without Borders, a non-profit that often investigates threats against dissidents and human rights defenders, and Motherboard. The researchers published a detailed, technical report of their findings on Friday.
“We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded,” the researchers wrote.
Lukas Stefanko, a researcher at security firm ESET, who specializes in Android malware but was not involved in the Security Without Borders research, told Motherboard that it’s alarming, but not surprising, that malware continues to make its way past the Google Play Store’s filters.
“Malware in 2018 and even in 2019 has successfully penetrated Google Play’s security mechanisms. Some improvements are necessary,” Stefanko said in an online chat. “Google is not a security company, maybe they should focus more on that.”
In an apparent attempt to trick targets into installing them, the spyware apps were designed to look like harmless apps for receiving promotions and marketing offers from local Italian cellphone providers, or for improving the device’s performance.
The researchers alerted Google earlier this year to the existence of the apps, which were then taken down. Google told the researchers and Motherboard that it found a total of 25 different versions of the spyware over the last two years, dating back to 2016. Google declined to share the exact number of victims, but said it was below 1,000, and that all of them were in Italy. The company would not provide more information about the targets.
The researchers are calling the malware Exodus, after the name of the command and control servers the apps connected to. A person familiar with the malware’s development confirmed to Motherboard that this was its internal name.
Exodus was programmed to act in two stages. In the first stage, the spyware installs itself and only checks the phone number and its IMEI—the device’s unique identifying number—presumably to determine whether the phone was an intended target. For that apparent purpose, the malware has a function called “CheckValidTarget.”
But, in fact, the spyware does not appear to perform this check properly, according to the researchers. This matters because there are currently some legally permissible uses of narrowly targeted malware—for example, with a court order, law enforcement can legally hack devices in many countries.
In a test done on a burner phone, the researchers saw that after running the check, the malware downloaded a ZIP file to install the actual malware, which hacks the phone and steals data from it.
“This suggests that the operators of the Command & Control are not enforcing a proper validation of the targets,” Security Without Borders concluded in the report. “Additionally, during a period of several days, our infected test devices were never remotely disinfected by the operators.”
At that point, the malware has access to most of the sensitive data on the infected phone, such as audio recordings of the phone’s surroundings, phone calls, browsing history, calendar information, geolocation, Facebook Messenger logs, WhatsApp chats, and text messages, among other data, according to the researchers.
The spyware also opens a port and a shell on the device, which allows the operators to send commands to the infected phone. According to the researchers, this shell is not programmed to use encryption, and the port is open to anyone on the same Wi-Fi network as the target. This means that anyone in the vicinity could hack the infected device, according to the researchers.
“This inevitably leaves the device open not only for further compromise but for data tampering as well,” the researchers wrote.
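A listener bound to every interface is the condition the researchers describe above. The following added example (not from the report or the article) parses a constructed `/proc/net/tcp` excerpt the way a responder would when triaging a handset, and flags listening sockets that are not restricted to loopback; the ports, UIDs and inodes are placeholders.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt (not captured from a real infected device):
# a loopback-only listener, a listener bound to every interface owned by an app UID
# (Android app UIDs start at 10000), and an ordinary outbound connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12001 1 0000000000000000 100 0 0 10 0
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12002 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:B6F4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 12003 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code used by the kernel for LISTEN


def _decode_addr(hex_addr):
    """Turn the kernel's 'HEXIP:HEXPORT' field into ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The IPv4 address is printed in host (little-endian) byte order; flip it back.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return every TCP socket in LISTEN state with its bind address, port, uid and inode."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": fields[9]})
    return found


def exposed_listeners(proc_net_tcp):
    """Listeners reachable from the network, i.e. not bound to the loopback range."""
    return [s for s in listening_sockets(proc_net_tcp) if not s["ip"].startswith("127.")]


if __name__ == "__main__":
    for sock in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener uid={sock['uid']} {sock['ip']}:{sock['port']} inode={sock['inode']}")
```

Feed it the contents of `/proc/net/tcp` read from an `adb shell`; a listener owned by an app UID and bound to 0.0.0.0 is the pattern to follow up on, mapping the inode back to the owning process.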
A second, independent analysis by Trail of Bits, a New York-based cybersecurity company that looked into the malware for Motherboard, confirmed that the malware samples all connect to the servers of one company, that the IP addresses identified by Security Without Borders are all connected, and that the malware leaves the target device more vulnerable to hacking.
WHO IS BEHIND THE SPYWARE?
All the evidence collected by Security Without Borders in its investigation indicates the malware was developed by eSurv, an Italian company based in the southern city of Catanzaro, in the Calabria region.
The first hint that the authors of the malware were Italian came from two strings inside the malware code: “mundizza,” and “RINO GATTUSO.” Mundizza is a dialectal word from the southern region of Calabria that loosely translates to garbage. Rino Gattuso is a famous retired Italian footballer from Calabria.
The real smoking gun, however, is the command and control server used in several of the apps found on the Play Store to send the data back to the malware operators.
The server, according to the researchers, shares a TLS web encryption certificate with other servers that belong to eSurv’s surveillance camera service, which is the company’s main public business. Some of the servers identified by the researchers also display eSurv’s logo as their favicon, the icon shown in a browser tab next to the site’s address.
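The pivot the researchers describe, from one command and control host to other hosts that serve the same TLS certificate or the same favicon, can be expressed as a small clustering step over passive-scan data. This added example is not from the report; every hostname, certificate fingerprint and favicon byte string in it is a constructed placeholder, not real eSurv or Exodus infrastructure.

```python
import hashlib

# Constructed passive-scan records: host, SHA-256 fingerprint of the TLS certificate it
# served, and the raw favicon bytes it returned (None when no favicon was served).
SCAN_RECORDS = [
    {"host": "c2-1.example.invalid",   "cert_sha256": "a1" * 32, "favicon": b"ICON-VENDOR"},
    {"host": "c2-2.example.invalid",   "cert_sha256": "a1" * 32, "favicon": b"ICON-VENDOR"},
    {"host": "cams.vendor.invalid",    "cert_sha256": "a1" * 32, "favicon": b"ICON-VENDOR"},
    {"host": "portal.vendor.invalid",  "cert_sha256": "b2" * 32, "favicon": b"ICON-VENDOR"},
    {"host": "unrelated.invalid",      "cert_sha256": "c3" * 32, "favicon": b"ICON-OTHER"},
    {"host": "noicon.vendor.invalid",  "cert_sha256": "a1" * 32, "favicon": None},
]


def favicon_hash(data):
    """Hash the favicon bytes so identical icons compare equal; None if none served."""
    return hashlib.sha256(data).hexdigest() if data else None


def pivot(seed_host, records):
    """Map each host linked to seed_host to the list of signals that link them.

    A host is related if it serves the same certificate fingerprint, the same favicon,
    or both. Hosts sharing neither signal are left out of the result.
    """
    by_host = {r["host"]: r for r in records}
    seed = by_host[seed_host]
    seed_icon = favicon_hash(seed["favicon"])
    related = {}
    for rec in records:
        if rec["host"] == seed_host:
            continue
        signals = []
        if rec["cert_sha256"] == seed["cert_sha256"]:
            signals.append("shared_tls_cert")
        if seed_icon is not None and favicon_hash(rec["favicon"]) == seed_icon:
            signals.append("shared_favicon")
        if signals:
            related[rec["host"]] = signals
    return related


if __name__ == "__main__":
    for host, signals in sorted(pivot("c2-1.example.invalid", SCAN_RECORDS).items()):
        print(f"{host:28s} {', '.join(signals)}")
```

A host linked by both signals is a stronger lead than one linked by the favicon alone, since a favicon can be copied while a private key usually stays with its owner.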