
Android spyware detected in the wild being used against government

Researchers discover Italian-sourced Android spyware linked to Hacking Team, but it could be the work of another surveillance software vendor.

Acting on a piece of malware provided by a victim, researchers discovered a new type of Android spyware capable of recording audio and video, turning GPS on or off, and stealing or modifying data on the phone.

While the researchers at first believed the malware originated from Hacking Team, the notorious Italian surveillance software vendor, the new Android spyware may instead come from another Italian company that sells spyware to government agencies.

"There really isn't much going on outside of the run-of-the-mill, boring, commercial spyware junk," according to researchers at RedNaga LLC, a security firm based in Oakland, Calif. They said the suspicious software appeared to be "an app requesting almost every permission possible, claims to be an Android update and purports to have something to do with Vodafone APNs [access point names]."

RedNaga researcher Tim Strazzere wrote that he suspected Hacking Team was the source of the spyware, citing two IP addresses that had previously been linked to Hacking Team, as well as the use of Italian in the malware code. However, Motherboard reported the source was more likely Raxir SRL, an intelligence software startup in Naples, Italy, in large part because Raxir is the organization named in the digital certificate used by the malware's command-and-control server.

RedNaga wrote the Android spyware "has the normal abilities of most spyware," including code to remove its own icon from the launcher after the first run, persistence on the victim device, the ability to go silent while the victim is actively using the device, surreptitious audio and video recording, and execution of further exploits downloaded over the command-and-control channel. The spyware also requests virtually every permission available, giving the attacker access to call logs, contacts, network connections, messaging and more.
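The capabilities listed above translate into concrete indicators an analyst can check during static triage of an APK: the permission set in the manifest, a boot receiver for persistence, a label that impersonates a system update, and runtime APIs for hiding the launcher entry, recording, checking screen state and loading code fetched from the network. The script below is an added example, not RedNaga's code or the sample they analysed; the manifest and smali fragments are constructed to mirror the behaviour described in the article, and the permission threshold, the API-name list and the screen-state heuristic for "going silent" are the editor's assumptions.

```python
"""Static triage of an Android manifest and decompiled code for spyware indicators.

Added example, not from the article or RedNaga. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together map to the capabilities the article describes.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video/photo capture",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.READ_CALL_LOG": "call-log theft",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.READ_SMS": "message theft",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
    "android.permission.INTERNET": "command-and-control channel",
}

# Runtime APIs worth grepping for in decompiled (smali/Java) output. The
# mapping to behaviours is an assumption for illustration, not a signature.
RUNTIME_INDICATORS = {
    "setComponentEnabledSetting": "disables its own launcher entry (icon hiding)",
    "MediaRecorder": "audio/video recording",
    "DexClassLoader": "loads code fetched at runtime (payloads from C2)",
    "isScreenOn": "checks screen state (go quiet while the user is active)",
}

# Constructed manifest imitating a fake "Android Update" app that asks for
# far more than a legitimate updater would need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Android Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed smali lines of the kind baksmali would emit for such an app.
SAMPLE_SMALI = """
invoke-virtual {v0, v1, v2, v3}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
new-instance v4, Landroid/media/MediaRecorder;
new-instance v5, Ldalvik/system/DexClassLoader;
invoke-virtual {v6}, Landroid/os/PowerManager;->isScreenOn()Z
"""


def triage_manifest(xml_text: str, max_permissions: int = 10) -> dict:
    """Return the package name, permission count and a list of findings."""
    root = ET.fromstring(xml_text)
    perms = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    findings = [SENSITIVE[p] for p in perms if p in SENSITIVE]
    if len(perms) > max_permissions:
        findings.append(f"requests {len(perms)} permissions (threshold {max_permissions})")
    # A receiver on BOOT_COMPLETED restarts the app after reboot: persistence.
    for action in root.iter("action"):
        if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
            findings.append("boot receiver (persistence)")
    # Label posing as a system update, as the sample in the article did.
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    if "update" in label.lower():
        findings.append(f"label impersonates a system update: {label!r}")
    return {"package": root.get("package"), "permission_count": len(perms), "findings": findings}


def runtime_indicators(code: str) -> list:
    """Grep decompiled code for the runtime behaviours that a manifest cannot show."""
    return [desc for key, desc in RUNTIME_INDICATORS.items() if key in code]


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"] + runtime_indicators(SAMPLE_SMALI):
        print("-", line)
```

Icon hiding and screen-state checks never appear in the manifest, which is why the second function scans decompiled output; the permission count alone is a weak signal, so treat the threshold as a prompt for manual review rather than a verdict.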

While the RedNaga researchers received the malware sample from a targeted victim employed by an unnamed government, who asked to remain anonymous, they also found evidence that the spyware has been used elsewhere.

"While we cannot release these files due to an agreement with our contact and an ongoing criminal investigation, we have been able to find several similar files in the wild through other public feeds, which closely resemble the sample we were provided. The functionality hardly changes between versions, and the obfuscation is the same. Since these other samples are already publicly available, we feel comfortable talking about this threat."

Hacking Team last year suffered a major data breach in which attackers released a 400 GB trove of data that included internal documents, source code and zero-day exploits that the company used to deliver its surveillance software. The breach shed light on how government agencies from numerous countries, including the United States, had purchased spyware and digital surveillance tools from Hacking Team.
