TheSamaritan Publish time 27-6-2014 06:30 PM


Kaspersky Lab discovers new Android and iOS mobile malware; maps HackingTeam’s command and control servers

Today, Kaspersky Lab published a new research report mapping a massive international infrastructure used to control ‘Remote Control System’ (RCS) malware implants, and identifying previously undiscovered mobile Trojans that work on both Android and iOS. These modules are part of the so-called ‘legal’ spyware tool, RCS, aka Galileo, developed by the Italian company HackingTeam.

The list of victims indicated in the new research, conducted by Kaspersky Lab together with its partner Citizen Lab, includes activists and human rights advocates, as well as journalists and politicians.

RCS infrastructure
Kaspersky Lab has been working on different security approaches to locate Galileo’s command and control (C&C) servers around the globe. For the identification process, Kaspersky Lab experts relied on special indicators and connectivity data obtained by reverse engineering existing samples.

During the latest analysis, Kaspersky Lab’s researchers were able to map the presence of more than 320 RCS C&C servers in 40+ countries. The majority of the servers were based in the United States, Kazakhstan, Ecuador, the UK and Canada.

Commenting on the latest findings, Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, said: “The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”

RCS mobile implants
Although in the past it had been known that HackingTeam’s mobile Trojans for iOS and Android existed, nobody had actually identified them before – or noticed them being used in attacks. Kaspersky Lab’s experts have been researching the RCS malware for a couple of years now. Earlier this year they were able to identify certain samples of mobile modules that matched the other RCS malware configuration profiles in their collection. During the recent research, new variants of samples were also received from victims through the Kaspersky Lab cloud-based KSN network. In addition, the company’s experts worked closely with Morgan Marquis-Boire from Citizen Lab, who has been researching the HackingTeam malware set extensively.

Infection vectors: The operators behind the Galileo RCS build a specific malicious implant for every concrete target. Once the sample is ready, the attacker delivers it to the mobile device of the victim. Some of the known infection vectors include spearphishing via social engineering – often coupled with exploits, including zero-days; and local infections via USB cables while synchronizing mobile devices.

One of the major discoveries has been learning precisely how a Galileo mobile Trojan infects an iPhone: to do so the device needs to be jailbroken. However, non-jailbroken iPhones can become vulnerable too: an attacker can run a jailbreaking tool like ‘Evasi0n’ via a previously infected computer and conduct a remote jailbreak, followed by the infection. To avoid infection risks, Kaspersky Lab’s experts recommend that you first of all don’t jailbreak your iPhone, and secondly also constantly update the iOS on your device to the latest version.

Customized Spying: The RCS mobile modules are meticulously designed to operate in a discreet manner, for instance by paying close attention to the mobile device’s battery life. This is implemented through carefully customized spying capabilities, or special triggers: for example, an audio recording may start only when a victim is connected to a particular Wi-Fi network (for example, the network of a media house), or when he/she changes the SIM card, or while the device is charging.

In general, the RCS mobile Trojans are capable of performing many different kinds of surveillance functions, including reporting the target’s location, taking photos, copying events from the calendar, registering new SIM cards inserted in the infected device, and interception of phone calls and messages; these include messages sent from specific applications such as Viber, WhatsApp, and Skype, in addition to regular SMS texts.

Detection: Kaspersky Lab products detect the RCS/DaVinci/Galileo spyware tools as: Backdoor.Win32.Korablin, Backdoor.Win64.Korablin, Backdoor.Multi.Korablin, Rootkit.Win32.Korablin, Rootkit.Win64.Korablin, Rootkit.OSX.Morcut, Trojan.OSX.Morcut, Trojan.Multi.Korablin, Trojan.Win32.Agent, Trojan-Dropper.Win32.Korablin, Trojan-PSW.Win32.Agent, Trojan-Spy.AndroidOS.Mekir and Backdoor.AndroidOS.Criag.
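The detection names above follow Kaspersky's Behaviour.Platform.Family[.Variant] verdict format. As an added example (not Kaspersky Lab's or HackingTeam's code), the script below parses the names exactly as quoted in the post and groups the malware families by operating system, which is how an analyst would turn the list into a per-platform triage checklist. The PLATFORM_OS mapping and the hypothetical `.abc` variant suffix used in the comments are my assumptions, not something the post states.

```python
# Added example, not code from Kaspersky Lab or the press release.
# Parses Kaspersky-style verdicts (Behaviour.Platform.Family[.Variant]) and
# groups the RCS/Galileo families quoted in the post by operating system.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Detection names exactly as quoted in the press release.
RCS_DETECTION_NAMES = [
    "Backdoor.Win32.Korablin", "Backdoor.Win64.Korablin", "Backdoor.Multi.Korablin",
    "Rootkit.Win32.Korablin", "Rootkit.Win64.Korablin", "Rootkit.OSX.Morcut",
    "Trojan.OSX.Morcut", "Trojan.Multi.Korablin", "Trojan.Win32.Agent",
    "Trojan-Dropper.Win32.Korablin", "Trojan-PSW.Win32.Agent",
    "Trojan-Spy.AndroidOS.Mekir", "Backdoor.AndroidOS.Criag",
]

# Assumed mapping from Kaspersky platform tokens to the OS an analyst cares about.
PLATFORM_OS = {
    "Win32": "Windows", "Win64": "Windows", "OSX": "macOS",
    "AndroidOS": "Android", "IphoneOS": "iOS", "Multi": "multi-platform",
}

# Behaviour may carry a hyphenated sub-type (Trojan-Spy, Trojan-Dropper);
# the trailing variant (e.g. a hypothetical ".abc") is optional.
VERDICT_RE = re.compile(
    r"^(?P<behaviour>[A-Za-z]+(?:-[A-Za-z]+)?)"
    r"\.(?P<platform>[A-Za-z0-9]+)"
    r"\.(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?$"
)


@dataclass(frozen=True)
class Verdict:
    behaviour: str
    platform: str
    family: str
    variant: Optional[str] = None


def parse_verdict(name: str) -> Verdict:
    """Split one verdict string into its components; reject malformed names."""
    m = VERDICT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Behaviour.Platform.Family verdict: {name!r}")
    return Verdict(m["behaviour"], m["platform"], m["family"], m["variant"])


def group_by_os(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each OS to the sorted set of malware families detected on it."""
    families = defaultdict(set)
    for name in names:
        v = parse_verdict(name)
        os_name = PLATFORM_OS.get(v.platform, f"unknown:{v.platform}")
        families[os_name].add(v.family)
    return {os_name: sorted(fams) for os_name, fams in families.items()}


def behaviours_for_family(names: Iterable[str], family: str) -> List[str]:
    """List the distinct behaviour tags a family has been classified under."""
    return sorted({v.behaviour for v in map(parse_verdict, names) if v.family == family})


if __name__ == "__main__":
    for os_name, fams in sorted(group_by_os(RCS_DETECTION_NAMES).items()):
        print(f"{os_name:15} {', '.join(fams)}")
    print("Korablin behaviours:", behaviours_for_family(RCS_DETECTION_NAMES, "Korablin"))
```

One thing the grouping makes visible: the list as quoted contains Windows, macOS, multi-platform and Android verdicts but no IphoneOS entry, so an analyst should not expect an iOS infection to surface under one of these exact names and should rely on the indicators and infrastructure data the research describes rather than on this list alone.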