The Hacking Team, RCS, Qatif Today, and Lawful Interception Malware

22473494_sIs malware still malware if it’s used by legal authorities to track down criminals? How about when it’s used by governmental agencies to monitor citizens’ computers and keep an eye on political dissent? Is it malware if it’s sold by a legitimate software development company and marketed strictly for use in instances of lawful interception? What if there are currently no clear-cut, legal guidelines to determine exactly what lawful interception is? New research from University of Toronto’s Citizen Lab begs all of these questions, and reveals that present-day Internet activity monitoring technology is much more comprehensive, affordable, and user-friendly than any Big-Brother-fearing netizen had ever feared or thought.

They Call Themselves The Hacking Team

And they have a website, too. The Hacking Team is a legitimate software development company based in Italy that makes a product called RCS – Remote Control System. RCS is a full blown computer and mobile device monitoring kit, capable of infecting, controlling, monitoring, and exfiltrating data from a target device. How is this legal? Well, it is legal mostly because it is unprecedented (at least in the commercial sector) – and also because The Hacking Team enforces a strict user policy:

We will refuse to provide or we will stop supporting our technologies to governments or government agencies that:

  • We believe have used HT technology to facilitate gross human rights abuses.
  • Who refuse to agree to or comply with provisions in our contracts that describe intended use of HT software, or who refuse to sign contracts that include requirements that HT software be used lawfully.
  • Who refuse to accept auditing features built into HT software that allow administrators to monitor how the system is being used.

However – and this is a big however – recent research from academics at Citizen Lab has revealed that The Hacking Team’s technology may be being used by the Saudi Arabian government to monitor and suppress political activists who utilize social media to voice their dissent. Of course, there is really no way of ever proving this, as one of RCS’s most potent capabilities is a remote wipe module that allows users to permanently remove the application from an infected device and leave no trace – more on this later – but the evidence presented by Citizen Lab is strong; and, even if it is circumstantial it raises important questions that the future of Internet Security must ask.

A News App Called Qatif Today

Saudi Arabia has long been in the cross hairs of human rights activists. Long story short: they have a reputation for controlling the way their citizens access and use the Internet. Since most people enjoy freedom, this control, combined with numerous other injustices Citizen Lab outlines in part one of their latest post, has caused not a small amount of political dissent amongst Saudi Arabian citizens. Ironically, this has also made the Internet prime territory for dissenters – as in any country with limited free speech, protesting in the streets is a good way to get fire-hosed, thrown in jail, or, sadly, even shot. In this latest development, Citizen Lab found that someone posted a news app called Qatif Today on a third party app market and in a Twitter post. Research revealed that instead of a mobile app that provided news stories relevant to the eastern Saudi Arabian province, this Qatif Today was actually a Trojan that contained technology strikingly similar to The Hacking Team’s RCS. Interestingly enough, there is actually a real Qatif Today app as well. What is particularly relevant about the Saudi’s choice of Trojan, is that the Qatif province has a strong history of active protest against the Saudi Arabian government. This protest still continues to this day, and despite governmental restrictions on Internet usage, Saudi Internet journalists comprise a strong portion of the protest’s voice – Saudi Internet journalists being exactly the type of people who would download a news app called Qatif Today. At this point, nothing has been proven, but Citizen Lab’s rigorous analysis of the malware is about as close to an accusation as one can get. The lab is of course not directly saying that The Hacking Team sold RCS to the Saudi government knowing full well that the software would be abused; but, they are strongly hinting that said government somehow got their hands on RCS – and that since is the case, stronger regulations of RCS and software like it need to be imposed. Citizen Lab was also kind enough to show us exactly how scary and powerful this RCS type stuff is.

Malware Monitoring at Your Service

Again, for the full effect, we recommend setting aside about an hour of your day and diving deep into the official article. There is some very fine journalism and malware analysis going on at the Citizen Lab blog. Important note though: There is no solid proof that what Citizen Lab analyzed was actually RCS. What they found was malware that bore a striking resemblance to what they know about RCS, based on previous analysis and investigation. Nonetheless, it’s still pretty scary what this kind of stuff can do. Here is a list of point-and-click ways through which a Technician – one of the malware kit’s assignable, privilege-based roles – can craft an installer:

  • Network Injection:  via injected malicious traffic in cooperation with an ISP
  • Tactical Network Injection: on LAN or WiFi
  • Melted Application: bundling a Hacking Team dropper alongside a bait application
  • Installation Package: a mobile installer
  • Exploit: document-based exploit for mobile and desktop
  • Local Installation: mobile installation via USB or SD card
  • Offline Installation: create an ISO for a bootable SDHC, CD, or USB. This option includes the ability to infect hibernated and powered off devices
  • QR Code:  a mobile link that, when pictured, will infect the target
  • Applet Web: likely a malicious website (depreciated after v. 8.4)
  • Silent Installer: a desktop executable that will install the implant
  • Infected U3 USB: an auto-infecting U3 USB
  • WAP Push Message: the target will be infected if the user accepts the message (works on all mobile operating systems apart from iOS)

Once infected, here is a list of things someone with Analyst privileges can analyze, or someone with Admin rights can tell the infected device to do:

  • Accessed files
  • Address Book
  • Applications used
  • Calendar
  • Contacts
  • Device Type
  • Files Accessed
  • Keylogging
  • Saved Passwords
  • Mouse Activity (intended to defeat virtual keyboards)
  • Record Calls and call data
  • Screenshots
  • Take Photographs with webcam
  • Record Chats
  • Copy Clipboard
  • Record Audio from Microphone with additional Voice and silence detection to conserve space
  • Realtime audio surveillance (“live mic:” module is only available for Windows Mobile)
  • Device Position
  • URLs Visited
  • Create conference calls (with a silent 3rd party)
  • Infect other devices (depreciated since v. 8.4)

On top of all this, and perhaps most frighteningly, it was found that this Trojan Qatif Today – a malware, mind you, that could be RCS, a legitimate, proprietary software marketed and sold to governments around the world – can:

  • Send a “scout” infection agent to “pre-infect” a device, to ensure that the real malware won’t get detected
  • Permanently destroy itself if it fails to install or if someone tries to analyze it
  • “Define events that trigger particular actions, sub-actions, modules, and sequences.” I.e., you go to a political website, it wakes up and starts recording your screen.

Lawful Interception Malware

Now, before we or anyone else points the finger cursor at The Hacking Team, there is still one very important counterpoint to consider. This is a counterpoint that is largely ignored by a post-Snowden media looking for and loving all things digital that bleed. The counterpoint is: Lawful Interception. Like most nascent legal concepts, what lawful interception is is still open to debate, but in essence it means that legal authorities pursuing criminals should be given the right to employ the usage of technologies like RCS. At an glance and on paper, this definition seems reasonable enough, but laws in a world and for a world of infinite connections legal definitions are never so simple.

  • Question one: Can, or rather, should a legal agency use tools like RCS against criminals and terrorists, even if it means they can monitor innocent citizens as well?
  • Question two: Should a global, free market economy allow a company to respond to demand by creating malicious software and selling it to anyone who can prove legitimate usage and cash?
  • Question three: Is the government watching you… right now?

All of these are important questions – the answers to which have important implications for the future of the web. Because they are complex, these are also answers that extend way beyond the scope of any one blog post that has already exceeded 1400 words. But this is why blogs have comment sections. More importantly, and seriously however, this is why we as company do what we do. Which is this: Protect people from malware by making anti-malware – no matter who’s making the malware and no matter who’s using it too. Have a Great (You know what free) Day!