Connect with us

Cybersecurity

eSurv, The Company That Developed Malwares In Play Store Sold “Interception Systems” To Italian Law Enforcement

Published

on

Researchers determined that eSurv, the company that developed the malwares hosted in Google Play Store, sold surveillance equipment and software to Italian law enforcement

The malware that was hosted in Google Play Store available for anyone to download and use was created and distributed by an Italian company known for selling surveillance cameras to law enforcement and other clients, researchers said.

A joint study between Security Without Borders, a non-profit organization that often investigates threats against activists and human rights advocates, and Motherboard discovered the existence of the suspected government-owned malware. The team behind the investigation published their detailed findings and technical reports on Friday.

The spyware, named Exodus, aims to trick targets to install them and are designed to look like harmless apps to receive promotions and marketing offers from local Italian cellphone providers, or to improve the device’s performance.

Exodus was programmed to act in two stages. In the initial stage, the malware would self-install and checks the phone number, and it’s IMEI (the device’s unique identifying number) and validate whether or not it was a target. For that apparent purpose, the malware has a function called “CheckValidTarget.”

Read More:GOOGLE PLAY STORE HOSTED GOVERNMENT-OWNED MALWARES

Researchers revealed that the malware was developed by eSurv, an Italian based company from the southern city of Catanzaro, in the Calabria region. The investigation conducted by Security Without Borders said that the Italian company has close ties and made a significant sale of software to Italian law enforcement.

The first hint that the developers of the malware were Italian was discovered from two strings inside the malware code. The code included text like “mundizza,” and “RINO GATTUSO.” The former is a dialectical word from the southern region of Calabria that loosely translates to “garbage,” while the latter is a famous retired Italian athlete from Calabria.

The confirmation of the information came from the command and control server used in some of the apps found on the Play Store to send the data back to the malware operators. According to the researchers, the servers of these apps share a TLS web encryption certificate with other services that belong to eSurv’s surveillance camera service. Some of the servers identified by the Security Without Border investigation displayed eSurv’s logo as the icon associated with the server’s address.

Following the identification made by the researchers, Google confirmed that the servers in questioned belonged to eSurv. Other third-party analyses also arrived at the same conclusion.

The company declined to comment about the matter when asked.

Meanwhile, eSurv appears to have an ongoing relationship with Italian law enforcement. The company won an Italian government State Police tender for the development of a “passive and active interception system,” according to a document published by the Italian government online in compliance with their spending transparency law. The record revealed that the company received a payment of € 307,439.90 on November 6, 2017.

When requested for a copy of the document, the law enforcement agency, the Anti-Drug Police Directorate, refused to grant the FOIA request citing that the said surveillance system was obtained with “special security measures.”

Amid the design protocols and the verification mechanism in the malware, researchers suggest through their investigation, that the spyware app’s verification mechanism does not work probably. “This suggests that the operators of the Command & Control are not enforcing a proper validation of the targets,” the report noted. “Additionally, during a period of several days, our infected test devices were never remotely disinfected by the operators.”

During the period of the test conducted by Security Without Borders, the dummy phone used to investigate the malware has gained access to most of the sensitive data on the infected smartphones, such as audio recordings of the phone’s surroundings, phone calls, browsing history, calendar information, geolocation, Facebook Messenger logs, WhatsApp chats, and text messages.

Furthermore, the spyware would open up a port and a shell on the device that would allow the operators to send commands to the infected phones. The researchers highlighted that these open shells are not programmed to use encryption, and the port is open to anyone on the same Wi-Fi network as the target. This means that anyone connected to the network can have access and send commands to the infected devices.

“This inevitably leaves the device open not only for further compromise but for data tampering as well.”

Many have raised the concern of the limits of Google’s filters that are meant to prevent malware from slipping into its official app marketplace. Both government-sponsored hackers and those that are working for different criminal organizations were known for uploading malicious apps to the Play Store. The new discover only highlights Google’s inability to protect Android users from destructive applications downloaded from Google Play Store.

A Consumer Tech and Cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Cybersecurity

Indictment Against Hackers Involved In Anthem Data Breach Unsealed

Two men are indicted for allegedly part of a group of hackers from China linked in the Anthem Insurance data breach in 2015. Click To Tweet

Published

on

Twor men are indicted for allegedly part of a group of hackers from China linked in the Anthem Insurance data breach in 2015.
The indicted individuals are allegedly part of a group of hackers from China linked in the Anthem Insurance data breach in 2015. Photo: Tim Reckmann | a59.de | Flickr | CC BY 2.0

Two men were indicted in the U.S. in connection with the data breach at the health insurance company, Anthem, that siphoned more than 78.8 million customer and employee records between 2014 and 2015.

The Justice Department recently unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking network group, based in China that was behind not only in Anthem data breach, but also the attacks against three other US businesses.

While the Justice Department did not name the said Chinese hacking group victimized the three other businesses who they said, they said that these companies were “data-rich.” One was a technology business, one was in necessary materials, and the third was in communications. They said that all of these three companies store a substantial amount – and some confidential – of data on their servers and data networks.

The suspects are 32-year-old Wang Fujie with the Western name of “Dennis” and another one that until now remained unnamed. The Justice Department could not find the real name of the unnamed man but said that he goes by various online nicknames such as “Daniel Jack,” “Kim Young” and “Zhou Zhihong.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment documents, the hacker group where Dennis and the unnamed man belongs have carried out attacks using “sophisticated techniques” including spearphishing and malware from February 2014 and up until around January 2015.

They allegedly sent tailored spearphishing emails with links to malware and sent them to employees at the target companies. Once the targeted employee opened the email, the system would get affected by the malware that would later plant a backdoor Trojan that gives the hackers remote access via their command and control servers.

Wang is also accused of having set up the servers, hosted in California and Arizona that were used in the Anthem attacks.

The cyber attack suffered by the insurance company has had them cough up large amounts of money as settlement, making it the most significant data breach settlement ever. In 2017, the company agreed to pay $115 million to settle a class action suit over the breach.

The Anthem attack is also the most massive health insurance data breach, and the amount of data lost to the hackers dwarfed the biggest data breaches in the following years with 11 million breached at Premera and 10 million from Excellus.

The DOJ through a press release and Assistant Attorney General Brian Benczkowski called the hacking event as “unprecedented.”

“The allegations in the indictment unsealed today to outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII. The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

Meanwhile, another set of indictments were released by the Justice Department against European hackers over the hacking of different private and public institutions in the United States. Ten individuals were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering.

The ten people who were charged were allegedly involved in the malicious software attacks that infected tens of thousands of computers and caused more than $100 million in financial losses, the US and European authorities announced Thursday.

According to the officials who filed the charges, the malware, which enabled cybercriminals and hackers from Eastern Europe infiltrate computer systems remotely and siphon funds from victim’s bank accounts, targeted companies and institutions across all sectors of American life.

The victims of the malware attacks included a Washington law firm, a church in Texas, a furniture business in California and a casino in Mississippi.

The investigation started following the dismantling of a network of computer servers, known as Avalanche, which hosted more than two dozen different types of malware. The Justice Department had successfully taken their operation apart in 2016.

Continue Reading

Cybersecurity

Winnti For Linux: Researchers Found Linux Variant Of Malware Used By Chinese Hackers In 2015

A Linux version of Winnti malware was discovered by tech researchers from Chronicle. The malware was used in 2015 by Chinese hackers. Click To Tweet

Published

on

A Linux version of Winnti malware was discovered by tech researchers from Chronicle. The malware was used in 2015 by Chinese hackers.
The discovered Linux malware bears significant similarities with its Windows counterpart. Photo: Christiaan Colen | Flickr | CC BY-SA 2.0

Linux systems are cybersecurity kings, but on a historic first, tech researchers have found a variant of a widespread malware, a favorite of Chinese hackers, have been discovered in a Linux system.

The discovery was made by researchers from the Chronicle, Alphabet’s cybersecurity department. The researchers revealed that they found a Linux variant of the Winnti malware that works as a backdoor on infected hosts, granting attackers access to compromised systems. It was the malware used by Chinese hackers in the high-profile cybercrime against a Vietnamese game company in 2015.

Chronicle researchers said that they discovered the malware following the news that Bayer, one of the biggest pharma company in the world, had been hit by Chinese hackers, and the Winnti malware was discovered on its servers.

After the team scanned Bayer’s system using its VirusTotal platform, they found what appeared to be a Linux variant of the Winnti, dating back to 2015 when it was first used by Chinese hackers to attack a Vietnamese gaming company.

According to the Chronicle, the malware that they have discovered comes in two parts: a rootkit to disguise the malware in the infected host and the actual backdoor Trojan. Further analysis the discovered Linux variant of the Winnti malware bears a lot of similarities to the malware’s Windows version. Other connections with the Windows version also included the similar way in which the Linux variant handled outbound communications with its command-and-control (C&C) server — which was a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).

“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux,” said the researchers in their comprehensive report.

Lastly, the Linux version, just like the Window’s version, also has the ability for Chinese hackers to initiate communication with the infected host without going through the C&C servers – distinct characteristics in Windows Winnti.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers said in a report published last week.

While infecting Linux systems is something already done especially by American and Russian hackers, it is also extremely rare, as pointed out by the Chronicle.

“Clusters of Winnti-related activity have become a complex topic in threat intelligence circles, with activity vaguely attributed to different codenamed threat actors. The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows-based environments. An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets, but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant,” added Chronicle.

Meanwhile, malware have become one of the most common tools to attack computer systems, even those of public institutions. A few days ago, ten Europeans were indicted for the malware attacks that have victimized several businesses and government agencies in the U.S.

The ten people who were charged were allegedly involved in the malicious software attacks that infected tens of thousands of computers and caused more than $100 million in financial losses, the US and European authorities announced Thursday last week.

The victims of the malware attacks included a Washington law firm, a church in Texas, a furniture business in California and a casino in Mississippi.

The charged individuals are now facing conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering.

The investigation started following the dismantling of a network of computer servers, known as Avalanche, which hosted more than two dozen different types of malware. The Justice Department had successfully taken their operation apart in 2016.

Officials reveal that the malware in the current court case has infected more than 41,000 computers by disguising as legitimate messages or invoice and was sent as spam emails. Once the email was opened, hackers will be able to record all keystrokes in the infected computer, sweeping data like baking information and wire money away from the victim’s account.

Continue Reading

Cybersecurity

10 European Cybercriminals Charged For Malware Attacks In The US

European and US Officials collaborated to pin down ten individuals in connection with the ransomware attacks in the US. The charges include facing conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy… Click To Tweet

Published

on

European and US Officials collaborated to pin down ten individuals in connection with the ransomware attacks in the US.
European and US Officials collaborated to pin down ten individuals in connection with the ransomware attacks in the US. Photo: Christian Cohen | Flickr | CC BY-SA 2.0

The tech world has agreed that ransomware and malware are becoming one of the most prolific cyber attacks in recent (more…)

Continue Reading

Today’s Latest

Our Voices

Silicon Valley Silicon Valley
Our Voice2 days ago

How Tech Companies Affect Communities In Places They Call ‘Home’

Tech companies are today’s driving forces in the economic world, mostly because of the introduction of the Internet. It allows...

We reviewed RingCentral's VoIP offers We reviewed RingCentral's VoIP offers
Our Voice6 days ago

RingCentral VoIP Review

VoIP has had a significant shift from a technology exclusively used by the early adopters or hobbyist to a widely...

April Fools April Fools
Our Voice2 months ago

April Fools Jokes Aren’t Just “Jokes”

April Fools is undoubtedly a fun day, exceptionally if you have crafted the most elaborate prank on your friends and...

Facebook Facebook
Facebook2 months ago

Facebook Should Do Better At Processing Community Standard Violations, And They Should Do It Fast

A few months ago, I saw a photo of myself used by another Facebook account with a “R.I.P. (Rest in...

With reports of artists committing harassments, should you separate the art from the artist? With reports of artists committing harassments, should you separate the art from the artist?
Our Voice2 months ago

Supporting Problematic Artists And Their Arts, An Opinion

As the world becomes swarmed by reports of famous artists – musicians, comedians, actors, painters – being alleged or in...

How to regulate facial recognition without possible risks How to regulate facial recognition without possible risks
Our Voice2 months ago

Ethical Regulation Of ‘Facial Recognition’ Is A Shared Responsibility

There is an ongoing discussion both in online and offline spaces regarding the growth of facial recognition technology and its...

Solving Data Breachs, must focus on SMBs Solving Data Breachs, must focus on SMBs
Cybersecurity2 months ago

Data Breach Epidemic: Solving The Problem In SMBs Will Solve The Problem For All

In the last two weeks, we’ve witnessed a vast amount of data breaches and information leaks, and the issue has...

Here's why we agree to Jacinda Ardern, New Zealand Prime Minister words of not naming mass shooter suspects Here's why we agree to Jacinda Ardern, New Zealand Prime Minister words of not naming mass shooter suspects
Our Voice2 months ago

We Agree To PM Ardern Of Keeping Christchurch Murderer Nameless, And The Media Should Listen

In the wake of Christchurch mosques shooting in New Zealand that killed 50 people at two mosques, the shooter is...

Apple Anti-Snooping Paten Apple Anti-Snooping Paten
Apple2 months ago

Apple vs. Police Authorities; A Cold War Against iPhone’s Anti-Snooping Patent

To protect its customers from hackers and illegal surveillance, Apple is developing an anti-snooping technology that would impede police and...

Fighting misinformation over measles outbreak Fighting misinformation over measles outbreak
Our Voice2 months ago

An Epidemic: Measles Or Misinformation?

2018 was the year when people started asking the question: ‘should I get my child vaccinated?’ Most people answered yes,...

Join us as we delve into the future of the VoIP industry Join us as we delve into the future of the VoIP industry
Our Voice3 months ago

Take A Look At The Predicted Future Of The VoIP Industry

For the past 20 years, VoIP has become an integral part of the lives of millions of people around the...

Contact Center Solutions Contact Center Solutions
Business3 months ago

Choose The Right Call Center And The Best Contact Center Solutions of 2019

The Ins And Outs Of Business Communication Management For your business to exist in today’s world, you must know how...

Instagram poses as a threat to some of the world's most famous location Instagram poses as a threat to some of the world's most famous location
Our Voice3 months ago

How Instagram Corrupts Famous Locations In The World

Is Instagram corrupting the beauty of breathtakingly beautiful locations and sucking all the joy out of traveling? With the era...

How one can earn crypto How one can earn crypto
Our Voice4 months ago

Ways To Earn Cryptocurrency

Cryptocurrency is one of the growing medium for exchange in most countries as it offers a more convenient and safer...

Ending Payday Loans Ending Payday Loans
Our Voice4 months ago

Can We End Payday Loans?

We can’t neglect the fact that debt is one of the pressing problems in the country, especially in today’s economy....

How will 5G change our lives -- Our Voice How will 5G change our lives -- Our Voice
Our Voice4 months ago

Jumping From 4G To 5G: Here’s What 5G Can Do For You

One of the most awaited advancements in technology is the cellular industry. With its monthly updates on software, model and...

VoIP vs Traditional Telephones: Cost Factors to consider VoIP vs Traditional Telephones: Cost Factors to consider
Our Voice4 months ago

What are the cost factors of VoIP?

In the next few years, we might be saying goodbye to traditional telephone systems in exchange for Voice over Internet...

Manufacturing Firms Investment on Technology Manufacturing Firms Investment on Technology
Our Voice5 months ago

Manufacturing Firms are Investing More on Technology

Based on the recent research on how manufacturing companies are coming up in the market industry, they have been increasing...

How to properly take Technology Innovation in companies How to properly take Technology Innovation in companies
Our Voice5 months ago

Technology innovation in companies—for the better or the worse?

Technology has significantly impacted both homes and workplaces in the last years. As much as we want to keep our...

Trending