The malware hosted on the Google Play Store, available for anyone to download and install, was created and distributed by an Italian company known for selling surveillance cameras to law enforcement and other clients, researchers said.
A joint investigation by Security Without Borders, a non-profit organization that often investigates threats against activists and human rights advocates, and Motherboard uncovered the suspected government spyware. The team published its detailed findings and technical reports on Friday.
The spyware, named Exodus, tricks targets into installing it: the carrier apps are designed to look like harmless utilities for receiving promotions and marketing offers from local Italian mobile providers, or for improving the device's performance.
Exodus works in two stages. In the first stage, the app installs itself, collects the phone number and the IMEI (the device's unique hardware identifier) and checks whether the device is an intended target. The malware contains a function called "CheckValidTarget" that apparently serves this purpose.
Researchers attributed the malware to eSurv, an Italian company based in Catanzaro, in the southern region of Calabria. According to the Security Without Borders investigation, the company has close ties to Italian law enforcement, including a significant software sale.
The first hint that the developers were Italian came from two strings inside the malware's code: "mundizza" and "RINO GATTUSO." The former is a dialect word from Calabria that loosely translates to "garbage," while the latter is the name of a famous retired Italian footballer from Calabria.
Confirmation came from the command-and-control servers that some of the apps found on the Play Store used to send stolen data back to the operators. According to the researchers, those servers share a TLS certificate with other services belonging to eSurv's surveillance camera business, and some of the servers identified by Security Without Borders served eSurv's logo as the favicon for their address.
Following the researchers' identification, Google confirmed that the servers in question belonged to eSurv. Independent third-party analyses reached the same conclusion.
eSurv declined to comment when asked.
Meanwhile, eSurv appears to have an ongoing relationship with Italian law enforcement. The company won an Italian State Police tender for the development of a "passive and active interception system," according to a document the Italian government published online under its spending transparency law. The record shows that the company received a payment of €307,439.90 on November 6, 2017.
When asked for a copy of the contract, the agency concerned, the Anti-Drug Police Directorate, refused the FOIA request, citing that the surveillance system had been procured under "special security measures."
Despite the target-verification mechanism built into the malware, the researchers' investigation suggests that the check does not work properly: their test devices, which were not legitimate targets, were infected anyway. "This suggests that the operators of the Command & Control are not enforcing a proper validation of the targets," the report noted. "Additionally, during a period of several days, our infected test devices were never remotely disinfected by the operators."
During Security Without Borders' tests, the spyware running on the test phone gained access to most of the sensitive data on the device, including audio recordings of the phone's surroundings, phone calls, browsing history, calendar data, geolocation, Facebook Messenger logs, WhatsApp chats and text messages.
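The two-stage design and the broken target check can be made concrete with a small model. The following is an added example written for this page, not eSurv's code: the report only tells us that stage one reports the phone number and IMEI to a routine called "CheckValidTarget" and that the C2 operators did not enforce proper validation. The allow-list, the normalization rules (including the assumed +39 default prefix), the class and function names and the sample identifiers are all assumptions and constructed data; the contrast between `TargetGate` (how such a gate should behave) and `PermissiveGate` (what the researchers observed in effect) is the point.

```python
"""Model of a stage-one target check, with a strict and a permissive gate.

Added example, not from the Exodus report or eSurv. Names, wire format
and allow-list are assumptions used only to illustrate the mechanism.
"""
import re


def imei_is_well_formed(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    digits = re.sub(r"\D", "", imei)
    if len(digits) != 15:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_msisdn(number: str) -> str:
    """Normalize a phone number so lookups do not fail on formatting.

    Assumption: numbers without an international prefix are Italian (+39).
    """
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+39" + digits


class TargetGate:
    """Server side of CheckValidTarget as it should work: stage two is
    released only for (number, IMEI) pairs that are on the allow-list."""

    def __init__(self, allowlist):
        self._targets = {
            (normalize_msisdn(n), re.sub(r"\D", "", i)) for n, i in allowlist
        }

    def check_valid_target(self, number: str, imei: str) -> bool:
        if not imei_is_well_formed(imei):
            return False
        key = (normalize_msisdn(number), re.sub(r"\D", "", imei))
        return key in self._targets


class PermissiveGate(TargetGate):
    """What the researchers observed in effect: every device that reports
    in is treated as a target, so unrelated test phones get stage two."""

    def check_valid_target(self, number: str, imei: str) -> bool:
        return True


def stage_one(gate: TargetGate, number: str, imei: str) -> str:
    """Decision taken by the dropper after reporting the identifiers."""
    if gate.check_valid_target(number, imei):
        return "deliver_stage_two"
    return "stay_dormant"


# Constructed sample data (assumed, not real targets).
ALLOWLIST = [("+39 333 000 0001", "490154203237518")]
RESEARCHER_PHONE = ("333 000 0002", "356938035643809")


if __name__ == "__main__":
    strict, permissive = TargetGate(ALLOWLIST), PermissiveGate(ALLOWLIST)
    print("strict, listed target:    ", stage_one(strict, "+39 333 000 0001", "490154203237518"))
    print("strict, researcher phone: ", stage_one(strict, *RESEARCHER_PHONE))
    print("permissive, researcher:   ", stage_one(permissive, *RESEARCHER_PHONE))
```

With the strict gate the researchers' phone would have stayed dormant; with the permissive gate it receives the full payload, which is the behaviour the report describes.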
Furthermore, the spyware opens a port on the device and binds a shell to it, through which the operators can send commands to the infected phone. The researchers highlighted that this shell uses no encryption, and the port is reachable by anyone on the same Wi-Fi network as the target. In other words, any host on that network can connect and send commands to the infected device.
“This inevitably leaves the device open not only for further compromise but for data tampering as well.”
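A practitioner checking a device for this kind of backdoor would start by listing which sockets are listening and on which interface. The following is an added example, not part of the report: the report does not disclose the port Exodus used, so the `netstat -tlnp` lines below are a constructed sample with assumed ports and process names. On a real Android device you would feed in the output of `adb shell netstat -tlnp` (or `ss -ltnp` where available) instead. The check flags any listener not bound to a loopback address, since those are the ones reachable from other hosts on the LAN or Wi-Fi.

```python
"""Flag listening sockets that are reachable from the local network.

Added example, not from the Exodus report. SAMPLE_NETSTAT is constructed
data with assumed ports and process names.
"""
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9123          0.0.0.0:*               LISTEN      640/com.example.localsvc
tcp        0      0 0.0.0.0:6543            0.0.0.0:*               LISTEN      2107/com.example.promo
tcp6       0      0 ::1:8080                :::*                    LISTEN      1990/com.example.debug
tcp6       0      0 :::7000                 :::*                    LISTEN      2210/com.example.ipv6
"""


def parse_listeners(netstat_output: str):
    """Parse netstat-style lines into {host, port, program} for LISTEN sockets."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        if "LISTEN" not in fields:
            continue
        host, _, port = fields[3].rpartition(":")   # handles "::" and "0.0.0.0"
        program = fields[-1] if "/" in fields[-1] else "-"
        listeners.append({"host": host, "port": int(port), "program": program})
    return listeners


def exposed_listeners(netstat_output: str):
    """Listeners bound to a non-loopback address: reachable by other hosts
    on the same network, which is exactly the exposure the report describes."""
    exposed = []
    for entry in parse_listeners(netstat_output):
        try:
            addr = ipaddress.ip_address(entry["host"])
        except ValueError:
            continue                                 # unparsable address, skip
        if not addr.is_loopback:                     # 0.0.0.0 and :: are unspecified, not loopback
            exposed.append(entry)
    return exposed


if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED  {entry['host']}:{entry['port']}  {entry['program']}")
```

A listener on 0.0.0.0 or :: owned by an app that has no business serving network connections is the signal to investigate; the loopback-only entries are not reachable from the Wi-Fi network and are not flagged.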
The discovery has renewed concerns about the limits of the screening Google uses to keep malware out of its official app marketplace. Both state-sponsored hackers and criminal groups have been known to upload malicious apps to the Play Store, and this case only underlines the limits of Google's ability to protect Android users from malicious applications downloaded from Google Play.