Kaspersky Lab has recently published a report outlining the large international infrastructure used to control Remote Control System (RCS) malware implants, as well as the mobile Trojans created to infect both the Android and iOS operating systems. These modules are part of the spyware tool RCS, also known as Galileo, which was developed by the Italian group HackingTeam. The victims of the attacks have been identified as activists, human rights advocates, journalists and politicians.
Kaspersky Lab had been working on different approaches to uncover Galileo's command-and-control (C&C) servers globally, and managed to do so by searching for indicators and connectivity information gathered by reverse-engineering existing samples.
The latest analysis unveiled over three hundred RCS C&C servers in over 40 countries, with most of them located in the United States, Kazakhstan, Ecuador, the UK, Canada, and China.
Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, said that “The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”
Although HackingTeam's mobile Trojans were already known, and Kaspersky Lab's experts had been researching RCS for some years, the Trojans had not previously been observed in any targeted attacks.
Earlier this year, they were able to identify certain samples of mobile modules that matched the other RCS malware configuration profiles in their collection.
During the recent research, new variants of samples were also received from victims through the Kaspersky Lab cloud-based KSN network.
In addition, the company’s experts worked closely with Morgan Marquis-Boire from Citizen Lab, who has been researching the HackingTeam malware set extensively.
One of the major discoveries has been learning precisely how a Galileo mobile Trojan infects an iPhone: to do so the device needs to be jailbroken.
However, non-jailbroken iPhones can become vulnerable too: an attacker can run a jailbreaking tool such as 'Evasi0n' from a previously infected computer, jailbreak the device remotely, and then infect it.
To reduce the risk of infection, Kaspersky Lab's experts recommend, first, not jailbreaking your iPhone and, second, always keeping the iOS on your device updated to the latest version.
In general, the RCS mobile Trojans can perform many different kinds of surveillance, including reporting the target's location, taking photos, copying calendar events, registering new SIM cards inserted into the infected device, and intercepting phone calls and messages.
These include messages sent from specific applications such as Viber, WhatsApp and Skype, in addition to regular SMS texts.