posted by Fnord666 on Friday April 05 2019, @04:41AM
from the sanctioned-spyware dept.

According to a technical report issued Friday, a new surveillance malware aimed at Italian users, dubbed 'Exodus', has been infiltrating the Google Play store. It is also being reported that the software is contracted by the Italian Government from a surveillance company called eSurv, based in Catanzaro, in Calabria, Italy.

According to Google,

nearly 25 variants of this spyware were uploaded on [the] Google Play Store. Google Play has removed the apps and they stated that "thanks to enhanced detection models, Google Play Protect will now be able to better detect future variants of these applications".

Although the software has built-in checks to confirm the target is Italian, they are of limited effectiveness.

Exodus includes a function called CheckValidTarget that supposedly exists to "validate" the target of a new infection, but the researchers suggest that not much "validation" is going on, given that the malware activated immediately on the burner phone they used, and stayed active throughout their tests.

The malware doesn't just violate your security, it more or less destroys it:

binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device. For example, if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port.

If the mobile operator doesn't enforce proper client isolation, it is possible that the infected devices are also exposed to the rest of the cellular network.

Obviously, this inevitably leaves the device open not only to further compromise but to data tampering as well.

Google indicated that all downloads of the malware were from Italy.
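From the defender's side, the exposure quoted above shows up as a listening TCP socket bound to the wildcard address and owned by an app UID. The following is an added example, not code from the report or from the story: it parses text in the Linux `/proc/net/tcp` format and flags such listeners. The sample table, its port numbers and UIDs are constructed; it assumes a little-endian device and covers IPv4 only (`/proc/net/tcp6` is not parsed).

```python
import socket
import struct

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
APP_UID_START = 10000  # Android gives installed apps UIDs from 10000 upward

# Constructed sample in /proc/net/tcp format (not taken from the report).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 2222 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 3333 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The kernel prints the IPv4 address as a native-endian 32-bit word,
    so on a little-endian device the bytes appear reversed.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp):
    """Return (port, uid) for app-owned sockets listening on 0.0.0.0."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 8 or parts[3] != LISTEN:
            continue                             # not a listening socket
        ip, port = decode_addr(parts[1])
        uid = int(parts[7])
        # Loopback-only listeners are not reachable from the network;
        # the wildcard address means every interface, Wi-Fi and cellular.
        if ip == "0.0.0.0" and uid >= APP_UID_START:
            findings.append((port, uid))
    return findings


if __name__ == "__main__":
    for port, uid in exposed_listeners(SAMPLE):
        print(f"app uid {uid} listens on all interfaces, port {port}")
```
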


Original Submission

Related Stories

How Italy Became an Unexpected Spyware Hub

In operation since 1992, RCS Labs is a relatively unknown Italian company, and just one node in a web of spyware vendors operating out of Italy with little oversight:

In April 2022, about four months after Kazakhstan's government violently cracked down on nationwide protests, cybersecurity researchers discovered that authorities in the country were deploying spyware on smartphones to eavesdrop on citizens.

[...] The spyware, known as Hermit, is believed to have been used in several other countries including Syria and Italy. Documents published by Wikileaks in 2015 show that RCS had engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Myanmar, Vietnam and Turkmenistan, according to a blog post from Lookout, the cloud security company which discovered Hermit.

[...] Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel's NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, regardless of which vendor they used, and without the large acquisition costs which would normally be prohibitive.

As a result, thousands of spyware operations have been carried out by Italian authorities in recent years, according to a report from Riccardo Coluccini, a respected Italian journalist who specializes in covering spyware and hacking.

"Spyware is being used more in Italy than in the rest of Europe because it's more accessible," Fabio Pietrosanti, president of Italy's Hermes Center for Transparency and Digital Human Rights and a prominent ethical hacker there, told Recorded Future News. "Like any technology or any investigative tool, if it's more accessible, then it will be more used. That's just the natural consequence."

Originally spotted on Schneier on Security.

Previously: Italian Government Spyware Infiltrated Google Play


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 2, Funny) by Anonymous Coward on Friday April 05 2019, @05:48AM (2 children)

    by Anonymous Coward on Friday April 05 2019, @05:48AM (#824812)

    Are you sure it was not Russians?

    • (Score: 0) by Anonymous Coward on Friday April 05 2019, @06:57AM

      by Anonymous Coward on Friday April 05 2019, @06:57AM (#824820)

      Calabrese mafia, maybe.

    • (Score: 0) by Anonymous Coward on Friday April 05 2019, @04:06PM

      by Anonymous Coward on Friday April 05 2019, @04:06PM (#824972)

      Probably Italians. Don't they always leave their weapons behind?

  • (Score: 1, Insightful) by Anonymous Coward on Friday April 05 2019, @06:38AM (1 child)

    by Anonymous Coward on Friday April 05 2019, @06:38AM (#824817)

    binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device. For example, if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port.

    Why would Google allow "apps" downloaded from its store to bind on all interfaces? Don't they have MAC security for these kinds of things?
    inb4 it is deliberate until it was discovered.

  • (Score: 2) by Bot on Friday April 05 2019, @08:40AM

    by Bot (3902) on Friday April 05 2019, @08:40AM (#824827) Journal

    If we look at the possible infiltration from the mob, Catanzaro is as safe a place as Palermo. Fun fact, Palermo is the home of noscript devs. Other fun fact, I still trust noscript more than Google.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Sunday April 07 2019, @05:10AM

    by Anonymous Coward on Sunday April 07 2019, @05:10AM (#825658)

    Have some mal-a-ware! Optimists think this is to monitor the mafia or pedophile catholic priests but realists would realize this is rather done by them.

    Italy is different.
