This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Droid Trojan 'linked to German police'

Share this article:
Droid Trojan 'linked to German police'
Droid Trojan 'linked to German police'

A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected – and is allegedly being used by the German police force.

According to research by the Chaos Computer Club (CCC), the malware can not only siphon away intimate data, but also offers a remote control or backdoor functionality for uploading and executing arbitrary programs. It said functionality in the ‘Bundestrojaner light' (‘federal Trojan'), concealed as ‘Quellen-TKÜ', goes much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court.

German courts have permitted police to use Bundestrojaner to record Skype conversations if there is legal permission for a wiretap.

It said: “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner's functionality is built in right from the start.

“The analysis concludes that the Trojan's developers never even tried to put in technical safeguards in to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.”

The CCC also concluded that complete control of an infected PC is open not just to the agency that put it there due to the poor craftsmanship of the Trojan.

A CCC spokesperson said: “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to '1234'.”

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data centre in the US. The CCC said the German Ministry of the Interior has been informed.

The CCC said: “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

Graham Cluley, senior technology consultant at Sophos, said its analysis of the malware confirmed that it can eavesdrop on several communication applications including Skype, MSN Messenger and Yahoo! Messenger. It can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey, and take JPEG screenshots of users' screens.

He said: “We have no way of knowing if the Trojan was written by the German state and, so far, the German authorities aren't confirming any involvement. The comments in the Trojan's binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.”

Mikko Hypponen, chief research officer at F-Secure, said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC's findings, but we can't confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

“We have never before analysed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.

“Having said that, we detect this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan ‘C3PO-r2d2-POE'. This string is used internally by the Trojan to initiate data transmission.”
Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.