iPhone, Android open to remote control malware

News by Steve Gold

The Italian Hacking Team seems to have forgotten about a BlackBerry version of the spyware.

Analysis by researchers with Kaspersky Lab has revealed that a new generation of RCS (Remote Control Software) malware is now infecting both Apple iPhone and Google Android smartphones around the world.

According to Kaspersky Lab's Global Research & Analysis Team (GReAT), the RCS spyware is the brainchild of the Hacking Team, a group of Italian programmers, who started developing the darkware code around 12 months ago.

GReAT now says that the malware has a name - Galileo - and is supported by an international infrastructure that allows the spyware to take control of the user's smartphone.

Interestingly, Kaspersky Lab says that its research has revealed a list of infected victims that includes journalists, politicians, activists, and human rights advocates. GReAT says that an iPhone has to be jailbroken to become infected with Galileo, and is advising users not to jailbreak their iPhones in order to prevent a possible infection.

From its latest analysis, Kaspersky Lab's researchers say they were able to map the presence of more than 320 RCS command-and-control (C&C) servers in 40-plus countries, with key locations in the US, Kazakhstan and Ecuador.

Commenting on the findings, Sergey Golovanov, a principal security researcher with the firm, said that the presence of these servers in a given country doesn't mean to say they are used by that particular country's law enforcement agencies.

"However, it makes sense for the users of RCS to deploy C&Cs in locations they control - where there are minimal risks of cross-border legal issues or server seizures," he explained.

In a SecureList posting, the GReAT researchers now say that a version of Galileo also exists for BlackBerry handsets, which uses the JavaLoader application to load the malware, although the good news - from a security perspective - is that this code appears to have been "mistakenly forgotten by the authors."

"The new data we are publishing on HackingTeam's RCS is extremely important because it shows the level of sophistication and scale of these surveillance tools. We like to think that if we're able to protect our customers from such advanced threats, then we'll sure have no trouble with lesser, more common threats like those posed by cybercriminals," says GReAT's analysis.

According to Tony Kenyon, technical director with A10 Networks' EMEA and Latin American operations, there are no reliable statistics on how many iPhones - and more specifically 'jailbroken' iPhones - have been compromised.

"Estimates vary from anything between one and 10 percent, rising with older models. We certainly need more reliable data here, but in reality it's probably at the low end of this figure, since the primary targets for these attacks don't appear to have the right demographic for jailbreaking their own phones," he said, adding that this leaves either remote jailbreaking of an iPhone via an infected PC or, more likely, Android as the most probable transmission path.

"According to McAfee's Feb 2014 mobile security report 'Who's Watching You,' Android malware almost tripled between 2012 and 2013, which is a very worrying trend," he said, noting that the same report also states that root exploits have fallen, probably because mobile operating systems are becoming more secure.

Kenyon went on to say that, once a user jailbreaks a handset, all security bets are off.

"As mobile devices increasingly dominate client Internet access, we place more and more trust in mobile apps to handle our banking, shopping and sensitive data. With so much to gain, these incursions are set to continue as both sides pit willpower and intelligence," he explained.

Phil Robins, a director of Encode UK, meanwhile, said that, with malware currently responsible for upwards of 80 percent of all security breaches, the Galileo spyware is another great example of how resourceful the attackers are.

"It therefore is essential that companies continually review where they are vulnerable to attack and that all relevant defences are in place, properly configured and up-to-date. Company policy needs to support this - i.e. prohibiting employees from jailbreaking their iPhones," he said.

"However this impacts on the BYOD issue, as many people use their own phones to connect with their company's systems and may not comply," he added.
