How governments devise custom “implants” to bug smartphones

Citizen Lab

On Twitter, it was billed as Qatif Today, a legitimate Android app that provides news and information in Arabic with a focus on the Qatif governorate of Saudi Arabia. But in fact, the shortened link came with a hidden extra—an advanced trojan wealthy nation states use to spy on criminal suspects and political dissidents.


Citizen Lab, the University of Toronto group that monitors government surveillance in the digital age, analyzed the recently discovered instance of the fake Qatif Today app in a blog post headlined Police Story: Hacking Team’s Government Surveillance Malware. The account provides a rare glimpse into malware developed by "Hacking Team," a highly secretive outfit based in Italy that charges governments top dollar for extremely stealthy spyware that's often referred to as a "lawful intercept" program.

The trojan is known as an Android implant because it cloaks itself inside a legitimate third-party app. People who are infected with it must first be tricked into obtaining the Android installation package (APK) from a non-authorized source, which in this case was this now-shuttered Dropbox location. Aside from that, victims may have little indication anything is amiss. To lend it legitimacy, the malicious APK was signed by a digital certificate that appeared to be related to Java and its original creator Sun Microsystems. Citizen Lab identified six other samples signed by the same certificate.


Buzzfeed tracks your quiz answers—and the results may surprise you

Man, this quiz sure could use more Game of Thrones characters.

A normal browsing session on Buzzfeed may include GIF-filled lists, quick news blurbs, and a zillion pop-culture quizzes, but what can the site do once it tells you which 30 Rock character you are? According to a British e-commerce specialist, the answer is quite a bit, as Buzzfeed users are coughing up a lot more personal information than they may realize.

In another reminder that everything you do on the Internet leaves a clicktrail, a post at Dan Barker's personal blog opened by picking through the default Buzzfeed browsing data sent to Google Analytics. That data included whether users have connected Facebook to Buzzfeed, how often they've shared Buzzfeed stories to social media, their gender and age (if those have been publicly disclosed), their location, and more.

All of that data was assigned to a "username" value, which Barker noted was the same across multiple browsers on the same PC. Barker analyzed the site's many quizzes, where he found that each quiz answer he chose (or didn't choose) was tracked alongside all of that other potentially personally identifiable information.


Attackers poison legitimate apps to infect sensitive industrial control systems

Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

That's what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. "Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet."
