This report analyzes Hacking Team’s Android implant, and uses new documents to illustrate how their Remote Control System (RCS) interception product works. This work builds on our previous research into the technologies and companies behind “lawful interception” malware. This technology is marketed as filling a gap between passive interception (such as network monitoring) and physical searches. In essence, it is malware sold to governments. Unlike phone monitoring and physical searches, however, most countries have few legal guidelines and oversight for the use of this new power. In light of the absence of guidelines and oversight, together with its clandestine nature, this technology is uniquely vulnerable to misuse. By analysing the tools, and their proliferation at the hands of companies like Hacking Team and Gamma Group, we hope to support efforts to ensure that these tools are used in an accountable way, and not to violate basic principles of human rights and rule of law.
In a report published earlier this year, we presented the results of a global scanning effort, and identified 21 countries with deployments of Hacking Team’s Remote Control System monitoring solution. In addition, alongside other researchers, we have uncovered a range of cases where “lawful interception” software has been used against political targets by repressive regimes. Political and civil society targets have included Mamfakinch in Morocco, human rights activist Ahmed Mansoor in the UAE, and ESAT, a US-based news service focusing on Ethiopia. In all of these cases, a tool marketed for “law enforcement” was used against political, rather than security threats. In still other cases, like Malaysia [PDF], we have found bait documents and seeding suggestive of political targeting.
Part 1: An Android Hacking Team Backdoor in Saudi Arabia
Protests in Saudi Arabia and Qatif
While Saudi Arabia has not seen protests comparable to those elsewhere during the Arab Spring, it has experienced protests since 2011, primarily in the Ash-Sharqīyah province. There are a number of reasons for political tensions, ranging from demographic pressures, cost of housing, and unemployment, to issues of women’s and minority rights. The province is predominantly Shia, who have long-standing grievances over perceived political and cultural marginalization by the Sunni ruling regime. These grievances were magnified when, in early 2011, the Bahraini government violently suppressed Shia protests with the assistance of Saudi Arabian troops.
Protests then spread in a number of areas, including in the predominantly Shia Qatif Governorate. In 2011, most Shia protesters appear to have initially demanded reform, rather than the regime change advocated in other Arab countries. Interestingly, Qatif has a history of Shia protest, most famously in widespread protests in 1979. In response to those protests, which demanded greater political and economic participation, the regime provided extensive economic concessions. In 2011, however, authorities responded with violence and arrests of prominent Shia figures. Protesters were wounded and others allegedly killed by security forces, according to Human Rights Watch. This crackdown may have contributed to shifting protesters’ demands; today, some explicitly demand regime change using secular language, according to researchers and journalists directly familiar with recent developments who spoke with us. In what might be described as an inflammatory response, Saudi authorities also arrested an outspoken and highly visible Shia Sheikh.
“… the prosecutor demanded he face not only the death sentence, but an additional punishment mandated by sharia law for the most heinous offences in which the dead body is defiled by being hanged from a pole.” -Reuters
The escalation, which has been accompanied by violence against security services among some Shia, is used by the regime to justify harsh measures, including “riot control,” arrests, and sentences including death for protesters on charges of “Sedition.” Others have been charged with espionage on behalf of Iran, in a case that has been claimed by many Shia to have been politically motivated.
Human rights organizations that have catalogued alleged abuses, like the Adala Center for Human Rights, have been denied the ability to register as formal organizations, subject to URL blocking, and had staff harassed and imprisoned. Journalists attempting to report on Qatif are blocked from entering, and regularly subjected to threats and government pressure.
Social media and mobile phones are a key part of how protests are organized, with protesters taking measures, like using pseudonymous accounts, to share their message. Nevertheless, according to people familiar with the events, digital operational security practices are often piecemeal, and do not match the capabilities of the security services.
Surveillance, Monitoring and Information Control in Saudi Arabia
Saudi Arabia is a unique and complex security environment, and its security services play a range of roles. On the one hand, Saudi Arabia faces undeniable foreign and domestic security threats from hostile groups, extremists and other governments. On the other hand, the regime has been exceptionally aggressive in its attempts to control and stifle dissent and political pluralism.
The security services in Saudi Arabia make use of a range of instruments of formal and informal state power to control the electronic information environment in the country. Beginning at government-maintained Internet chokepoints and extending to ISPs, the state blocks a wide range of political, religious and cultural content. This includes social media, whether specific users or whole platforms. Extending further, the state requires that news websites (defined broadly) register with the authorities. Registered websites are subject to extensive regulation, while operators that have not registered risk severe penalties. Site operators are encouraged to self-monitor and moderate content, under threat of financial penalties, jail time, and corporal punishment such as lashes. In addition, anti-cybercrime legislation has been used to prosecute online dialogue that most societies would consider acceptable political speech.
The public use of mobile monitoring extends into forms of social control that many societies would find highly objectionable. For example, the government earned international condemnation when it announced that it would implement a system to enable a male guardian to monitor the travel behavior of women under his care. Replacing an older permission-slip based system (“yellow cards”), male guardians receive text messages when women arrive on the premises of the international airport, asking whether the women are permitted to travel.
Internet and social media users are encouraged to self-censor and report on each other. The government engages in public advertising campaigns to encourage both behaviours, and makes it clear to Saudi citizens that they are watching, and listening. In particular, the state has implemented specific penalties for re-sharing, privately or publicly, content deemed objectionable. In addition to using the explicit tools of the law, it is widely believed that the state encourages an “electronic army” of pro-government individuals to swamp social media conversations with pro-regime voices and harass dissenters.
Speech involving religious themes is especially risky, as the government is willing to use serious religious charges, including the death penalty and corporal punishment, and tools of international jurisprudence like extradition, to detain and punish those who violate its strict norms for political, religious, and cultural speech.
In one notable case, the operator of the Saudi Liberals discussion forum was eventually sentenced to 10 years in prison and 1000 lashes for maintaining a forum on the discussion of religion and reform. This was a reduction of sorts, as the prosecution had demanded his execution. Many similar cases, using various charges, have been reported by human rights organizations and commentators.
These measures have an intentionally chilling effect on political speech, and are regularly the subject of criticism by the international human rights community. Nevertheless, social media remains the primary outlet for political speech. Many users practice some degree of self-censorship, or indirect speech, while others use pseudonyms and other technical means to preserve their anonymity. To access banned content, the use of virtual private networks (VPNs) is also common. In response, security services use police and investigative powers to unmask the posters, and punish them severely, sometimes after arrests in which the name of the detainee(s) is kept secret.
Phone use in Saudi Arabia has a penetration rate of 170%, with an estimated average of 30% of individual income spent on mobile phone and Internet costs in 2014. As a result, older mechanisms of Internet surveillance, like monitoring Internet cafes, are being replaced. Individual users are required to use real identities when registering mobile devices, and it is clear that the state is seeking greater visibility into encrypted traffic. In 2010, for example, Saudi Arabia successfully gained access to BlackBerry communications after making Saudi-located servers a quid pro quo for allowing the devices on Saudi networks. More recently, the government’s appetite for encrypted communications was revealed by Moxie Marlinspike, a security researcher and developer, who received an overture from Saudi telecom company Mobily seeking his assistance in accessing encrypted traffic. The firm was seeking an intercept solution (on request of the Saudi Government, they said) for access to a range of mobile chat clients (Viber, LINE, WhatsApp) as well as the mobile version of Twitter.
The use of mobile malware can be understood as part of this desire, by no means limited to Saudi Arabia, to match the technologies in use by their population.
Seeding: A Lure with Political Subtext?
Using signatures developed as part of our ongoing research into “lawful intercept” malware developed by Hacking Team, we identified a suspicious Android installation package (APK). The file was a functional copy of the ‘Qatif Today’ (القطيف اليوم) news application bundled with a Hacking Team payload. Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an “Installation Package,” where a legitimate third-party application file is bundled with the implant (see: Developing and Deploying Implants). This tactic of repackaging Android applications with implants has been seen in other targeted malware attacks (that do not use commercial “lawful intercept” products), including the LuckyCat campaign, and in attacks against Tibetan activists and groups in the Uyghur community.
The genuine ‘Qatif Today’ app is an Android (download here) and iPhone application that provides news and information in Arabic with a special relevance to the Qatif Governorate of Saudi Arabia.
Qatif Today in the Google Play app store
The connection to Qatif is interesting, given the recent history of protest in Qatif as outlined above. We are not in a position to determine the identity of the group or individual targeted with this malware, however, we speculate that the attack may be linked to political protest in eastern Saudi Arabia.
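A defender triaging a suspected “Installation Package” of this kind can diff it against the genuine build of the same app: a repackaged APK must carry extra or altered entries (new dex code, an edited manifest) and, because the attacker does not hold the developer’s key, a different signing certificate. The script below is an added example, not code from the report or from Hacking Team; both APKs are small constructed zip files standing in for the real ‘Qatif Today’ builds.

```python
import hashlib
import io
import zipfile


def apk_inventory(apk_bytes):
    """Map each entry in an APK (a zip archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}


def compare_apks(genuine, suspect):
    """Diff a suspect APK against the known-good build of the same application."""
    g, s = apk_inventory(genuine), apk_inventory(suspect)
    added = sorted(set(s) - set(g))
    removed = sorted(set(g) - set(s))
    modified = sorted(name for name in set(g) & set(s) if g[name] != s[name])
    # A re-signed package shows up as a changed or replaced signature block.
    sig_exts = (".RSA", ".DSA", ".EC")
    signer_changed = any(
        name.startswith("META-INF/") and name.endswith(sig_exts)
        for name in added + removed + modified
    )
    return {"added": added, "removed": removed, "modified": modified,
            "signer_changed": signer_changed}


def build_apk(entries):
    """Build a minimal zip in memory; stands in for a real APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the developer's build and a repackaged copy of it.
GENUINE = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.news'/>",
    "classes.dex": b"dex 035 original app code",
    "res/layout/main.xml": b"<layout/>",
    "META-INF/CERT.RSA": b"constructed: original developer key",
})
SUSPECT = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.news'><!-- extra perms --></manifest>",
    "classes.dex": b"dex 035 original app code",
    "res/layout/main.xml": b"<layout/>",
    "classes2.dex": b"dex 035 constructed implant code",
    "META-INF/CERT.RSA": b"constructed: re-signing key",
})
```

The diff of the constructed pair reports one added dex file, a modified manifest and a replaced signing certificate, which is the pattern a bundled implant leaves even when the app still works as before.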
Hacking Team Samples
The malicious APK, QatifNews.apk, has the following hash:
At the time of first submission to the VirusTotal database, the file was detected by zero out of 50 AntiVirus products in VirusTotal:
It appears that an APK of the same name was seeded on Twitter 5 days later by a Twitter account (@_bhpearl) linked to Bahrain, a country of great interest to Shia in Qatif.
Tweet with links by @_bhpearl (since deleted)
The tweeted links were shortened using the goo.gl service. These resolved to:
The first link, to the iTunes store, has 18841 clicks on the shortened link and appears legitimate. The second link, however, does not redirect to the genuine app at the Android App Store. Instead, it redirects to a Dropbox file that has since been removed. The analytics on the shortened second link are interesting: there were only 13 clicks. We can discount 7 of these clicks (those in the US and Germany) as researchers, while three are in Saudi Arabia. One click in Taiwan may be a VPN, or a security researcher.
Google Shortener Analytics
While we cannot confirm that the file on Dropbox was the same APK, we suspect that the timing of the tweet, and the use of a non-standard method for sharing an Android application, are not a coincidence.