Police-Grade Mobile Spyware Is Spreading Through Saudi Arabia (and Beyond)

"It's giving governments the power to impose ancient ideologies with modern technology."

Thomas Fox-Brewster

Image: Ismagilov/Shutterstock

Evidence is amassing that shows an increasing use of modern technology for oppressive means in Saudi Arabia. In recent years, the world has learned of schemes that send text messages to let men know when their wives are about to board a flight, attempt to ban globally popular messaging apps, and heavily monitor social networks.

Today, researchers said it appeared government malware may be being used to infect the computers of members of the Shiite minority, who have expressed concern over political marginalisation in recent years. "We are not in a position to determine the identity of the group or individual targeted with this malware, however, we speculate that the attack may be linked to political protest in eastern Saudi Arabia," Citizen Lab said in its report. It's believed Shiites of Qatif, which was home to protests in 2011, may have been targeted.

The malware in question is "lawful interception technology" sold by an Italian company called Hacking Team. The Hacking Team Remote Control System is designed to be used by law enforcement to track genuine criminals, but has been found in various countries with questionable human rights records and rule of law, the researchers claimed.

Motherboard has previously documented the alleged use of similar software to target pro-democracy activists from Bahrain and Ethiopia.

In this latest case, a fake Android application masquerading as a functional copy of the Qatif Today news app was found by researchers from Citizen Lab, a Toronto-based body which has analysed the malware and fingerprinted the servers it uses.

On download, the malicious Android app would attempt to root the device and take control of it, before siphoning off phone calls, text messages, and other files on the phone. The tool can also take screenshots and photos of the user, and attempts to access local files stored by popular social media and messaging software, including Facebook, Viber, WhatsApp, and Skype.

The malware didn't appear on official or third-party stores, but was linked to on Twitter by a user called @_bhpearl, a Shiite activist based in Bahrain, according to Citizen Lab. Though he can't be sure who was running the Hacking Team operation or who specifically it was trying to monitor, Morgan Marquis-Boire, a researcher at Citizen Lab and now head of security at First Look Media, told me he thinks the Twitter user may have been targeted due to his followers list, which likely included other Shiites of interest to Saudi intelligence agencies.
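A defender's first pass at a sideloaded app like the fake Qatif Today copy is to ask whether its declared permissions match its stated purpose. The script below is an added example, not Citizen Lab's or Hacking Team's code: it parses permission lines in the style of `aapt dump permissions` output (the two sample dumps are constructed), maps the surveillance capabilities the article attributes to the implant onto the standard Android permissions that would grant them through the normal permission model (that mapping and the news-app baseline are assumptions of the example), and reports what a "news reader" would be able to do that a news reader has no business doing.

```python
import re

# Android permissions a news-reader app has a plausible reason to declare.
# This baseline is an assumption for the example; tune it per app category.
NEWS_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Each surveillance capability the article attributes to the implant, mapped to
# the standard Android permissions that would grant it via the permission model.
# Any one permission in a set is enough to flag that capability.
CAPABILITY_PERMISSIONS = {
    "read or intercept text messages": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "monitor phone calls": {
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_CALL_LOG",
        "android.permission.PROCESS_OUTGOING_CALLS",
    },
    "take photos of the user": {"android.permission.CAMERA"},
    "read files on the device": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "track location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Matches both "uses-permission: name='X'" and the older "uses-permission:'X'".
_PERMISSION_LINE = re.compile(r"uses-permission:\s*(?:name=)?'([^']+)'")


def parse_permissions(dump_text):
    """Extract declared permission names from aapt-style dump text."""
    return set(_PERMISSION_LINE.findall(dump_text))


def triage(declared, baseline=NEWS_APP_BASELINE):
    """Sorted surveillance capabilities the declared permissions would enable,
    ignoring anything the app's baseline already explains."""
    unexpected = declared - baseline
    return sorted(
        capability
        for capability, perms in CAPABILITY_PERMISSIONS.items()
        if perms & unexpected
    )


def unexplained_permissions(declared, baseline=NEWS_APP_BASELINE):
    """Permissions outside the baseline that map to no listed capability.
    The mapping is deliberately small, so these still merit a manual look."""
    mapped = set().union(*CAPABILITY_PERMISSIONS.values())
    return sorted(declared - baseline - mapped)


# Constructed sample dumps: a plain news reader, and a repackaged copy carrying
# the permission footprint of the capabilities described in the article.
CLEAN_DUMP = """\
package: com.example.news
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

TROJANIZED_DUMP = """\
package: com.example.news
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("trojanized", TROJANIZED_DUMP)):
        declared = parse_permissions(dump)
        flagged = triage(declared) or ["no surveillance capabilities flagged"]
        print(f"{label}: {', '.join(flagged)}")
        print(f"  unexplained: {unexplained_permissions(declared)}")
```

One caveat the article itself supplies: an implant that roots the device no longer needs to ask for these permissions, so a clean triage result is the absence of the crudest signal, not a clean bill of health. The app's signing certificate and its distribution channel (here, a link on Twitter rather than a store) deserve the same scrutiny.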

Whoever the perpetrator and whoever the target, the appearance of such government malware "speaks to technology acting as a power amplifier," Marquis-Boire added. "With the internet we thought it was all going to be freedom and freedom of communication. But it's giving governments the power to impose ancient ideologies with modern technology."

Meanwhile, Citizen Lab has just been given a large document believed to be a manual for Hacking Team's toolkit dating from autumn 2013. Though it could not determine the authenticity of the document, it chimed with much of what the researchers had found before.

The leak, which included product demonstrations, showed how adding modules to the malware has been made easy with a graphical interface called the Factory. Simple toggle switches turn functions, such as Skype monitoring and web usage tracking, on or off:

Image: Citizen Lab

Inside the Factory, the technician can choose from a range of options to attack users, including the use of a "melted application," where Hacking Team code is built into a bait app. That technique seems to have been used in the Qatif Today case. Other methods included infection over QR code, a malicious website, or USB.

Marquis-Boire said the most common infection vector for mobile was via text messages sent over the Wireless Application Protocol, though this would not work on Apple's iOS. Hacking Team's software can work on all major operating systems, including iOS, Mac, Windows, Windows Phone and BlackBerry, as well as Android. Another common method is to launch a malware download on the mobile once it is connected to an infected PC.

The leaked manual also showed the Google Maps-based GPS tracking functionality, including an image that might have revealed a demo for US law enforcement, as it showed a target called Jimmy Page in the parking lot of the LA County Sheriff. This could, however, simply be a coincidence or an unfortunate choice of location.

Image: Citizen Lab

Though much of what Citizen Lab has revealed is worrying for activists across the world, there is some good news: Hacking Team's users haven't done a perfect job of covering their tracks. Though the software uses a "scout agent," which checks whether a system is safe to infect (or whether it might be owned by analysts trying to uncover its secrets), researchers from Citizen Lab and antivirus firm Kaspersky have managed to map Remote Control System operations and the servers running them.

Marquis-Boire said this isn't Hacking Team's fault; it's the company's customers who appear to be giving the game away by not training law enforcement officials on how to use the software properly. "It's on the operator to ensure their tools don't get discovered. Hacking Team's product is fine, it's that there are substantial operational security risks when you sell your product to many governments around the world," he said.

Thanks to loopholes in the use of Hacking Team infrastructure, Kaspersky has managed to detect it in over 40 countries around the world and pinpoint 326 servers used to run the software. The majority were based in the US, Kazakhstan, Ecuador, the UK and Canada. The image below shows the spread of the malware:

Image: Kaspersky

Kaspersky's Sergey Golovanov also told Motherboard his employer had previously been asked not to detect law enforcement malware, but wouldn't say who approached the antivirus vendor. He said Kaspersky, which asked for more specifics, would never accept such a request.

Hacking Team did not respond to a request for comment by the time of publication.

There are many other companies that do similar things to Hacking Team, some of which might be doing a better job of staying under the radar. "What's interesting about these guys ['lawful interception' suppliers in general] is the widespread nature of their adoption by law enforcement in a lot of different countries. This is the democratisation of surveillance tools and this speaks to the militarisation of law enforcement," Marquis-Boire said.

The hope is that their software will be used to find genuine criminals, rather than activists exercising their freedom of expression.