Malware infects computer, waits for mobile device to connect

Jun 25, 2014 07:35 GMT

Italian firm HackingTeam develops spying software for government agencies, called Remote Control System (RCS), that can be planted on iOS and Android devices.

RCS is initially downloaded onto the target's computer (Windows or Mac OS), where it begins its spying activities and waits for a mobile device to connect. The attack vector varies from social engineering ploys to exploits and spear-phishing.

According to security researchers at Kaspersky, once the iOS smartphone is connected to the computer and the iTunes synchronization process starts, RCS, also dubbed Galileo, begins the infection procedure for the mobile device.

In order to add the spying component to the iPhone, the Trojan attempts to surreptitiously jailbreak the device; the only visible sign of suspicious activity would be a restart of the phone.

A jailbreakable iOS version is among the prerequisites for RCS to conduct its spying activity on an iPhone, which means that the latest version remains unaffected for the moment. Kaspersky also says that the device must be unlocked with its passcode during the jailbreak.

The researchers say that the spying software has been crafted to be triggered under certain conditions that would not alarm the user.

As such, it acts only when Wi-Fi networks under the attacker's control are available and when a wall charger is connected. This greatly reduces the risk that the user notices any suspicious activity.

RCS can report the victim's current location, take photos, access short text messages, and spy on the activity of other apps installed on the device.

It appears that most of the control servers for RCS are based in the United States, Kazakhstan, Ecuador, the UK and Canada. However, this does not mean that agencies operating in these countries are necessarily the ones in control of the spyware.

In cooperation with Citizen Lab, Kaspersky found that most of the victims of RCS are activists and human rights advocates, as well as journalists and politicians; they also found that a school teacher in the UK was the owner of a monitored iPhone.

Kaspersky is aware of two other spying programs used by law enforcement agencies. One of them is the Trojan Bundestrojaner, used by agencies in Germany to track suspects on the Internet, while the other is FinSpy, used by agencies in different countries for both computers and mobile devices.

The security firm had suspected that RCS variants specifically designed for mobile devices were available in the wild, but confirmation came only recently, in research conducted in partnership with Morgan Marquis-Boire of Citizen Lab.

To minimize the risk of infection on iPhones, it is recommended to avoid jailbreaking the device and to update iOS to the latest version.