GOVERNMENT SPYWARE was found lurking on the Google Play Store masquerading as harmless apps waiting to suck up data.
Dubbed 'Exodus', the malware was discovered through a joint investigation carried out by Security Without Borders and Motherboard. The probe found the malware was produced by surveillance company eSurv and contains Italian text in its code; Italy happens to be the nation where eSurv is located.
"According to public records it appears that eSurv began to also develop intrusion software in 2016," the report explained.
"Exodus is equipped with extensive collection and interception capabilities. Worryingly, some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering."
The latter part of that is particularly noteworthy, as there's no encryption or authentication applied to the data being harvested and pushed back to the C&C server.
As such, data pilfered by Exodus' snooping could end up being spied on by other third parties, especially on a public network. Essentially, the security-breaching malware has bad security itself; go figure.
The malware has a two-stage approach to its malicious ways. First, it waits to be downloaded by an unsuspecting victim, and once that happens it harvests basic identifying information about the device it has infected, such as the IMEI code and phone number. That info is sent on to the C&C server to validate the infected device.
After that, stage two gets cracking and all manner of nasty stuff could be deployed, including a modified version of DirtyCow, which in that case attempts to jailbreak (root) the infected device.
Exodus in its second stage can hoover up data ranging from a list of installed apps and the victim's address book to phone calls and pictures. So in short, Exodus seems to be a pretty comprehensive bit of spyware.
The government bit comes into play as Motherboard heard that eSurv had sold the spyware to the Italian government.
The use of government spyware is a pretty grey area; a court order, for example, can grant police the authority to hack a person's phone. But in the case of Exodus, a borked function meant it was effectively snooping on people it shouldn't be.
Exodus has a function called "CheckValidTarget", which we can assume is designed to ensure the infected device is one that's meant to be snooped on by law enforcement. Problem is, the investigation found that it failed to carry out those checks and would have meant the spyware digitally gawked at people it had no right to and was, therefore, acting illegally.
Italian prosecutors are now reportedly looking into eSurv and have seized computers and shut down the infrastructure supporting the spyware.
Google also moved to strip the Exodus apps from its Play Store, and noted that not many of the apps had more than a few dozen installs apiece, though one app exceeded 350 downloads; hardly a rampant infection.
But this still raises the question about law enforcement using malware, especially when the apps have flaws that may have resulted in unlawful spying. Furthermore, in this case, the data collected ran the risk of being tampered with, meaning Italian rozzers could have collected data that wasn't even accurate.
The whole thing is a bit of a mess and also highlights that there's still some work to do on Google's side to keep spyware-ridden apps at bay. µ