Hackers working for a surveillance company infected hundreds of people with several malicious Android apps that were hosted on the official Google Play Store for months, Motherboard has learned.

In the past, both government hackers and those working for criminal organizations have uploaded malicious apps to the Play Store. This new case once again highlights the limits of Google's filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years.

Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal.

"These apps would remain available on the Play Store for months and would eventually be re-uploaded."

The spyware apps were discovered and studied in a joint investigation by researchers from Security Without Borders, a non-profit that often investigates threats against dissidents and human rights defenders, and Motherboard. The researchers published a detailed, technical report of their findings on Friday.

"We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded," the researchers wrote.

Lukas Stefanko, a researcher at security firm ESET, who specializes in Android malware but was not involved in the Security Without Borders research, told Motherboard that it's alarming, but not surprising, that malware continues to make its way past the Google Play Store's filters.

"Malware in 2018 and even in 2019 has successfully penetrated Google Play's security mechanisms. Some improvements are necessary," Stefanko said in an online chat. "Google is not a security company, maybe they should focus more on that."

MEET EXODUS

In an apparent attempt to trick targets into installing them, the spyware apps were designed to look like harmless apps for receiving promotions and marketing offers from local Italian cellphone providers, or for improving the device's performance.

A screenshot of one of the malicious apps. (Image: Security Without Borders)

The researchers alerted Google earlier this year to the existence of the apps, which were then taken down. Google told the researchers and Motherboard that it found a total of 25 different versions of the spyware over the last two years, dating back to 2016. Google declined to share the exact number of victims, but said it was below 1,000, and that all of them were in Italy. The company would not provide more information about the targets.

The researchers are calling the malware Exodus, after the name of the command and control servers the apps connected to. A person who is familiar with the malware's development confirmed to Motherboard that this was the internal name of the malware.

Exodus was programmed to act in two stages. In the first stage, the spyware installs itself and only checks the phone number and its IMEI---the device's unique identifying number---presumably to check whether the phone was intended to be targeted. For that apparent purpose, the malware has a function called "CheckValidTarget."

But, in fact, the spyware does not appear to properly check, according to the researchers. This is important because there are currently some legally permissible uses of narrowly targeted malware---for example, with a court order, law enforcement can legally hack devices in many countries.

In a test done on a burner phone, the researchers saw that after running the check, the malware downloaded a ZIP file to install the actual malware, which hacks the phone and steals data from it.

"This suggests that the operators of the Command & Control are not enforcing a proper validation of the targets," Security Without Borders concluded in the report. "Additionally, during a period of several days, our infected test devices were never remotely disinfected by the operators."

Got a tip? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv. And you can reach Riccardo Coluccini securely on OTR chat at rcoluc@jabber.ccc.de, and riccardo.coluccini@vice.com.

At that point, the malware has access to most of the sensitive data on the infected phone, such as audio recordings of the phone's surroundings, phone calls, browsing history, calendar information, geolocation, Facebook Messenger logs, WhatsApp chats, and text messages, among other data, according to the researchers.

The spyware also opens up a port and a shell on the device, meaning it allows the operators to send commands to the infected phone. According to the researchers, this shell is not programmed to use encryption, and the port is open to anyone on the same Wi-Fi network as the target. This means that anyone in the vicinity could hack the infected device, according to the researchers.

"This inevitably leaves the device open not only for further compromise but for data tampering as well," the researchers wrote.
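The exposure the researchers describe, a shell bound to a port that any other host on the same Wi-Fi network can reach, is something a defender can look for from the device side. The following is an added example, not code from the Motherboard article or from the Security Without Borders report: it parses `netstat -tln`-style output and flags listening sockets that are bound to all interfaces rather than loopback. The netstat text is constructed sample input, port 27043 is an invented value rather than the port Exodus used, and the `EXPECTED_LISTENERS` allow-list is an assumption for the example.

```python
"""Spot listening sockets that anyone on the local network can reach.

Added example, not code from the Motherboard article or from the Security
Without Borders report. It shows one way a defender could notice the kind
of exposure the article describes: a service bound to all interfaces on a
phone, reachable by any other host on the same Wi-Fi. The netstat text
below is constructed sample input, not output captured from a real device;
port 27043 is an invented value, not the port Exodus used.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto host port")

# Addresses that only the device itself can reach.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Listening ports considered normal for the fleet. This set is an assumption
# for the example (adb over TCP on a developer phone); tune it per deployment.
EXPECTED_LISTENERS = {5555}

# Constructed sample in the layout of `netstat -tln` (Linux / Android toybox).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27043           0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 192.168.1.20:44312      93.184.216.34:443       ESTABLISHED
"""


def parse_listeners(netstat_text):
    """Return every TCP socket in LISTEN state as a Listener."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows carry proto, recv-q, send-q, local, foreign, state.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)  # ':::8080' -> ('::', '8080')
        listeners.append(Listener(fields[0], host, int(port)))
    return listeners


def reachable_from_lan(listener):
    """True when the socket is bound to something other than loopback."""
    return listener.host not in LOOPBACK


def exposed_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listeners reachable from the LAN that are not on the allow-list."""
    return [
        l for l in parse_listeners(netstat_text)
        if reachable_from_lan(l) and l.port not in expected
    ]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"unexpected LAN-reachable listener: {l.proto} {l.host}:{l.port}")
```

On the sample input the loopback-only Tor-style port 9050 and the allow-listed port 5555 are ignored, while 27043 on `0.0.0.0` and 8080 on `::` are reported. To use it on a real device, feed it the output of `netstat -tln` collected from the phone (for example over `adb shell`), assuming the device's netstat prints this column layout; an unexplained listener bound to all interfaces is worth treating as an incident, whatever put it there.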

A second, independent analysis by Trail of Bits, a New York-based cybersecurity company that looked into the malware for Motherboard, confirmed that the malware samples all connect to the servers of one company, that the IP addresses identified by Security Without Borders are all connected, and that the malware leaves the target device more vulnerable to hacking.

WHO IS BEHIND THE SPYWARE?

All the evidence collected by Security Without Borders in its investigation indicates the malware was developed by eSurv, an Italian company based in the southern city of Catanzaro, in the Calabria region.

The first hint that the authors of the malware were Italian came from two strings inside the malware code: "mundizza," and "RINO GATTUSO." Mundizza is a dialectal word from the southern region of Calabria that loosely translates to garbage. Rino Gattuso is a famous retired Italian footballer from Calabria.

The real smoking gun, however, is the command and control server used in several of the apps found on the Play Store to send the data back to the malware operators.

The server, according to the researchers, shares a TLS web encryption certificate with other servers that belong to eSurv's surveillance camera service, which is the company's main public business. Also, some of these servers identified by the researchers display eSurv's logo as the icon associated with the server's address, the icon you can see in your browser's tab, also known as favicon.

Other spyware samples communicate with a server belonging to eSurv, according to the researchers. Google confirmed the servers belong to eSurv. The Trail of Bits researcher who reviewed the technical report and the spyware confirmed that it's linked to eSurv.
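The infrastructure pivot described above, tying a command and control server to a company's public services because both present the same TLS certificate or serve the same favicon, is a routine threat-intelligence step. The following is an added example, not code from the Motherboard article, the Security Without Borders report or Trail of Bits: it clusters hosts by certificate fingerprint and by favicon hash so that shared infrastructure stands out. The host names (`c2.example`, `cameras.example`, `unrelated.example`), the certificate bytes and the favicon bytes are constructed placeholders, not eSurv's servers; `fetch_pem` uses the standard library's `ssl.get_server_certificate` and is only there for live use.

```python
"""Cluster hosts by shared TLS certificate and favicon.

Added example, not code from the Motherboard article, the Security Without
Borders report or Trail of Bits. It shows the kind of infrastructure pivot
the article describes: servers that present the same certificate, or serve
the same favicon, are likely run by the same operator. The host names and
certificate bytes below are constructed placeholders, not eSurv's servers.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def fetch_pem(host, port=443):
    """Retrieve a server's certificate as PEM (needs network; unused offline)."""
    return ssl.get_server_certificate((host, port))


def cert_fingerprint(pem):
    """SHA-256 fingerprint of the DER certificate, in OpenSSL's colon style."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def favicon_hash(icon_bytes):
    """SHA-256 of the favicon bytes; any stable digest works for grouping."""
    return hashlib.sha256(icon_bytes).hexdigest()


def cluster(keyed):
    """Group hosts that map to the same key and drop singletons.

    `keyed` maps host -> fingerprint (or favicon hash). The result maps each
    shared key to the sorted list of hosts presenting it.
    """
    groups = defaultdict(list)
    for host, key in keyed.items():
        groups[key].append(host)
    return {k: sorted(hosts) for k, hosts in groups.items() if len(hosts) > 1}


def cluster_by_cert(pems):
    """pems: host -> PEM string. Returns hosts sharing a certificate."""
    return cluster({host: cert_fingerprint(pem) for host, pem in pems.items()})


def cluster_by_favicon(icons):
    """icons: host -> favicon bytes. Returns hosts sharing an icon."""
    return cluster({host: favicon_hash(icon) for host, icon in icons.items()})


# --- constructed sample data (placeholders, not real certificates) ----------
def _fake_pem(der):
    """Wrap arbitrary bytes in a PEM envelope; enough for fingerprinting."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SHARED_DER = b"placeholder-certificate-shared-by-two-hosts"
OTHER_DER = b"placeholder-certificate-for-an-unrelated-host"

SAMPLE_CERTS = {
    "c2.example": _fake_pem(SHARED_DER),       # placeholder for a C&C host
    "cameras.example": _fake_pem(SHARED_DER),  # placeholder for a camera portal
    "unrelated.example": _fake_pem(OTHER_DER),
}

SAMPLE_FAVICONS = {
    "c2.example": b"\x89PNG-placeholder-logo",
    "cameras.example": b"\x89PNG-placeholder-logo",
    "unrelated.example": b"\x89PNG-different-icon",
}


if __name__ == "__main__":
    print("shared certificates:", cluster_by_cert(SAMPLE_CERTS))
    print("shared favicons:", cluster_by_favicon(SAMPLE_FAVICONS))
```

With the constructed data, the C&C placeholder and the camera-portal placeholder land in the same certificate group and the same favicon group, while the unrelated host is dropped as a singleton. In practice the fingerprint and favicon hash are also the values to search in passive-scan datasets to find further hosts run by the same operator; a shared certificate is strong evidence of shared control, a shared favicon weaker, since anyone can copy a logo.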

A sample of eSurv's command and control servers. (Image: Security Without Borders)

Finally, an eSurv employee explained in a resume publicly available through his LinkedIn page that as part of his job at the company, he developed "an 'agent' application to gather data from Android devices and send it to a C&C server"---a technical, albeit clear, reference to Android spyware.

Motherboard reached out to the developer, who declined to comment, arguing that the answer would be "confidential information. I don't think I can say anything about this ;)"

We reached out to eSurv multiple times via email and LinkedIn. Initially, an employee of the company claimed to be surprised and shocked by our findings, given that eSurv only sells video surveillance, she said. A few hours after our phone call, the company took down its site for a couple of weeks.

After we followed up and asked for clarification, the company declined to comment.

eSurv appears to have an ongoing relationship with Italian law enforcement, though Security Without Borders was unable to confirm whether the malicious apps were developed for government customers.

eSurv won an Italian government State Police tender for the development of a "passive and active interception system," according to a document published online in compliance with the Italian government spending transparency law. The document reveals that eSurv received a payment of € 307,439.90 on November 6, 2017.

We filed a freedom of information request to obtain information on the tender, the list of companies that participated, the technical offer sent by the company, and the invoices issued by eSurv. Our request, however, was rejected. The Anti-Drug Police Directorate, an agency within the State Police which responded to the request, said it could not respond with the documents because the surveillance system was obtained with "special security measures."

Over the last few months, several sources with knowledge of Italy's spyware market told Motherboard that a new company from Calabria was getting several contracts to develop surveillance software with law enforcement and government agencies. Some of those sources specifically named eSurv as that new company that was taking the local market by storm.

Finally, a source close to eSurv, who asked to remain anonymous because he was not authorized to speak to the press, said that the company sells malware to the Italian police.

"They publish [the spyware] on the Play Store and then induce the person to download it and open it," the source said in an online chat.

IS THIS ALL LEGAL?

Using spyware with warrants or a judge's authorization is, generally speaking, legal in most countries in Europe, as well as the United States. In this case, however, eSurv's spyware may not be operating according to the law, experts told Motherboard.

"I don't think there are reasons to believe this spyware is legal," Giuseppe Vaciago, an Italian lawyer who specializes in criminal law and surveillance, told Motherboard after reviewing the report by Security Without Borders.

Vaciago explained that spyware acting according to Italian law should not install itself on any target without first validating that the target is legitimate, something Exodus does not properly do, according to the researchers.

Moreover, Vaciago explained that Italian law effectively equates spyware with physical surveillance devices, such as old school hidden microphones and cameras, limiting its uses to capturing audio and video.

"This software, on the other hand, is able to do, and effectively appears to have done, much more invasive activities than those prescribed by the law," Vaciago told Motherboard in an email.

"Opening up security holes and leaving them available to anyone is crazy and senseless, even before being illegal."

The fact that the malware leaves the device vulnerable to other hackers is perhaps the worst element of Exodus, according to a police agent who has experience using spyware during investigations, and who asked to remain anonymous because he's not allowed to speak to the press.

"This, from the point of view of legal surveillance, is insane," the agent told Motherboard. "Opening up security holes and leaving them available to anyone is crazy and senseless, even before being illegal."

At the end of 2017, Italy introduced a law regulating the use of spyware for law enforcement activities and investigations---the law only regulates the use of spyware to record audio remotely, leaving out all the other features that surveillance software can have, such as intercepting text messages, or taking screenshots of the screen. In May 2018, the Ministry of Justice published technical requirements that must be respected in the development and use of spyware by law enforcement agencies.

In an opinion issued by the Italian Data Protection Authority in April of last year, the authority criticized the requirements for being too vague when it came to describing the interception system's components, and it emphasized that authorities need to ensure that installing the spyware on a target does not reduce the overall security of the infected device.

"This is in order to prevent the device from being compromised by third parties, avoiding negative consequences on the protection of personal data contained therein as well as on investigative activities," the authority wrote.

Apps that offer promotions and marketing offers from local telecommunication providers are a front that has been used by Italian government malware before. In fact, Italian telecommunication companies can be forced by the government to send text messages to facilitate malware injection on suspects' devices, as previously reported by Motherboard Italy.

Details of this activity were found in a hearing of the Company Security Governance of the Italian cellphone provider Wind Tre Spa, held in March of 2017 by the Parliamentary Committee for the Security of the Republic (COPASIR)---a committee that supervises the activity of the intelligence services.

According to the document, which summarizes the hearings, when it comes to the use of spyware for investigations, the telecommunication operators are consulted to facilitate the infection of third party devices with the malware. These operations "consist mainly in expanding the bandwidth and sending messages to request certain maintenance activities," the document reads. These activities may be included in what are called "mandatory justice services" for telecommunication operators, services that are detailed in a specific price list by the Ministry of Justice: ranging from 15 Euros for wiretaps and internet communication flow, to 110 Euros for "assistance and feasibility studies."

At the time of publication, the Italian State Police had not responded to multiple requests for comment on the technology subject to their tender, nor had they replied to questions on the use of this spyware. Questions to two Italian Public Prosecutor's Offices went unanswered as well.

The police agent agreed that eSurv's spyware lacked the right scope and safeguards to ensure it wouldn't hit people who were not under investigation.

"You can't do something indiscriminate," the police agent told Motherboard. "Putting something on the Play Store thinking you're going to infect an undetermined number of people, and do trawling is something absolutely illegal."

The source close to eSurv confirmed that, at times, the apps ended up on the wrong phones, as "oblivious people," the source said, "unknowingly downloaded the app and infected themselves."

Instead of doing anything to stop that, however, the company used the victims as "guinea pigs."
