Egypt Used Google Play In Spy Campaign Targeting Its Own Citizens (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hackers with likely ties to Egypt's government used Google's official Play Store to distribute spyware in a campaign that targeted journalists, lawyers, and opposition politicians in that country, researchers from Check Point Technologies have found. The app, called IndexY, posed as a means for looking up details about phone numbers. It claimed to tap into a database of more than 160 million Arabic numbers. One of the permissions it required was access to a user's call history and contacts. Despite the sensitivity of that data, those permissions were understandable, given the app's focus on phone numbers. It had about 5,000 installations before Google removed it from Play in August. Check Point doesn't know when IndexY first became available in Play.
Behind the scenes, IndexY logged whether each call was incoming, outgoing, or missed as well as its date and duration. Publicly accessible files left on indexy[.]org, a domain hardcoded into the app, showed not only that the data was collected but that the developers actively analyzed and inspected that information. Analysis included the number of users per country, call-log details, and lists of calls made from one country to another. IndexY was one piece of a broad and far-ranging surveillance campaign that was first documented in March by Amnesty International. It targeted people who played adversarial roles to Egypt's government and prompted warnings from Google to some of those targeted that "government-backed attackers are trying to steal your password." Check Point found that, at the same time, Google was playing a key supporting role in the campaign. According to Lotem Finkelshtein, Check Point's threat intelligence group manager, one of the ways the attackers evaded Google vetting of the app was that the analysis and inspection of the data happened on the attacker-designated server and not on an infected phone itself. "Google couldn't see the info that was collected," he said.
IndexY was one of at least three pieces of Android malware that Check Point tied to the campaign. "A different app purported to increase the volume of devices, even though it had no such capability," reports Ars Technica. "Called iLoud 200%, it collected location data as soon as it was started. In the event it stopped running, iLoud was able to restart itself. Finkelshtein said that that app was distributed on third-party sites and was installed an unknown number of times." v1.apk was another app that communicated with the domain drivebackup[.]co and appeared to be in an early testing phase.
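The story's core defensive lesson is a permission mismatch: a number-lookup app has no need for the user's whole call history or address book, and the hardcoded server domain is a second review point. The following static triage script is an added example, not code from Check Point or Ars Technica; the manifest and string blob it inspects are constructed, and the `example.net` host is a placeholder.

```python
"""Static triage of an Android app's requested permissions against its stated
purpose, plus extraction of hardcoded hosts for analyst review.
Added example for this page; the sample manifest below is constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names whose grant should be justified by the app's purpose.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "full call history (type, time, duration)",
    "android.permission.READ_CONTACTS": "entire address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can relaunch itself after reboot",
}

# Constructed manifest mimicking a "phone number lookup" app that over-requests.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lookup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml: str) -> list[str]:
    """List every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def triage(manifest_xml: str, purpose_needs: set[str]) -> dict[str, str]:
    """Return sensitive permissions the app requests but its declared purpose
    does not require, each mapped to a plain-language description of the exposure."""
    return {
        perm: SENSITIVE[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in purpose_needs
    }

def hardcoded_hosts(strings_blob: str) -> set[str]:
    """Pull host names out of decoded string tables so a reviewer can check where
    collected data would be sent (the report's indexy[.]org was found this way)."""
    return set(re.findall(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", strings_blob))

if __name__ == "__main__":
    # A lookup service needs network access and the queried number, nothing more.
    print(triage(SAMPLE_MANIFEST, {"android.permission.INTERNET"}))
    print(hardcoded_hosts('base = "https://lookup.example.net/api/v1"'))
```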
Hmmmm... (Score:2)
...the mobile phone providers also already have that information (as does probably Google and anyone else who buys the data). It seems unlikely you would bother creating an app to do that if you were the government.
Re: (Score:2)
Well, in a democratic country, it might be pretty hard for a government to justify siphoning that kind of information, especially when dealing with journalists.
Of course, since such a utopian society doesn't exist, you're right.
Re: (Score:2)
But according to these guys the government specifically funded an app, put it on the Play Store, somehow "targeted" the people they wanted to monitor (how?) so they installed it. It seems unlikely they would bother with doing all that. If you want to target certain people you just install hidden spyware, or just get all the data from the mobile provider/Google/Apple/data broker/etc. Sounds more like "Check Point" wanted to make a name for themselves.
Re: (Score:2)
That's hacking, which can be hard. Just developing a simple app that lies and gathers data is much easier.
And reporters might be very interested in a phone number lookup app, especially if you push advertising into their circles.
Re: Hmmmm... (Score:2)
On Android you can create a local contact and use it with Signal. There's nothing to subpoena there.
Re: (Score:2)
True nuff. Unless Android is sending the data out itself. You never know with Android. It isn't truly open source.
What? To whom? (Score:3)
"One of the permissions it required was access to a user's call history and contacts. Despite the sensitivity of that data, those permissions were understandable, given the app's focus on phone numbers."
That only seems reasonable if you're a dumbass. Granted, most users are. But a legitimate app performing the purported task only needs your name and phone number to provide your relevant information back to the database.
Re: (Score:2)
Sorry to say it, but.... (Score:4, Informative)
"Egypt Used Google Play In Spy Campaign Targeting Its Own Citizens"
Sorry to say it, but I wouldn't be the least bit surprised if the next headline was, "US Government Used Google Play In Spy Campaign Targeting Its Own Citizens".
Be honest- would you be surprised to find out something similar was going on in the US?
Egypt targets journalists, lawyers, politicians? (Score:3, Informative)
The NSA’s Hidden Spy Hubs in Eight U.S. Cities [theintercept.com]