Spyware Demo Shows how Spies Hack Mobiles

Uploaded on 2015-08-07 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

_84665771_rcs1.jpg

The tool can record audio from a phone's microphone, even when the device is locked

Intelligence agencies' secretive techniques for spying on mobile phones are seldom made public, but a UK security firm has shown the BBC how one tool, sold around the world to spooks, actually works.

It allows spies to take secret pictures with a phone's camera and record conversations with the microphone, without the phone owner knowing.

Hacking Team's software was recently stolen from the company by hackers and published on the web. When Joe Greenwood, of cybersecurity firm 4Armed, saw that source code for the programme had been dumped online by hackers, he couldn't resist experimenting with it. Although he had to fiddle with the code to make it work, it only took a day before he had it up and running.

The software consists of the surveillance console, which displays data retrieved from a hacked device, and malware planted on the target device itself. 4Armed was careful to note that using it to spy on someone without their consent would be against the law.

After testing the software on his own PC, Mr Greenwood soon realised the scope of its capabilities. "You can download files, record microphones, webcam images, websites visited, see what programmes are running, intercept Skype calls," he told the BBC.

The software even has some in-built features to track Bitcoin payments, which can be difficult to associate with individuals without additional data about when and how transactions were performed.

In a live demonstration of the system, Mr Greenwood showed how an infected phone could be made to record audio from the microphone, even when the device was locked, and use the phone's camera without its owner knowing.

"We can actually take photos without them realising. So the camera in the background is running, taking photos every number of seconds," explained Mr Greenwood.

It was also possible to listen in on phone calls, access the list of contacts stored on the device and track what websites the phone user was visiting.
 
The tool can record audio from a phone's microphone, even when the device is locked

Both Mr Greenwood and 4Armed's technical director, Marc Wickenden, said they were surprised by the sleekness of the interface.

Both point out, though, that customers could be paying upwards of £1m for the software and would expect it to be user-friendly, especially if it was intended for use by law enforcers on the beat.

For the tracked user, though, there are very few ways of finding out that they are being watched. One red flag, according to Mr Greenwood, is a sudden spike in network data usage, indicating that information is being sent somewhere in the background. Experienced spies, however, would be careful to minimise this in order to remain incognito.

At present, spy software like this is only likely to be secretly deployed on the phones and computers of people who are key targets for an intelligence agency.

The version of the spyware distributed online is now likely to be more easily detected by anti-virus programs because companies analysing the source code are in the process of updating their systems to recognise it.
Security expert Graham Cluley said it should be as easy to detect as malware.

"The danger will be that malicious hackers could take that code and augment it or change it so it no longer looks like Hacking Team's versions, which might avoid detection," he added. The best course of action, said Mr Cluley, is to keep operating systems and software as up to date as possible.
BBC: http://bbc.in/1MMT96S

« Cyber Wars Are Good For Tech Businesses
Internet of Things Unlocks Revenue Opportunities »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ObjectSecurity

ObjectSecurity

ObjectSecurity is a leader in authorization policy automation. With OpenPMF, you can manage application security policies for access control and auditing.

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

Tempest

Tempest

TEMPEST is a leading provider of IT products and services including solutions for network and application security.

CYQUEO

CYQUEO

CYQUEO is your professional partner and system integrator. We secure your organization against advanced cyber threats.

CPP Group UK

CPP Group UK

CPP Group UK develops products to help insurers add further value to their products and services through its innovative suite of new products in FinTech, InsurTech and cyber security.

Huntress Labs

Huntress Labs

Huntress provides managed threat detection and response services to uncover and address malicious footholds that slip past your preventive defenses.

Adyta

Adyta

Adyta specializes in cybersecurity solutions adapted to the needs of sovereign institutions, business groups and other organizations that handle information and sensitive or classified data.

Cyber Intelligence 4U

Cyber Intelligence 4U

Cyber Intelligence 4U is an educational services company that provides two levels of cybersecurity training programs: executive and technical.

Robert Walters

Robert Walters

Robert Walters is one of the world's leading global specialist professional recruitment and recruitment process outsourcing consultancies.

Hunton Andrews Kurth

Hunton Andrews Kurth

Hunton Andrews Kurth LLP serves clients across a broad range of complex transactional, litigation and regulatory matters. Practice areas include Privacy and Cybersecurity.

Veratad Technologies

Veratad Technologies

Veratad Technologies, LLC is a world class provider of online/real-time Identity Verification, Age Verification, Fraud Prevention and Compliance Solutions.

Nagios

Nagios

Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure.

Siren

Siren

Siren provides the leading Investigative Intelligence Platform to some of the world’s leading Law Enforcement, National Security and Cyber threat investigators.

Binarii Labs

Binarii Labs

Binarii are focused on helping enterprises to design and deploy SaaS solutions that utilise DLT (Digital Ledger Technology) effectively, efficiently and sensibly.

CardinalOps

CardinalOps

The CardinalOps platform continuously assesses your detection posture and eliminates coverage gaps in your existing detection stack so you can easily implement a threat-informed defense.

Arcfield

Arcfield

Arcfield protects the nation and its allies through innovations in systems engineering and integration, space and mission launch assurance, cybersecurity, and missile support.