8/17/14, 11:50 AM Hacking Team’s Tradecraft and Android Implant Page 1 of 27 https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/

Police Story: Hacking Team’s Government Surveillance Malware

June 24, 2014
Categories: Media, Reports and Briefings, Research News
Authors: Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola

For media coverage of this report, see The Economist, Associated Press, Wired, VICE, International Business Times, Forbes, Ars Technica, Kaspersky’s Threatpost, Slash Gear, Engadget, Help Net Security, The Verge, CIO Today, Voice of America (VOA), Computer World, Infosecurity Magazine, and Slate.

Read the Arabic Version / العربية النسخة translated by Cyber Arabs

The left newspapers might whine a bit
But the guys at the station they don’t give a shit
Dispatch calls “Are you doin’ something wicked?”
“No siree, Jack, we’re just givin’ tickets”
Police Truck, Dead Kennedys (1980)

Summary

In Part 1, we analyze a newly discovered Android implant that we attribute to Hacking Team and highlight the political subtext of the bait content and attack context.

In Part 2, we expose the functionality and architecture of Hacking Team’s Remote Control System (RCS) and operator tradecraft in never-before published detail.

Introduction

This report analyzes Hacking Team’s Android implant, and uses new documents to illustrate how their Remote Control System (RCS) interception product works. This work builds on our previous research into the technologies and companies behind “lawful interception” malware. This technology is marketed as filling a gap between passive interception (such as network monitoring) and physical searches. In essence, it is malware sold to governments. Unlike phone monitoring and physical searches, however, most