On Twitter, it was billed as Qatif Today, a legitimate Android app that provides news and information in Arabic with a focus on the Qatif governorate of Saudi Arabia. But in fact, the shortened link came with a hidden extra—an advanced trojan wealthy nation states use to spy on criminal suspects and political dissidents.

Citizen Lab, the University of Toronto group that monitors government surveillance in the digital age, analyzed the recently discovered instance of the fake Qatif Today app in a blog post headlined Police Story: Hacking Team’s Government Surveillance Malware. The account provides a rare glimpse into malware developed by "Hacking Team," a highly secretive outfit based in Italy that charges governments top dollar for extremely stealthy spyware that's often referred to as a "lawful intercept" program.

The trojan is known as an Android implant because it cloaks itself inside a legitimate third-party app. People who are infected with it must first be tricked into obtaining the Android installation package (APK) from a non-authorized source, which in this case was a now-shuttered Dropbox location. Aside from that, victims may have little indication anything is amiss. To lend it legitimacy, the malicious APK was signed by a digital certificate that appeared to be related to Java and its original creator Sun Microsystems. Citizen Lab identified six other samples signed by the same certificate.
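The two warning signs in that paragraph, an APK installed from outside the store and a signing certificate that does not belong to the app's real publisher, are both checkable from a device. The following Python is an added example written for this article (it is not Citizen Lab's tooling). It parses the text of `adb shell pm list packages -i`, which lists each package with the package name of whatever installed it (`installer=null` when no store was involved), and compares signer certificate SHA-256 fingerprints an analyst has already collected (for instance with `apksigner verify --print-certs`) against pinned values for the genuine builds. The package names, fingerprints and the pinned values below are constructed placeholders, and treating only Google Play as a trusted installer is an assumption.

```python
"""Audit installed Android packages for sideloading and signer mismatch.

Added example for this article, not Citizen Lab's or Hacking Team's code.
Input 1: the text printed by `adb shell pm list packages -i`.
Input 2: signer fingerprints collected separately (e.g. apksigner output).
"""
import re

# Installers treated as authorized sources. Google Play only; a fleet with
# an enterprise or vendor store would add it here (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed `pm list packages -i` output; com.example.* names are made up.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.newsreader  installer=null
package:com.example.utility  installer=com.android.vending
"""

# Constructed signer fingerprints "observed" on the device ...
OBSERVED_SIGNERS = {
    "com.android.chrome": "11" * 32,
    "com.example.newsreader": "aa" * 32,
    "com.example.utility": "22" * 32,
}
# ... and the fingerprints pinned for the genuine builds (also constructed).
PINNED_SIGNERS = {
    "com.android.chrome": "11" * 32,
    "com.example.newsreader": "bb" * 32,
}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Return {package: installer_or_None} from `pm list packages -i` text.

    `installer=null` means the platform recorded no installing store, which
    is what a manually sideloaded APK looks like.
    """
    result = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a package line
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def audit(pm_text, observed, pinned, trusted=TRUSTED_INSTALLERS):
    """Return {package: [reasons]} for packages that deserve a closer look.

    Reasons: 'sideloaded' (no installer, or one not in the trusted set) and
    'signer-mismatch' (observed certificate differs from the pinned one).
    A package carrying both is the pattern the article describes: a copy of
    a real app obtained outside the store and signed by someone else.
    """
    findings = {}
    for pkg, installer in parse_pm_list(pm_text).items():
        reasons = []
        if installer is None or installer not in trusted:
            reasons.append("sideloaded")
        if (pkg in pinned and pkg in observed
                and observed[pkg].lower() != pinned[pkg].lower()):
            reasons.append("signer-mismatch")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PM_OUTPUT, OBSERVED_SIGNERS,
                              PINNED_SIGNERS).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

A package that is flagged only as sideloaded may be a legitimate manual install; the combination with a signer that differs from the pinned one is what should trigger a closer look, since a genuine publisher's update would be signed with the same key as the store copy.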

Once installed, the app establishes contact with command and control servers located at 91.109.17.189 and 106.186.17.60, which are addresses Citizen Lab has seen used in previous Hacking Team campaigns. The implant also attempts to break out of its Android-imposed security sandbox by exploiting a vulnerability in older Android versions on specific handsets that allows apps to gain unfettered root privileges.

The trojan next tries to access local files stored by a variety of social media, chat, and call apps including Facebook, Viber, WhatsApp, Skype, LINE, and QQ. The app has audio recording, camera, video, key logging, and "live mic" capabilities, as well as a "crisis" module that provides anti-analysis functionality. The researchers also found evidence of what appears to be location, screenshot-taking, and browsing activity modules. The implant even seems to have a filter to specify date ranges to narrow the mail and text messages it sends back to the control servers. (It's not clear what happens when the app runs on Android versions that have patched the rooting vulnerability.)

"We also see information about how the implant exfiltrates data, along with its C2 servers," Tuesday's post reported. "Interestingly, it appears that the implant is capable of monitoring the devices' connectivity (e.g. Wi-Fi, cellular network), choosing connection type, and rate limiting the bandwidth. Note that these are the same servers we observed in the implant’s network communications."
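An implant that picks its connection type and rate-limits its own bandwidth is designed to stay under volume-based alerting, so a defender wants two checks on a device's outbound flows: an exact match against the known control addresses, and a behavioral check for many small uploads at a steady cadence. The Python below is an added example written for this article, not Citizen Lab's or Hacking Team's code. The two C2 addresses are the ones the article reports; the flow records, the second destination 198.51.100.20 (which is on no indicator list) and the thresholds are constructed for the example.

```python
"""Triage outbound connection records from a mobile device.

Added example for this article, not Citizen Lab or Hacking Team code. It
flags (1) flows to the C2 addresses the article names and (2) destinations
receiving small, regularly spaced uploads, the trace a rate-limited
exfiltration channel tends to leave even when its address is unknown.
"""
from collections import defaultdict
from statistics import mean, pstdev

# C2 addresses reported in the article; the only page-sourced indicators here.
KNOWN_C2 = {"91.109.17.189", "106.186.17.60"}

# Constructed sample records, one flow per line:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 198.51.100.20 is a made-up destination that is NOT on any indicator list;
# 203.0.113.9 stands in for ordinary, irregular traffic.
SAMPLE_LOG = """\
1718000000 10.0.0.5 91.109.17.189 80 4120
1718000060 10.0.0.5 91.109.17.189 80 4098
1718000120 10.0.0.5 91.109.17.189 80 4133
1718000180 10.0.0.5 91.109.17.189 80 4087
1718000240 10.0.0.5 91.109.17.189 80 4101
1718000007 10.0.0.5 203.0.113.9 443 51200
1718001900 10.0.0.5 203.0.113.9 443 388
1718000011 10.0.0.5 198.51.100.20 443 2200
1718000071 10.0.0.5 198.51.100.20 443 2190
1718000131 10.0.0.5 198.51.100.20 443 2205
1718000191 10.0.0.5 198.51.100.20 443 2210
1718000251 10.0.0.5 198.51.100.20 443 2198
1718000311 10.0.0.5 198.51.100.20 443 2201
"""


def parse_records(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            records.append({"ts": int(ts), "src": src, "dst": dst,
                            "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def ioc_hits(records):
    """Destinations matching the known C2 list (exact-match detection)."""
    return sorted({r["dst"] for r in records if r["dst"] in KNOWN_C2})


def beacon_candidates(records, min_flows=5, max_bytes=8192, max_interval_cv=0.2):
    """Destinations receiving at least min_flows small uploads at a near-constant
    spacing. Regularity is measured as the coefficient of variation
    (stdev / mean) of the gaps between successive flows; a rate-limited
    channel keeps each flow small and the cadence steady, which is exactly
    what this catches and a bytes-per-hour threshold misses."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    found = {}
    for dst, flows in by_dst.items():
        if len(flows) < min_flows or any(f["bytes"] > max_bytes for f in flows):
            continue
        times = sorted(f["ts"] for f in flows)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; cadence cannot be judged
        cv = pstdev(gaps) / avg
        if cv <= max_interval_cv:
            found[dst] = {"flows": len(flows), "mean_gap_s": avg,
                          "total_bytes": sum(f["bytes"] for f in flows)}
    return found


def triage(text):
    """Run both checks over a log and return their results together."""
    records = parse_records(text)
    return {"ioc_hits": ioc_hits(records),
            "beacon_candidates": beacon_candidates(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("known C2 contacted:", result["ioc_hits"])
    for dst, stats in result["beacon_candidates"].items():
        print(f"steady small uploads to {dst}: {stats}")
```

On the sample data the indicator check only catches 91.109.17.189, while the cadence check additionally flags 198.51.100.20 and ignores the two irregular flows to 203.0.113.9. The thresholds are starting points; a device that syncs mail every minute will also look regular, so candidates need to be compared against the apps known to be installed before anyone acts on them.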

The Citizen Lab researchers provided an overview of the remote control system (RCS) architecture that works with Android trojans and trojans for other platforms. The architecture relies on a series of system administrators, technicians, and analysts to funnel information pulled off an infected device to the interested parties. Unverified screenshots an anonymous person provided to Citizen Lab show RCS works on computers running Windows, Mac OS X, or Linux.

It comes with a dazzling number of capabilities, including:

Network Injection: via injected malicious traffic in cooperation with an ISP

Tactical Network Injection: on LAN or Wi-Fi

Melted Application: bundling a Hacking Team dropper alongside a bait application

Installation Package: a mobile installer

Exploit: document-based exploit for mobile and desktop

Local Installation: mobile installation via USB or SD card

Offline Installation: create an ISO for a bootable SDHC, CD, or USB. This option includes the ability to infect hibernated and powered-off devices

QR Code: a mobile link that, when pictured, will infect the target

Applet Web: likely a malicious website (deprecated after v. 8.4)

Silent Installer: a desktop executable that will install the implant

Infected U3 USB: an auto-infecting U3 USB

WAP Push Message: the target will be infected if the user accepts the message (works on all mobile operating systems apart from iOS)

Citizen Lab researchers wrote:

The implant (“agent”) offers one-click functionality for requesting information from target devices. Technicians are encouraged to add functionality as needed.

In addition, a more advanced approach can be taken, allowing a sophisticated technician to determine a specific sequence of module activation upon infection, using a graphical flow model. This allows the user to define events that trigger particular actions, sub-actions, modules, and sequences. The documents provide an example of such a sequence:

Selection of available surveillance modules

Accessed files

Address Book

Applications used

Calendar

Contacts

Device Type

Files Accessed

Keylogging

Saved Passwords

Mouse Activity (intended to defeat virtual keyboards)

Record Calls and call data

Screenshots

Take Photographs with webcam

Record Chats

Copy Clipboard

Record Audio from Microphone (with additional voice and silence detection to conserve space)

Realtime audio surveillance (“live mic” module is only available for Windows Mobile)

Device Position

URLs Visited

Create conference calls (with a silent 3rd party)

Infect other devices (deprecated since v. 8.4)

Other Capabilities

Once an implant is operational its collection operations can be updated. In addition, files can be sent to and received from the device. In addition, implants have a default cap on “evidence” space of 1GB on the target device. Recording of new material stops when the space is reached. Operators also have the ability to delete not-yet-transmitted data on the device.

Programs such as RCS are marketed to governments as legitimate wares, but Citizen Lab points out that many countries have few legal guidelines and little oversight for the way they're used.

"In light of the absence of guidelines and oversight, together with its clandestine nature, this technology is uniquely vulnerable to misuse," the report warns. "By analyzing the tools and their proliferation at the hands of companies like Hacking Team and Gamma Group, we hope to support efforts to ensure that these tools are used in an accountable way, and not to violate basic principles of human rights and rule of law."