Last year, Facebook announced that WhatsApp users were vulnerable to an exploit that could hack into phones with just a few unanswered calls. The new exploit was likely part of Pegasus, a spyware suite developed by Tel Aviv-based NSO Group. According to WhatsApp and Citizen Lab, a research center at the University of Toronto, the company can take over phones and computers for highly paid government clients. The U.S. Department of Justice recently told Fast Company that it is aware of the exploit, but a representative for the agency would not comment on whether they are actively combating it.
NSO is perhaps the most notorious mobile spyware manufacturer, however they are just one of many shady companies offering smartphone malware that, while officially only targeting criminals or terrorists, are also used to monitor activists, lawyers and other members of civil society. A recent lawsuit alleges that Pegasus technology was used to track murdered Saudi dissident Jamal Khashogg. Dozens of spyware companies offer a range of smartphone surveillance, from video and audio recording to location and text monitoring, including from regimes with dubious human rights records. The technology has been used, for example, by mysterious elements in countries such as Bahrain and Ethiopia, who used the Remote Control System from Milan-based Hacking Team and FinFisher spy software from the U.K.-based Gamma Group, respectively, to target dissidents at home and abroad.
NSO has strongly denied any role in tracking Khashoggi. The company’s CEO Shalev Hulio, told Israeli newspaper Yedioth Ahronoth earlier this year that “Khashoggi was not tracked by any NSO product or technology.” In January, an NSO spokesman told Fast Company that the lawsuits were “nothing more than an empty PR stunt to continue the propaganda drumbeat against NSO’s work helping intelligence agencies to fight crime and terrorism around the globe.“
Other companies include Israeli firms Ability (a former NSO Group partner), Verint and Elbit Systems, which have customers around the world, according to the Surveillance Industry Index toolkit. In recent months, a new alliance of some public and unnamed companies has launched Intellexa. A consortium that hopes to challenge NSO Group and Verint in the burgeoning lawful intercept market. In late May, Senpai, a “consulting and R&D company” specializing in cyberintelligence and AI solutions joined Intellexa as its fourth official partner (five others are not publicly named) for its expertise in AI-based data analytics.
Of particular concern to civil society is the legal uncertainty surrounding these spyware tools. While security researchers like Citizen Lab continue to uncover cases of abuse and attorneys for affected individuals fight the battle in court, federal contracts for the sale and use of such mobile spyware tools continue with little to no oversight. The industry is a veritable Wild West of cyberweapons with no sheriffs to protect anyone with a smartphone.
Karsten Nohl, cryptographer and managing director at Security Research Labs, says legitimate interception tools have two dimensions: Is the smartphone an iPhone or not, and does the exploit require “help” from the phone’s user? For example, some exploits require users – despite warnings – to install a security update that downloads malware to their device. According to Nohl, the easiest exploits are those for Android phones, and the preferred exploits work over the Internet, while others work only on Wi-Fi. According to Nohl, NSO Group can hack most versions of the iPhone and many Android phones, and this is usually done remotely.
“The most difficult would be a remote exploit of an iPhone, and as far as I can tell, NSO Group has a monopoly most of the time,” Nohl says. “There’s no one who can promise continuous access to the iPhone without the users’ help.”
However, when it comes to issues of surveillance, governmental or commercial, we very often don’t know what we don’t know. Nohl says an iPhone exploit can cost a customer millions of dollars. An Android exploit, on the other hand, costs only hundreds of thousands of dollars. The iPhone ecosystem is clean, with only one software for a range of devices, which breeds highly specialized exploit research and development, hence the high market prices. The Android ecosystem is much more fragmented, requiring less effort to develop exploits for different manufacturers and phones, but more work to maintain exploits over time.
Apple has declined to comment publicly on the capabilities of NSO or other spyware vendors. In 2016, after a Citizen Lab investigation into Pegasus prompted Apple to release a security patch for iPhones, the company did not specify the reason or the culprit, nor did it contact human rights groups. That same year, Google and cybersecurity firm Lookout said they found traces of NSO spyware on “a few dozen” smartphones in 11 countries, mostly in Israel, Mexico, Georgia and Turkey.
There are cheaper options. Instead of attacking phones, Nohl said most spyware vendors offer SS7 spying, which exploits vulnerabilities in the cellular network. SS7, or Signaling System No. 7, is a protocol that allows different phone networks to communicate with each other. If an exploit gives hackers access to SS7, they can intercept smartphone users’ information such as voice calls, text messages, location information and other data. “Of course, your iPhone can be as strong as you want security-wise, but if the cellular network is leaking information, that’s beyond the control of the phone and Apple. Companies like Circles very actively advertise that they can track a phone’s location through SS7.”
Nohl assumes that every spyware vendor has access to SS7 networks. However, Nohl says Android exploits are becoming more sophisticated and new competitors are entering the market, putting these tools in the hands of a growing number of customers.
Ability a Tel Aviv based spyware company sells something called Ultimate Interception System (ULIN) which along with a tactical cellular interception system called IBIS (In-Between Interception System) allows Ability to intercept GSM, UMTS, LTE AND CDMA networks to spy on a target’s smartphone. Mexico spent $42 million on ULIN and other tools in 2016, but Ability also has customers in China, Singapore, Myanmar, the Czech Republic, Germany and other countries. The company’s website says customers include security and intelligence agencies, armed forces, law enforcement and homeland security agencies in more than 50 countries.
Verint which has offices in Melville, New York, Herzliya and Israel was close to buying NSO Group for $1 billion in 2018 before talks fell through. The company is best known for its security cameras and systems that allow businesses to monitor workplaces. Verint also sells sophisticated mass communications surveillance tools, including smartphone tracking software, to government and enterprise customers. Verint’s SkyLock technology, for example, can track the location of smartphone users by hacking the SS7 protocol. according to a confidential brochure obtained by 60 Minutes in 2016.
Like a number of well-known spyware companies, Verint has sold smartphone sniffing systems to governments with highly questionable human rights records, such as the United Arab Emirates (UAE), South Sudan, and Mexico.
An anonymous former Verint employee told Haaretz last year that Verint’s phone surveillance technology was used to monitor gay and transgender people in Azerbaijan.
To compete with competitors like the NSO Group and Verint Systems, a number of surveillance startups recently formed a consortium. Under the name Intellexa, this alliance aims to become “a one-stop-shop for all of our customers’ needs in the field of field intelligence” – the need is of course the monitoring of smart devices and other electronic devices.
The Intellexa alliance consists of the cyber intelligence companies Nexa Technologies (formerly Amesys), WiSpear and Cytrox. The “Lawful Intercept” solution from Nexa enables spying on voice and data in 2G, 3G and 4G networks. The company, headquartered in Paris and with offices in Dubai and the Czech Republic, also offers an Internet wiretapping product that allows users to perform IP probes to analyze networks with high data rates, or which, according to the website, use Wi-Fi sensors able to spot a target several miles away.
Nexa did not respond to email requests for comments regarding its system’s capabilities. However, John Scott-Railton – Senior Research at Citizen Lab says the company’s Wi-Fi sensors are likely a radio direction finding technology combined with standard Wi-Fi eavesdropping attacks.
Intellexa partner WiSpear is a newer entry into the offensive cyber weapons market. WiSpear was founded in Israel in 2017, but is based in Cyprus. The company sells a specially equipped van called the SpearHead, which is equipped with 24 antennas that can force a target’s phone or computer to connect to their Wi-Fi-based interceptor up to 1,640 feet away. After carrying out a “man-in-the-middle” attack, SpearHead can download four different types of malware on iOS and Android.
WiSpear Founder Tal Dilian, a veteran of the Israel Defense Forces, is also the founder of Circles, a cyber weapons company based in Cyprus and Bulgaria that merged with NSO Group when both companies were owned by Francisco Partners. Intellexa’s other public partner, Cytrox, is a European company that develops exploits that can target and penetrate a user’s smart devices. The company, which is currently in stealth mode according to its website, was acquired by WiSpear in 2018. Dilian announced prior to publication that there are five other non-public partners in Intellexa in addition to the three companies.
“Field intelligence teams must be prepared to face any challenge,” Dilian said in the February 16 Intellexa press release announcing the alliance. “They need to be able to reach hard-to-reach areas and successfully intercept any device. To do that, they need a versatile platform – portable, vehicle-mounted, or aerial – with a full range of features, depending on the the respective operating scenario.
Intellexa was created to do just that. Intellexa could not be reached for comment on its “airborne” spying capabilities. Scott-Railton says drones and other aircraft equipped with intercept technology would be beneficial to companies. “[Drones and aircraft] are actually the best way to go because you can get them through line-of-sight,” he says. “Ground-based systems have a much shorter range.”
Another, lesser-known spyware company is Rayzone, an Israeli company that offers location tracking and big data analysis services, as well as a “mobile trojan system” that it sells to governments and federal agencies. The Rayzone website mentions malware that customers can use to collect smartphone information such as files, photos, web browsing, email, location, Skype conversations and other data. The company also boasts that its malware can spy on SMS and other instant messaging services, including WhatsApp.
Many of the above spyware companies make their money on contracts overseas, often under the auspices of their governments’ export controls, but there are several companies with more domestic agendas. For example, in the United Arab Emirates, Dark Matter is a cybersecurity company that houses Project Raven, a team of secret agents some of whom have previously worked for US intelligence agencies such as the National Security Agency (NSA). Reuters reported in January that Raven employees have been using a cyber espionage platform called Karmas for the past few years, which can hack the iPhones of activists and political leaders, as well as suspected terrorists.
One of the Reuters sources Lori Stroud, who was formerly with the NSA contractor of Booz Allen Hamilton, learned in a briefing that Raven is the offensive, operational division of the NESA (National Electronic Security Authority, now called Signals Intelligence Agency) of the UAE, which complies with the NSA. While Raven used Karma to spy on regional rivals such as Qatar and Iran, the malware was also reportedly used to target UAE citizens who were openly critical of the monarchy.
Anonymous sources told the Intercept that Dark Matter staff discussed hacking the publication’s staff after reporter Jenna McLaughlin revealed in an Intercept story how Maryland-based computer security firm CyberPoint helped a team of American people Gathering spies and hacking tools for Project Raven.
Across the Mediterranean, the Italian company eSurv sells an Android spyware platform nicknamed “Exodus”. In March, researchers from the surveillance organization Security Without Borders said that between 2016 and early 2019 they found 25 malicious apps uploaded by eSurv to the Google Play Store, where they were disguised as mobile operator applications. “According to publicly available statistics and confirmation from Google, most of these apps garnered a few dozen installs each, with one case exceeding 350,” reported Security Without Borders.
Research by Security Without Borders revealed that Exodus are equipped with “extensive detection and interception functions” and that some modifications triggered by the spyware “could expose infected devices to further compromise or data manipulation”. Italian authorities opened an investigation into eSurv and a related company STM in the weeks leading up to the Security Without Borders report. As part of the investigation, prosecutors said they had shut down eSurv’s infrastructure.
In March, the New York Times reported that the lawful intercept spyware market was valued at $ 12 billion. London-based research firm Technavio, on the other hand, estimates the lawful intercept market at $1.3 billion and notes that an important driver for the market is an “increasing number of government initiatives … to increase the use of lawful interception” for is the regular monitoring and control of criminal, terrorist and other illegal activities via communication networks. ” With more spyware tools and government eavesdropping initiatives, the potential for abuse is very likely to increase, says Scott-Railton.
“That said, while the new entrants chase after investors, it’s pretty clear that a lot of investors are uncomfortable about the risks these companies are taking,” he says.
Novalina Capital, the private equity firm that recently acquired the NSO Group from Francisco Partners, has been championing Pegasus’ human rights record over the past few months. With NSO Group facing multiple lawsuits from alleged victims in Canada and Mexico, Novalpina has tried to calm investors’ nerves with a public relations campaign addressing human rights groups and pledging stricter internal oversight. NSO is “already relatively liberal about using its technology for what Europeans would consider human rights violations,” Nohl says.
In the meantime, the legal terrain surrounding the so-called “Lawful Intercept Tools” remains opaque and largely uncontrolled. As a group of lawyers and law students recently wrote on Just Security: “To this day, we have neither the national legal framework that regulates the sale and use of spyware, nor the self-regulation of the industry that can effectively prevent the abuse”.
David Kaye, the United States Special Rapporteur on Freedom of Expression, recently called for a moratorium on the sale of surveillance software. “It has been shown that the surveillance of certain people – often journalists, activists, oppositionists, critics and others exercising their right to freedom of expression – leads to arbitrary detention, sometimes torture and possibly extrajudicial killings,” he wrote in one Report to the UN Human Rights Council. “States should impose an immediate moratorium on the export, sale, transfer, use or service of privately developed surveillance instruments until a system of protection in line with human rights is in place.”
Nohl points out that completely legal activity in one country can be criminal in another, especially when it comes to espionage and prosecution. He says that many countries will feel perfectly justified in using mobile spyware technologies as tools of political repression because their laws actually grant them that power. And the companies will keep selling them arms.
While NSO and other Israeli suppliers are currently dominating the market, this may not always be the case. “The NSO Group is so phenomenally profitable that someone else has to break into this market,” says Nohl. “And the closest competitor could be a Russian, Chinese or even North Korean supplier, which may have even fewer problems with an even larger customer base.”
In 2019, we identified more than 20 government spyware apps disguised as harmless vanilla apps on the Google Play Store. These apps were only bait to install the government spyware Exodus on the targets’ phones. In a two-step process, they created lists of installed apps, browser history, contact lists of numerous apps, text messages – including encrypted texts – location data as well as app and Wi-Fi passwords. The malware was also able to activate cameras and microphones to record both audio and video, and to take screenshots of apps while they were in use. This spyware came from an Italian surveillance company called eSurv, and while it was good at hacking other people’s phones, it was bad at backing up its own data. The spyware opened a remote command shell on the infected phones, but did not use any encryption or authentication, so anyone on the same Wi-Fi network as the infected device could break in and hack it.
It was this shoddy security that led authorities to a startling discovery: As Bloomberg reported earlier this month, eSurv employees were allegedly spying on ignorant, innocent Italian citizens using the powerful surveillance technology.
Allegedly, they did this with great sensitivity: According to court documents viewed by Bloomberg, eSurv employees played secretly recorded phone calls in the office aloud. The company sold its spy software to law enforcement agencies, but eSurv allegedly also closed a deal with a company believed to be affiliated with the Mafia ‘Ndrangheta.
Uncover the sniffing apps
The man behind Exodus is the Italian developer Diego Fasano. After successfully developing an app that doctors can use to view medical records, a friend advised him to get into the surveillance business, where investigators are desperately looking for help breaking into the encrypted communications of messaging apps like WhatsApp and Signal. In 2014 he founded eSurv, which sells surveillance technology to police and intelligence agencies.
Here’s how it worked: with the help of Italian telecoms, the company enticed people to download a seemingly harmless app that would supposedly fix network errors on their phone. Fasano said that the police, in cooperation with the mobile networks, would shut down the target’s data service.
Next, they sent instructions to download an app over Wi-Fi to restore the service. The app was supposed to look like it was connected to telecom providers, with names like “Operator Italia”. The real purpose: to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages.
Fasano sold Exodus to prosecutors across the country, including the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna.
However, a security flaw led to Exodus’ undoing. According to authorities, a prosecutor’s office in the city of Benevento used Exodus in 2018 to hack into the phones of suspects in an investigation. In October, a technician noticed that the network connection kept dropping out.
After some investigation, the technician found that Exodus was not working from a secure internal server that only the Benevento prosecutor’s office had access to, as it was supposed to. Rather, it connected to a server that was accessible to anyone on the Internet and protected only by a username and password.
This meant that data collected covertly from suspects’ phones by Italian prosecutors as part of some of the country’s most sensitive investigations – of Mafia cases, terror cases and corruption cases – could be intercepted by hackers. This included thousands of photos, recordings of conversations, private messages and emails, videos and other files collected from hacked phones and computers – a total of about 80 terabytes of data, or about 40,000 hours of HD video, stored unencrypted. It turned out to be an Amazon Web Services server in Oregon. Authorities don’t know if that server was ever hacked.
Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, forwarding them overseas and failing to store secure “sensitive personal data of a judicial nature.”
Meanwhile, Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, unauthorized wiretapping, and unauthorized data processing. After being under house arrest for three months, they were released and are now awaiting the next phase of their legal proceedings, which will likely lead to a trial.
Further investigation revealed that some of eSurv’s 20 employees – who were dedicated to working on Exodus and called themselves “The Black Team” under Ansani’s leadership – used the spy software to target law-abiding Italian citizens who were never named as suspects in the investigation. Nonetheless, these citizens’ phones were tapped and their private conversations recorded, for reasons that authorities say are still unknown.
According to police documents, the Black Team spied on more than 230 people who were not allowed to be monitored by the police. Some of these people were referred to in eSurv’s internal files as “The Volunteers” – in other words, they may have been unwitting guinea pigs.
Investigators are still combing through the vast amount of data they seized from eSurv as they try to figure out the purpose of the illegal data collection. Was it for blackmail? For fun? For spying? For illegal surveillance on behalf of the mafia?
At this point, a prosecutor – Eugenio Facciolla, who is at the center of a corruption scandal – has been accused of falsifying documents to obstruct or mislead a police investigation into an illegal logging operation led by the ‘Ndrangheta, in which thousands of trees were cut down in some Italian national parks.
In November, the agency that handles prosecutor appointments said it was removing Facciolla from his Castrovillari office on the grounds that he had “abused his functions.” Facciolla is appealing the decision. Yes, he says, he supplied Exodus to other companies, but, says his lawyer, Vincenzo Ioppoli, the spyware is “like a weapon. Once you sell it, you don’t know how it will be used“.
Executives from “eSurv” were arrested in Italy in the wake of the Exodus spyware case.
Our answer to Exodus: simple yet powerful solution
Due to the firmware architecture, remote code execution is blocked by default. This way, no other apps (except the pre-installed ones) can be installed on the Stealth Phone, not even by the user. Moreover, we even blocked any app update, as we found out that spy apps can be pushed through malicious app update.
FinSpy is a field-proven remote monitoring solution that enables governments to address today’s challenges in monitoring mobile and security targets who regularly change location, use encrypted and anonymous communication channels, and reside abroad. FinSpy provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory and recordings of phone calls. All exfiltrated data is transferred to the attacker via SMS messages or over the Internet. Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. According to information on the official website, FinFisher offers a “strategic, wide-ranging wiretapping and monitoring solution”, among other tools and services. This software (also known as FinSpy) is used to collect a variety of private user information on different platforms.
Its implants for desktop devices were first described by Wikileaks in 2011 and mobile implants were discovered in 2012. Since then, XCell Technologies has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen individual mobile devices have been infected in the past year, with the most recent activity recorded in Myanmar in June 2019. In late 2018, XCell Technologies experts examined the functionally latest versions of FinSpy implants for iOS and Android, which were created in mid-2018. The mobile implants for iOS and Android have almost the same functionality. They are able to collect personal information such as contacts, SMS/MMS messages, emails, calendar, GPS location, photos, files in memory, phone call records and data from the most popular messengers.
The Android implant is able to gain root privileges on an unrooted device by abusing the DirtyCow exploit included in the spyware. FinSpy Android samples have been known for several years now. Based on the certificate data of the latest found version, the sample was deployed in June 2019. It is unlikely that the functionality of the Android implant will change significantly, as most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to customize the implant’s behavior for each victim. For example, operators can select preferred communication channels or automatically disable data transmissions while the victim is in roaming mode. All configuration data for an infected Android device (including the location of the control server) is embedded in the implant and subsequently used, but some of the parameters can be changed remotely by the operator. The configuration data is stored in a compressed format, split into a series of files in the “assets” directory of the implant apk. After all data is extracted and the configuration file is created, all configuration values can be retrieved. Each value in the configuration file is stored according to the little-endian value of its size, and the setting type is stored as a hash.
For example, the following interesting settings found in the configuration file of the implant’s developer build can be marked: mobile target ID, proxy IP address, proxy port, remote SMS phone number, unique identifier of the installed implant. As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, as well as via remote infection vectors: SMS messages, emails and WAP push. After successful installation, the implant attempts to gain root privileges by checking for the presence of the known root modules SuperSU and Magisk and executing them. If no utilities are present, the implant decrypts and executes the DirtyCow exploit located inside the malware. If successful in gaining root access, the implant registers a custom SELinux policy to gain full access to the device and maintain root access. If it has been using SuperSU, the implant changes the SuperSU settings to silence it, disables its expiration date and configures it to start automatically at boot time. It also deletes all possible logs, including SuperSU logs. The implant allows accessing information such as contacts, SMS/MMS messages, calendar, GPS location, pictures, files in memory and phone call recordings. All exfiltrated data is transmitted to the attacker via SMS messages or over the Internet (the location of the C2 server is stored in the configuration file). Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, making it easy to add new handlers as needed. The full hardcoded list of supported messengers is listed below:
com.bbm ……….BBM(BlackBerry Messenger)
com.facebook.orca ………. Facebook Messenger
jp.naver.line.android ……….Line Messenger
First, the implant checks whether the targeted messenger is installed on the device (using a hard-coded package name) and whether root access is granted. After that, the messenger’s database is prepared for data exfiltration. If necessary, it can be decrypted using the private key stored in its private directory, and all the required information can be easily retrieved:
FinSpy implants are controlled by the FinSpy agent (operator terminal). By default, all implants are connected to FinSpy anonymization proxies (also known as FinSpy relays) provided by the spyware vendor. This is done in order to hide the actual location of FinSpy Master. Once the infected target system appears online, it sends a heartbeat to the FinSpy proxy. The FinSpy Proxy forwards connections between target systems and a master server. The FinSpy master server manages all targets and agents and stores the data. Based on the decrypted configuration files, our experts were able to identify the different relays used by the victims and their geographical location. Most of the relays we found are concentrated in Europe, with some in Southeast Asia and the United States.
FinSpy mobile implants are advanced malicious spying tools with multiple functions. Various configuration options provided by the spyware vendor in its product allow FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant to a specific victim and conduct effective surveillance, exfiltrating sensitive data such as GPS location, contacts, calls, and other data from various instant messengers and the device itself. The Android implant has features to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that this spyware solution does not provide infection exploits for its clients, as its product seems to be tuned to remove traces of publicly available jailbreaking tools. This could mean physical access to the victim in cases where the devices are not already jailbroken. At the same time, several features are implemented that we have not yet observed in malware designed for this platform. Since the leak in 2014, FinSpy developers have rebuilt significant parts of their implants, expanded the supported features (for example, the list of supported instant messengers has been significantly expanded), and at the same time improved encryption and obfuscation (making it harder to analyze and detect the implants), which made it possible to maintain its position on the market. In total, the research discovered current versions of these implants being used in the wild in nearly 20 countries, although the total number could be higher. FinSpy developers are constantly working on updates for their malware. At the time of publication, XCell Technologies researchers have found another version of the threat and are currently investigating this case.
FinSpy bypasses 40 regularly tested antivirus apps. Therefore, there is no point in installing an antivirus. XCell Technologies has chosen another effective solution to bypass the installation of malware and malicious software. There is a FinSpy detection algorithm installed deep in the XROM firmware that not only detects any intrusion attempt, but also blocks any code execution. Local HTTP ports used by FinSpy were blocked: :8999 and :8899.
So XStealth users should not be afraid of government-grade surveillance software.
Pegasus is a spyware that can be installed on devices running certain versions of iOS, Apple’s mobile operating system, developed by the Israeli cyberarms company NSO Group. Android OS is less vulnerable than iOS when it comes to Pegasus (also known as Chrysaor for Android). If you click on a malicious link, Pegasus secretly activates a jailbreak on iOS devices and can read text messages, track calls, collect passwords, track phone location, and collect information from apps, including (but not limited to) iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype. Thus, Pegasus cannot install itself (like FinSpy Mobile): user interaction required.Pegasus for Android (Chrysaor) does not rely on zero-day vulnerabilities. Instead, it uses a well-known rooting method called Framaroot. On XROM (our proprietary firmware), we blocked the Framaroot executable and ports. This was easier than blocking FinSpy Mobile.
Don’t worry: Pegasus is not a threat to our Android Ultra Secure Stealth Phones, nor to other XCell Stealth Phones. The others running 100% proprietary firmware are also 100% immune: no apk files can be installed on feature phones.
What is ULIN actually?
We would say that ULIN (Ultimate Interception) is nothing more than a well-executed marketing campaign based on a very old interception method: SS7. Nothing new, nothing extraordinary compared to other SS7 interception solutions already on the market such as the older but powerful SkyTrack.
Verint another Israeli company, has already launched SkyJack and SkyLock in 2013, which are SS7 solution for interception and location tracking. At the time, there was no known SS7 exploit now being used by ULIN, so Verint had to install a so-called SS7 box in the core mobile network connected to the operator’s internal servers running HLR-VLR services. And Verint did that with the help of security and homeland security agencies around the globe that were interested in running such systems. And they did it well.
The new thing that ULIN brings is a new SS7 exploit that allows remote exploits without having an SS7 box installed on the mobile network core. The price is also an exceptional one, justifying the monetization of the new SS7 exploit: The ULIN system is currently available for $20 million and can identify calls, texts, and location from virtually any cell phone around the world.
As we mentioned earlier, Ability is not the only company targeting SS7 so aggressively. In fact, Ability neither developed the ULIN product itself nor owns the technology, but licenses it from an unnamed third party. The company invests in research and development for the system and is the only one that deploys the tool on its own infrastructure, but it has relied on another company for the core system. This other company is described in the SEC filings only as “a newly formed company with a short operating history and is still unknown in the industry.”
Last year, it was revealed that Circles Bulgaria and two other Israeli companies, Rayzone and CleverSig, were selling SS7 exploit packages, although there were few details about what exactly they were offering or for how much. ULIN was introduced back in 2015 as an interception solution that allows government agencies to intercept long-distance communications almost anywhere in the world. ULIN enables the lawful interception of voice calls, SMS messages and caller-related information from GSM / UMTS / LTE phones without the intercepted phone having to be nearby and without the consent of the mobile network operators, and requires only the phone number or IMSI of the mobile device. ULIN is a young product that may not yet be widely deployed. According to May’s findings document, Ability has sold only one ULIN product at the low end of the price scale so far, but they have “received inquiries from a number of existing and potential customers.” This first customer, which does not engage in cross-border exploitation but focuses on in-country targets, is being treated as a beta test.
How can this system achieve such extraordinary feats?
It actually exploits a flaw in Signaling System No. 7, or SS7, the international telecommunications standard that illustrates how information is exchanged over public switched telephone networks (PSTN) digital networks for cell phones.
SS7’s “signaling points” and the nodes that use out-of-band signaling to facilitate services such as call forwarding. A yet unknown third party is responsible for licensing this vulnerability to Ability and providing access or information about the SS7 flaw. Thus, intercepting any cell phone for law enforcement is easily possible by simply tapping the targeted phone. Like any other SS7 interception system, the ULIN system is based on vulnerabilities in the SS7 protocol, which was developed back in 1984 and has been updated very sparingly since then; the last update was in 1993! The vulnerability affects everyone as long as they use the cellular network. Even if a user turns off their location services on their phone, hackers can still view the network through network services. Governments around the globe knew about the vulnerability, but because of the benefits it represents to them, they chose not to close it. The world’s population is at risk of having their phone calls intercepted with a known vulnerability just because some intelligence agencies might get some data.
The bad news is that there is no single place to turn when it comes to SS7 security, because network operators are responsible for their own security, although some networks are more secure than others, none is indifferent to the attacks.
How does the SS7 bug work?
The hacker or law enforcement using an SS7 wiretap forwards all calls to an online recording device and then returns the call to the intended recipient, a so-called man-in-the-middle attack. In addition, a cell phone user’s movements can be tracked by other hacking tools. The victim’s location can be tracked through Google Maps. The SS7 flaw is actually an open secret among the world’s intelligence agencies. The crucial vulnerability lies in the mobile network itself.
Hydra is another SS7 monitoring and interception solution developed by HSS Development. It exploits the same SS7 protocol vulnerability as SkyTrack, Sky Lock and ULIN. Since we have cryptoTRACERⓇ installed on most of our XCell Stealth Phones, such an intrusion will trigger an alarm every time a phone call and SMS are intercepted, and every time a location tracking ping hits the Stealth Phone.
Although Ability claims that ULIN is the first global interception and tracking system, Verint, another Israeli company, launched its SS7 interception system back in 2013. At that time, there was no known SS7 exploit that is now being used by ULIN. Therefore, Verint had to install a so-called SS7 box in the core mobile network, connected to the operator’s internal servers running HLR-VLR services. And Verint did that with the help of security and homeland security agencies around the globe that were interested in running such systems. And they did it well.
The problems arise in 2015 when some governments found out that the same SkyLock surveillance system can be used against them by your enemies (other hostile governments and/or countries). Verint has sold SkyLock to any interested government without restrictions. However, Verint will not reveal the location of Israeli subscribers in Israel, nor of US subscribers at home or abroad. The same situation exists today with ULIN and other SS7-based interception systems.
In Verint’s current offering, SkyLock no longer exists, but continues to be sold and serviced by another former Verint company called Cognyte. Like a number of well-known spy companies, Verint has sold smartphone sniffing systems to governments with highly questionable human rights records, such as the United Arab Emirates (UAE), South Sudan and Mexico. An anonymous former Verint employee told Haaretz last year that Verint’s phone surveillance technology was used to monitor gay and transgender people in Azerbaijan.
Since we have cryptoTRACER® installed on most of our XCell Stealth Phones, such intrusion triggers alerts when a phone call and SMS are intercepted and every time a location tracking ping hits the Stealth Phone.
Since 2016 we have introduced cryptoTRACER® on most of our Stealth Phones which trigger Alerts when your phone calls and messages are intercepted using SS7 means. CryptoTRACER® is effective in ULIN interception detection because the system uses the same SS7 security vulnerability. In addition, location tracking pings from the ULIN system (portable or strategic) are sent over a cellular network, causing them to show up on XCell Stealth Phones as a received location tracking ping that is stored in a text file for further analysis.
For XCell Dynamic IMEI Stealth Phones (v1, v2, v3.1, v4, XCrypt and XCell Pro), there is a special kind of warning when the ULIN system collects call-related data (date, time, involved phone numbers (for conference calls) and related location data at the time of the call): The green lock icon on the top home screen will flicker red/green for approximately 20 seconds after you hang up the call, as this is the time ULIN needs to collect the above data. This advanced feature is used by ULIN to map the entire contact network of the target phone and is usually performed before starting the voice call listening process.
With XCell Basic v3, XStealth Lite and XStealth, the call screen remains on alert for about 20 seconds after the call ends, as if the call was still active. This is not an error or a malfunction of the Stealth Phone, but a direct result and proof of the ULIN system extracting call-related data not from your phone, but from the cellular network.