Killer Mobile: Tracking American Android And iOS Spyware In Russia

Tracer is a form of iOS and Android spyware sold by Las Vegas-based company Killer Mobile.

I’ve been able to track the spread of Killer’s malware in a number of ways after first detailing some of its business here: https://www.forbes.com/sites/thomasbrewster/2017/02/16/government-iphone-android-spyware-is-the-same-as-seedy-spouseware/

This post is a dump of the stuff I couldn’t ram in the latest Forbes story tracking the rather large spread of Killer’s gear, which focuses on the connection between the American firm and a Russian malware dealer that has links to the cybercriminal underground. See below for malware samples, an epic number of control panels that appear to manage Killer tools, and the technical leads that unravelled an unparalleled spread of American-owned iPhone and Android malware.

Hopefully this will spur on further research into these malware dealers and others, shining a light on a market that the likes of Citizen Lab deem out of control…

The iPhone Trojan

Let’s start with a domain registered by Killer Mobile CEO Joshua Alner: greetingsunwired.com. This domain was used in the demo of the Tracer malware that Wolf Intelligence gave me in August 2016, when it was pitching Killer’s tools. Wolf is an Indian spyware dealer with a very interesting past.

That domain was mentioned by Alner in his attempt to win business from Hacking Team back in 2014: https://wikileaks.org/hackingteam/emails/emailid/495916. Alner is named in the Whois record for the IP address hosting greetingsunwired.com, which sits with German provider Hetzner.

We can track greetingsunwired.com to a Russian provider of spyware, also for consumers and govt, called OpenGSM. A manual for OpenGSM’s iOS non-jailbreak surveillance tool names the greetingsunwired.com domain in its installation guide: https://www.opengsm.ru/downloads/manual_prox_nojb_iphone.pdf (this is no longer available, but I downloaded it and you can view it here. You can also still view Tracer’s 2014 manual for its older, jailbreak-required iPhone malware in web archives. It looks like they started trying to scrub all traces of their tools shortly after I sent [ultimately unreturned] requests for comment).

The malware uses Apple enterprise (in-house distribution) certificates to install without the need for a jailbreak: an app signed under an enterprise provisioning profile can be installed on any device, not just those registered with Apple. In this case, the certificate was registered by a firm called Interneo (see pages 5 and 7 of the manual), which has done plenty of interesting work for OpenGSM, setting up a load of its domains and, as you’ll see in the Forbes article, is linked to spamming services.

What does OpenGSM do? Much the same as Killer: selling Android and iOS spy tools to law enforcement and consumers. As I note in the Forbes story, it has some special services for cops and has links to cybercriminal forums in Russia…

OpenGSM may still be using Tracer. Compare the web panels hosted by Killer and OpenGSM, which look very similar: https://killermobilesoftware.com/central/auth/login

https://opengsm.su/central/auth/login

Android — we have samples!

We weren’t able to gather any Killer iOS samples resold in Russia. Sad face. But there was an Android sample hosted on OpenGSM sites that’s clearly Killer’s (just look at the file details in the VirusTotal report):

https://www.virustotal.com/en/file/caf2ff7e15b8ffc4a0d205f5eb6b543784590e5691ccbed6ec1bbbd55c8de03f/analysis/

That malware was disseminated from: http://www.opengsm.ru/downloads/po/prox.apk

And this Bitly link shows its distribution (appending “+” to a Bitly short link opens its public click statistics page): https://bitly.com/10nn9Nf+

There was another non-Killer Android sample hosted on an OpenGSM site too, found by Morgan Marquis-Boire, director of security at First Look Media, publisher of The Intercept:

https://www.virustotal.com/en/file/f9008937440ea387d3455c7f82e1751c31135a68a2db67d7ef3d0778cd9ec960/analysis/

Disseminated from: http://azxc.ru/r.apk, http://www.opengsm.ru/downloads/po/1.apk

Bitly link showing distribution: https://bitly.com/YtRx50+

Bitly link intrigue…

Those Bitly links give some indication as to where victims of the OpenGSM-sold tools were located. This link — https://bitly.com/YtRx50+ — shows hits mostly in April 2015 from Russia. But there are 14 hits from the US too. Remember this isn’t Killer gear, but it still indicates a Russian cellphone surveillance supplier was selling tools that were deployed in America…

As for https://bitly.com/10nn9Nf+, the hits are from April 2015 and most are in Russia. But there are 11 in European Union countries. Note that Alner is hosting most of his infrastructure in Germany. This may have implications in light of the Wassenaar Arrangement, the export-control regime that governs where surveillance tools like these can go…

Alner didn’t respond to my questions, declining to speak with me following questions for the first article on the “Cowboys of Creepware.”

A Chechen link

We were also able to trace a likely OpenGSM customer: Grozny95.net. That domain was registered by Interneo and is hosted on Legato LLC, a Russian hosting firm that’s had malicious activity on its servers before, namely Rescator.cc, the site that sold data pilfered in the Target and Home Depot data breaches (thanks to Flashpoint’s director of research Vitali Kremez for that little nugget). Though the site is currently blank, looking at the source code shows it was clearly linking back to OpenGSM (the fallback text inside the iframe is Russian for “Your browser does not support inline frames!”):

<iframe src="https://opengsm.su" width="100%" height="700" align="left" frameborder="0" style="position: absolute; top: 0px; left: 0px; bottom: 0px; right: 0px; height: 100%;">

Ваш браузер не поддерживает плавающие фреймы!

</iframe>

Grozny is the capital of the Chechen Republic, and 95 is the region code that all vehicle licence plates registered in Chechnya carry.

Make of this what you will…

Tracing other Tracer resellers

An anonymous researcher also found a large number of domains that appeared to be resellers of Tracer. This used a slightly wonky technique: looking for domains serving a login page at the path central/auth/login. You’ll note both the Killer and OpenGSM panels use that path, though not all resellers’ domains have it, so a miss doesn’t rule a domain out.

The researcher believes these companies are signing up via Killer’s reseller site: https://web.archive.org/web/20150607051119/http://www.spyonyourmobile.com/reseller-white-label-custom-development/

Here are some of the more intriguing names on the researcher’s list:

Here are other suspected resellers looking purely at domains (a number of these are hosted on Alner’s Hetzner IPs — see section below):

Some resellers have also posted links to their malware in their guides.

More samples:

Looking across these and other sites, I was able to find more of what appear to be Killer Android samples:

1.

https://www.virustotal.com/en/file/2f40b4c7ca89afe2d7ed1facd28eae94794d947c0e81c979953d790505ca9b49/analysis/. This is from South African reseller https://intertel.co.za/, whose panel is at cellspyx.co.za.

2.

https://www.virustotal.com/en/file/00adba436c0176eedb05df486baab626682bb0ad0abb8aac4ba63f9094dd41d8/analysis/. This is from spyphone.me, a site registered by oxadigital@hotmail.com (which also set up spyphoneparaguay.com, spyphonecolombia.com, spyphonechile.com, spyphoneargentina.com and spyphone.mobi).

3.

https://www.virustotal.com/en/file/586443cbbaedb4812e3793e4f5b7d4758427f9e02460185a39f02a059dd45430/analysis/

This appears to be the same as https://www.virustotal.com/en/file/8e5ac92820444bc404fa6a1c890cf35c6e73645cc44784f2fbcaba052040d269/analysis/

From: spylink.com.br

More domains:

There are a load more interesting domains on IP addresses associated with Alner’s block at Hetzner. For instance, IP address 136.243.80.131 hosts a load of spyware-related domains, possibly Tracer panels:

secretmobil.com

quanlydienthoai.net

operacionesenlinea.net

netspymob.com

loginespiao.com.br

celespiaobr.com.br

foxspy.co.za

tracecellbrasil.com

users.tracer-africa.com

downloadcalls.com

cp.catchspy.com

panel.mspyitaly.com

www.barsim.com

Another IP address from that block — https://www.virustotal.com/en/ip-address/5.9.149.110/information/ — is hosting:

whatsappdater.com — registered by Joshua Alner and used in our Wolf demo for fake WhatsApp iOS malware.

www.spysix.com

bspymobile.com

panel.cepspy.com

onveda.de
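Two of the leads above, the central/auth/login path fingerprint from the reseller section and the pivot from Alner’s Hetzner addresses to the domains co-hosted on them, are easy to turn into a small hunting script. What follows is an added example and not code from the original post or from the anonymous researcher. The domains and IP addresses in it are the ones named in this post, but the resolution records are constructed for the demo rather than live passive-DNS data, the HTTP responses are faked so the script runs offline, and the “200 plus a password form” login-page fingerprint is my assumption about what the panel looks like, not a documented Tracer signature.

```python
"""Pivot from known spyware-hosting IPs to co-hosted domains, then probe each
for a Tracer-style panel at /central/auth/login.

Added example, not from the original post. Records and responses below are
constructed; for real use feed in passive-DNS rows and pass http_fetch.
"""
import ipaddress
import re
from collections import defaultdict

PANEL_PATH = "/central/auth/login"

# Seed infrastructure named in the post (Hetzner addresses).
SEED_IPS = ["136.243.80.131", "5.9.149.110", "188.40.23.61"]

# Constructed passive-DNS-style rows (domain, ip): the pairs mirror the post's
# lists, but these are demo records, not live resolutions.
PDNS_RECORDS = [
    ("secretmobil.com", "136.243.80.131"),
    ("netspymob.com", "136.243.80.131"),
    ("whatsappdater.com", "5.9.149.110"),
    ("panel.cepspy.com", "5.9.149.110"),
    ("example-unrelated.net", "136.243.80.9"),  # same /24, different host
    ("totally-benign.org", "93.184.216.34"),
]


def cohosted(records, seed_ips):
    """Domains that resolve to a seed IP, grouped by IP (strict pivot)."""
    seeds = {ipaddress.ip_address(ip) for ip in seed_ips}
    out = defaultdict(list)
    for domain, ip in records:
        addr = ipaddress.ip_address(ip)
        if addr in seeds:
            out[str(addr)].append(domain)
    return dict(out)


def same_block(records, seed_ips, prefixlen=24):
    """Looser pivot: domains in the same /prefixlen as any seed. Hosting blocks
    are shared, so this yields leads to check, not evidence."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in seed_ips}
    return sorted({d for d, ip in records if any(ipaddress.ip_address(ip) in n for n in nets)})


# Assumed fingerprint: a 200 whose body contains a form with a password field.
LOGIN_FORM = re.compile(r"<form[^>]*>.*?type=['\"]password['\"]", re.I | re.S)


def looks_like_panel(status, body):
    return status == 200 and LOGIN_FORM.search(body) is not None


def probe(domains, fetch):
    """fetch(url) -> (status, body). Returns {domain: True | False | None};
    None means unreachable. False is not exclusion: the post notes that some
    resellers' panels do not live at this path."""
    results = {}
    for d in domains:
        try:
            status, body = fetch(f"https://{d}{PANEL_PATH}")
        except OSError:
            results[d] = None
            continue
        results[d] = looks_like_panel(status, body)
    return results


def http_fetch(url, timeout=10):
    """Real fetcher for live use (not exercised by the constructed data)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:        # 4xx/5xx still carry a body
        return e.code, e.read().decode("utf-8", "replace")


# Constructed responses standing in for live HTTP, keyed by URL.
FAKE_RESPONSES = {
    "https://secretmobil.com/central/auth/login": (
        200, '<html><form method="post"><input name="login">'
             '<input type="password" name="pw"></form></html>'),
    "https://netspymob.com/central/auth/login": (404, "Not Found"),
    "https://whatsappdater.com/central/auth/login": (200, "<html>Welcome</html>"),
}


def fake_fetch(url):
    if url not in FAKE_RESPONSES:
        raise OSError("connection refused")
    return FAKE_RESPONSES[url]


def hunt(records=PDNS_RECORDS, seed_ips=SEED_IPS, fetch=fake_fetch):
    groups = cohosted(records, seed_ips)
    candidates = sorted(d for ds in groups.values() for d in ds)
    return {"cohosted": groups, "panel_probe": probe(candidates, fetch)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2))
```

If you point this at live infrastructure, do it from a host you are happy to have logged by the panel operator, and treat the output as a lead list: a co-hosted domain on a shared Hetzner box is weak evidence on its own, and a Tracer reseller that moved its panel off the default path will score False here.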

One more thing

Is this another Tracer manual?

https://www.virustotal.com/en/file/e91de63f9f9e833c7c94a4fae402b77ae580644e19897b959d06f1b72be7962a/analysis/

From: https://www.virustotal.com/en/ip-address/188.40.23.61/information/

Sharing info

If you’re interested, please use any of this for future research. It’s all public info anyway. And I’m 99 per cent certain this is only a portion of what’s out there.

If you find anything, drop me a note on Signal: +447837496820.

Or you can now use our SecureDrop at Forbes: https://www.forbes.com/tips/

Cheers!

Thomas Fox-Brewster