Government spyware company spied on hundreds of innocent people – Naked Security


In March 2019, researchers with a group called Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders – identified more than 20 government spyware apps squatting in plain sight, pretending to be harmless, vanilla apps on Google’s Play store.

Those apps – which were just a decoy through which government spyware called Exodus was installed on targets’ phones – were anything but harmless. In a two-stage process, they snorted up lists of installed apps, browsing history, contact lists from numerous apps, text messages – including encrypted texts – location data, and app and Wi-Fi passwords. The malware could also activate cameras and microphones to capture both audio and video, as well as take screenshots of apps as they were being used.

That spyware came from an Italian surveillance company called eSurv, and though it was good at hacking people’s phones, it stunk at securing its own data. The spyware opened up a remote command shell on infected phones, but it failed to use any sort of encryption or authentication, so that anyone on the same Wi-Fi network as an infected device could wander in and hack it.
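The weakness described above, a command shell that answers anyone on the same network with no login step, is exactly what an incident responder would want to check for on a suspect device. The following Python is an added example, not code from Security Without Borders, Naked Security or eSurv: it connects to a host and port, sends a harmless `id` command and reports whether the far end executed it without asking for credentials. The port is a parameter, because the article does not name one; the two mock services are constructed stand-ins (one behaving like an unauthenticated shell, one like a benign echo service) so the script runs offline.

```python
"""Probe LAN hosts for a TCP shell that runs commands without authentication.

Added example. The mock services below are constructed for offline testing;
the port to probe is an assumption and must be supplied by the operator.
"""
import re
import socket
import socketserver
import threading

# A shell with no login step will run this and answer with "uid=..."; a
# service that expects a banner, a login or a different protocol will not.
PROBE_CMD = b"id\n"
UID_RE = re.compile(rb"uid=\d+")


class _FakeShellHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a device exposing a shell with no login step."""

    def handle(self):
        line = self.rfile.readline()
        if line.strip() == b"id":
            self.wfile.write(b"uid=0(root) gid=0(root)\n")
        else:
            self.wfile.write(b"sh: not found\n")


class _EchoHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a benign service that only echoes its input."""

    def handle(self):
        self.wfile.write(self.rfile.readline())


def start_mock_service(shell: bool) -> tuple[socketserver.TCPServer, int]:
    """Start a mock listener on 127.0.0.1 and return (server, bound_port)."""
    handler = _FakeShellHandler if shell else _EchoHandler
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_unauth_shell(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if host:port executes `id` without any authentication."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(PROBE_CMD)
            try:
                while len(data) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:  # peer closed: we have the full reply
                        break
                    data += chunk
            except socket.timeout:
                pass  # shell kept the session open; judge on what arrived
    except OSError:
        return False  # refused, unreachable or reset: not an open shell
    return UID_RE.search(data) is not None


def scan(hosts: list[str], port: int, timeout: float = 2.0) -> list[str]:
    """Return the hosts on which an unauthenticated shell answered."""
    return [h for h in hosts if probe_unauth_shell(h, port, timeout)]


if __name__ == "__main__":
    # Offline demonstration against the two constructed mock services.
    shell_srv, shell_port = start_mock_service(shell=True)
    echo_srv, echo_port = start_mock_service(shell=False)
    print("mock shell  :", probe_unauth_shell("127.0.0.1", shell_port))
    print("mock echo   :", probe_unauth_shell("127.0.0.1", echo_port))
    for srv in (shell_srv, echo_srv):
        srv.shutdown()
        srv.server_close()
```

Run it with real hosts only on a network you are authorised to test; the `id` probe is read-only, but any unauthenticated shell that answers it will equally run whatever an attacker sends next, which is the point the article makes.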

But it was that shoddy security that led authorities to a stunning discovery: as Bloomberg reported earlier this month, eSurv employees have allegedly spied on unwitting, innocent Italian citizens with the powerful surveillance technology.

They allegedly did it with a lot of brass. According to court documents seen by Bloomberg, eSurv employees would play secretly recorded phone conversations aloud in the office. And while it was selling its spyware to law enforcement agencies, it also allegedly struck a deal with a company said to be linked to the ‘Ndrangheta, the Calabrian Mafia.

Unearthing the snooping apps

The man behind Exodus is Italian developer Diego Fasano. After he had successfully created an app for doctors to view medical records, a friend told him that he should get into the surveillance business, where investigators have been clamoring for help in penetrating communications encrypted by messaging apps such as WhatsApp and Signal. In 2014, he founded eSurv, which sells surveillance technology to police and intelligence agencies.

How it worked: with the help of Italy’s telecoms, the company would dupe people into downloading what appeared to be an innocuous app that would ostensibly fix network errors on their phone. Fasano said that police, in cooperation with mobile phone networks, would shut down a targeted person’s data service. Next, they’d send instructions to use Wi-Fi to download an app to restore service. The app was designed to look like it was associated with telecom providers, with names such as “Operator Italia.”