Online researchers in Canada say they have identified malware intentionally designed to infect and spy on mobile devices in the restive Qatif region of Saudi Arabia, and they think they know who’s behind it.
Analysts with Citizen Lab, a Toronto-based privacy and security research institute, say they have evidence that an Android-based mobile news app called “Qatif Today” has been deliberately altered to turn mobile phones into surveillance devices. The authors also strongly implicate the Italy-based intelligence firm Hacking Team as being behind the malware.
The website for Hacking Team says the for-profit company provides what it calls “lawful interception technology” only to government agencies for the express purpose of conducting electronic surveillance.
The authors of the Citizen Lab report say that, once downloaded, the doctored “Qatif Today” application would provide near-complete access to all the data on the user’s mobile phone. Additionally, the malware siphons off information about the user’s social media activity on platforms such as Facebook, Viber, Skype and WhatsApp.
“Documents we have reviewed suggest that Hacking Team refers to this kind of mobile implant as an ‘Installation Package,’ where a legitimate third party application file is bundled with the implant,” write the report’s authors.
Adding to the concern, the researchers also say that those controlling the malware could remotely switch on the infected phone’s microphone and cameras to surreptitiously record the user. The report does not conclusively say who is controlling the fake app.
“We are not in a position to determine the identity of the group or individual targeted with this malware, however, we speculate that the attack may be linked to political protest in eastern Saudi Arabia,” write the Citizen Lab authors.
“This isn’t definitive evidence that the Saudi Arabian government is using this malware,” says Cynthia Wong, senior Internet researcher at Human Rights Watch. “But it raises serious questions because this app was focused on a particular city in a particular province in Saudi Arabia. The only people interested in downloading this are those interested in that particular area, which raises serious concern whether the government has purchased this particular piece of malware.”
The Shia-majority Qatif governorate, located on the Gulf near Bahrain, has been the site of ongoing protests against the government in Riyadh. Wong tells VOA that the Internet and social media have become important tools in Saudi Arabia, allowing some measure of free expression and dissent.
But in early 2014, a new set of laws was enacted in Saudi Arabia that criminalize most online dissent as an act of terrorism.
“What we’ve seen in the past few years is the government really cracking down on online activism,” said Wong. “If the government is using this kind of malware to spy on online activists, it would be part and parcel in terms of the crackdown on activism on the Internet.”
For its part, Hacking Team spokesman Eric Rabe told VOA by email that there was “no comment, of course, on client identities or location in accordance with our company policies.” But Rabe forwarded a statement from Hacking Team that reads in part:
“Hacking Team is aware of the ongoing efforts of Citizen’s Lab to attack our business by attempting to disclose confidential information, systems, and procedures that we use. This report is only their latest effort. It is evident that the primary complaint of the authors is about repressive government, however, Citizen’s Lab has chosen to target a private business operating in full compliance with all relevant law.”
The Saudi embassy in Washington declined to respond to VOA requests for comment for this story.