German police given go-ahead to use home-brewed spying Trojan

In a blast from the surveillance past, the German Interior Ministry has approved a new version of infamous surveillance malware that’s been around for years and will be put into play as early as this week.

The Germany-based Chaos Computer Club (CCC) in 2011 was the first to spot the malware, which is called, among other things, the Bundestrojaner (“Federal Trojan”) and which was developed by the German Federal Criminal Police.

The CCC discovered that Bundestrojaner could set up a backdoor, remotely update itself, grab screenshots, and activate an infected computer’s camera and microphone.

When Sophos Labs analyzed it back then, they found that the Trojan was also able to eavesdrop on communication applications, including Skype, MSN Messenger and Yahoo Messenger, as well as to log keystrokes in a number of browsers.

Most anti-virus vendors originally called the Trojan by the cute-robot name of “R2D2”, after a string that was found embedded inside the malware’s code (one that also included the characters “C3PO,” mind you!).

It’s also been referred to as “0zapftis.”

That’s a play on a Bavarian phrase “The barrel is open”, said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

It’s an uncomfortably apt bit of bragging when you’re talking about surveillance spyware, German-speaking Sophos Labs staffers noted at the time.

It took German authorities a while to confirm that Bundestrojaner was their handiwork, but on 11 October 2011, that they did.

As HelpNetSecurity reported, the ministers of several German states at the time confirmed that they used the malware in criminal investigations but claimed it was used only to conduct telecommunication intercepts (what are still anachronistically known as “wiretaps” in the US) of suspects.

The German authorities claimed that the CCC had gotten its hands on a prototype: a test version of the Trojan – created by the German firm DigiTask – that was rejected because it could be easily made to take screenshots.

They claimed that a latter version could only perform telecommunication surveillance, in accordance with the law.

Deutschlandfunk reports that the new version of the Trojan, which the government has been working on for months, has been available since autumn 2015.

In accordance with German law, it’s only supposed to be used for telecommunication surveillance at the source: in other words, to read emails and chats and to listen in on phone calls placed by a target via computer or mobile phone.

What it’s not supposed to do, again according to German law: to access files, steal passwords, or set up video or audio surveillance via a target’s device.

In addition, the police will be required to get a court order to use the spyware and to prove that the suspect is involved in a crime threatening citizens’ “life, limb or liberty”.

The problem is that it can do both the court-approved and the court-disapproved functions, a spokesman for the CCC said.

CCC spokesman Frank Rieger told HelpNetSecurity that there aren’t many technical differences between a Trojan that can perform surveillance of digital communications (legal) and that can set up video or audio surveillance (illegal).

He also said that it’s difficult for investigators to identify targeted devices without surveilling communications of other, innocent users.

Sweeping up innocents in surveillance dragnets happens in other countries, of course.

The US Drug Enforcement Administration (DEA), for one, was sued in April 2015 for secretly monitoring Americans’ international phone calls for decades: a practice it gave up when Edward Snowden’s revelations about US surveillance hit the fan.

Nor are US intelligence agencies above using malware: one example was in 2014, when US courts were demanding that the FBI justify drive-by downloads of spyware onto the computers of people visiting child porn sites hidden on Tor.

Rieger also noted that the German Federal Criminal Police will likely be forced to buy zero-day vulnerabilities to get its Trojan past anti-virus software, and it won’t be up for sharing that information with the public.

Again, that’s nothing new.

It’s well-known that government agencies have deep pockets when it comes to buying vulnerability info.

There are plenty of buyers willing to pay for zero days, and we’ve known for a long time that Google, Microsoft and the like can’t outbid the US government, nor, likely, other countries’ governments.

For more details on the earlier prototype of Bundestrojaner, have a look at this FAQ about the Trojan that Naked Security put together when it was first detected.

Image of German Police courtesy of