In March 2019, researchers with a group called Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders – identified more than 20 government spyware apps squatting in plain sight, pretending to be harmless, vanilla apps on Google’s Play store.
Those apps – which were just a decoy through which government spyware called Exodus was installed on targets’ phones – were anything but harmless. In a two-stage process, they snorted up lists of installed apps, browsing history, contact lists from numerous apps, text messages – including encrypted texts – location data, and app and Wi-Fi passwords. The malware could also activate cameras and microphones to capture both audio and video, as well as take screenshots of apps as they were being used.
That spyware came from an Italian surveillance company called eSurv, and though it was good at hacking people’s phones, it stunk at securing its own data. The spyware opened up a remote command shell on infected phones, but it failed to use any sort of encryption or authentication, so that anyone on the same Wi-Fi network as an infected device could wander in and hack it.
But it was that shoddy security that’s led authorities to a stunning discovery: as Bloomberg reported earlier this month, eSurv employees have allegedly spied on unwitting, innocent Italian citizens with the powerful surveillance technology.
They allegedly did it with a lot of brass: according to court documents seen by Bloomberg: eSurv employees would play aloud secretly recorded phone conversations in the office. And while it was selling its spyware to law enforcement agencies, it also allegedly struck a deal with a company – ‘Ndrangheta – that’s said to be linked to the Mafia.
Unearthing the snooping apps
The man behind Exodus is Italian developer Diego Fasano. After successfully creating an app for doctors to view medical records, a friend told him that he should get into the surveillance business, where investigators have been clamoring for help in penetrating communications encrypted by messaging apps such as WhatsApp and Signal. In 2014, he founded eSurv, which sells surveillance technology to police and intelligence agencies.
How it worked: with the help of Italy’s telecoms, the company would dupe people into downloading what appeared to be an innocuous app that would ostensibly fix network errors on their phone. Fasano said that police, in cooperation with mobile phone networks, would shut down a targeted person’s data service. Next, they’d send instructions to use Wi-Fi to download an app to restore service. The app was designed to look like it was associated with telecom providers, with names such as “Operator Italia.”
The real purpose: to give law enforcement access to a device’s microphone, camera, stored files and encrypted messages. Fasano sold Exodus to prosecutors’ offices across the country, including to the country’s foreign intelligence agency, L’Agenzia Informazioni e Sicurezza Esterna.
A security blunder led to Exodus’s undoing, however. According to authorities, in 2018, a prosecutor’s office in the city of Benevento was using Exodus to hack the phones of suspects in an investigation. In October, a technician noticed that the network connection kept dropping out.
After doing some sleuthing, the tech found that Exodus wasn’t working off a secure internal server accessible only to the Benevento prosecutor’s office, as it was supposed to do. Rather, it was connecting to a server accessible to anyone on the internet, protected only by a username and password.
That meant that data covertly collected by Italian prosecutors from suspects’ phones in the course of some of the country’s most sensitive investigations – of Mafia cases, terrorist cases, and corruption cases – were at risk of interception by hackers. That included thousands of photos, recordings of conversations, private messages and emails, videos, and other files gathered from hacked phones and computers – a total of about 80 terabytes of data, or roughly 40,000 hours of HD video, stored in unencrypted form on what turned out to be an Amazon Web Services server in Oregon.
Authorities don’t know if that server was ever hacked.
Prosecutors filed criminal charges against eSurv for unlawfully collecting and storing private communications, transferring them overseas, and failing to keep secure “sensitive personal data of a judicial nature.”
Naples prosecutors expect the investigation to be completed later this year. Meanwhile, Fasano and another eSurv executive, Salvatore Ansani, have been charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing. Kept under house arrest for three months, they’ve been released and are now awaiting the next stage of their legal proceedings, which will likely result in a trial.
Further investigation found that a subset of eSurv’s 20 employees – devoted to working on Exodus and led by Ansani, they called themselves The Black Team – used the spyware to target law-abiding Italian citizens who were never named as suspects in investigations. Nonetheless, those citizens’ phones were bugged, and their private conversations were recorded, for reasons that authorities say are still unknown.
According to police documents, the Black Team spied on more than 230 people whom police weren’t authorized to surveil. Some of those people were referred to in eSurv’s internal files as “The Volunteers” – in other words, they may have been unwitting guinea pigs.
Investigators are still combing through the vast amount of data they seized from eSurv as they try to figure out the purpose for the illegal data collection. Was it intended for blackmail? For fun? For spying? For illegal surveillance on behalf of the Mafia?
At this point, one prosecutor – Eugenio Facciolla, who’s at the center of a corruption scandal – has been charged with forging documents in an effort to obstruct or mislead a police investigation into an ‘Ndrangheta-led illegal logging operation that involved chopping down thousands of trees in some of Italy’s national parks.
In November, the agency that handles prosecutor appointments said that it was removing Facciolla from his office in Castrovillari, on the grounds that he had “abused his functions.” Facciolla is appealing the decision. Yes, he says, he supplied Exodus to other companies, but, according to his lawyer, Vincenzo Ioppoli, the spyware is “like a gun.”
Once you have sold it, you don’t know how it will be used.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast.