A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Researcher Tim Strazzere, with help of his colleagues, analyzed the sample received practically directly from the target (who wished to remain anonymous), and discovered that the spyware:

  • Asks for practically every permission
  • Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lay low while the user is using the device, executed code, exfiltrate data, and so on.
  • Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).

What made him think that this might be the work of Hacking Team is the fact that the spyware contacts two IP address located in an address space used by previously known HackingTeam families.

The use of Italian in encrypted strings and SSL certificates is another circumstantial piece of evidence that seemed to point in that direction.

But two former Hacking Team employees and Citizen Lab researcher Bill Marczak believe that particular company was not involved in the creation of this malware.

The former analyzed the code and found it nothing like spyware samples developed by Hacking Team. The latter told Motherboard that the spyware’s infrastructure isn’t linked to Hacking Team’s – and he should know, as he’s been tracking it for a while.

But a mention in the SSL certificate used by one of the servers contains a string that might point to the right source: “Raxir”.


Raxir is the name of an Italian company, started in 2013 and housed at tech incubator “Citta’ Della Scienza” in Naples, Italy.

According to this description, the company develops software for investigations and intelligence gathering, its software can only be used by government and law enforcement agencies.

Currently, it is only being used by those entities in Italy, as well as by the Second University of Naples (“Seconda Università degli Studi di Napoli”), but the “company has ties with Germany, and would like to reach foreign markets, and especially emerging economies/countries.”

According to Marczak’s findings – a server whose digital certificate contains the string “ProcuraNapoliRaxirSrv” – it seems that Raxir’s products are being used by the Naples’ office of the prosecutor.

Both Hacking Team and Raxir did not answer Motherboard’s request for comment on the matter.

Help Net Security

Black Hat USA 2016 – Ruckus Wireless, a global company that specializes in wireless networking equipment for enterprises and service providers, is working on developing patches for several vulnerabilities identified by an expert in its access point (AP) products.

Tripwire researcher Craig Young discovered that Ruckus wireless APs are plagued by various types of security holes that can be exploited to gain complete access to the device and its underlying operating system. While the expert only tested the Ruckus ZoneFlex H500 model, the vendor has determined that all its APs are vulnerable, except for the “unleashed” product line.

Young quickly identified several vulnerabilities in the product’s web-based user interface. He first uncovered a command injection flaw that allowed him to get a root shell on the device. The researcher also found an authentication bypass issue that can be leveraged to process requests that should normally be possible only for authenticated users.

According to Young, Ruckus APs are also plagued by a weakness that allows attackers to cause the management interface to become unavailable (i.e. cause a denial-of-service condition) by accessing a certain page over HTTPS. The said page is normally accessible over HTTP without authentication.

A DoS condition can also be triggered by sending authenticated requests to a certain page, which causes the HTTP server to reload – and possibly disrupts other services – due to excessive memory consumption.Ruckus ZoneFlex AP vulnerabilities

The expert also noticed that the HTTP server leaks the device’s serial number, which he believes could be used in social engineering attacks.

Many of these vulnerabilities can be exploited via cross-site request forgery (CSRF) attacks, which, according to Young, are possible due to the general lack of CSRF tokens.

The security holes were uncovered in the first part of 2015, but Tripwire and the CERT Coordination Center (CERT/CC) had experienced difficulties in reporting the issues to the vendor. Ruckus only acknowledged the problem late last month after one of the company’s executives was contacted over LinkedIn by Tripwire’s chief research officer David Meltzer.

In an advisory shared with SecurityWeek, Ruckus pointed out that the flaws found by Tripwire are only exploitable if the APs web interface and IP are accessible from external hosts.

“Most of Ruckus APs are deployed in managed environment where there is WLAN controller that is managing the APs. In this mode of operation the Web interface is not enabled and in most cases even the IP address of the AP is not reachable from external sources. This prevents from these vulnerabilities from getting exploited,” Ruckus said in its advisory.

Until patches are made available – Ruckus expects to release firmware updates in the next 3-6 months – the company has advised customers to disable access to the AP’s web interface from the command line interface (CLI) or limit access to the internal network. For scenarios where the AP needs to be accessed over the Internet, firewall policies should be used to limit access to authorized IP addresses.

“Unleashed AP models are not vulnerable to un-authenticated command injection issue on the Web interface,” Ruckus said. “SZ/SCG and ZD product line are only vulnerable to CSRF. They are not vulnerable to un-authenticated command injection issue on the Web interface.”

Young agrees that most network administrators would have no reason to expose the vulnerable web interface to the Internet, but he believes remote attacks are still possible.

“The more likely attack vector as I see it would be from users connected directly to the access point or via cross-site request forgery through phishing, malvertising, or XSS flaws on popular web sites,” Young told SecurityWeek.

The researcher said the goal of this research has been to test if enterprise-grade networking products are more secure than the highly vulnerable SOHO devices.

“My experience auditing Ruckus equipment is very similar to some of the experiences I’ve had auditing the wireless routers you might find in a local computer store. In fact, the authentication bypass and command injection are essentially the same problems I have found on SOHO devices in the $ 100-$ 200 range,” Young said in a blog post.

“Organizations using Ruckus devices may be at risk for compromise, particularly when the access points are used to provide customers with Wi-Fi access,” the expert added. “An intruder to one of these systems could potentially become man-in-the-middle to all other users of the wireless network allowing a wide range of exploitation opportunities.”

Related: Cisco, Juniper Patch Operating System Flaws

Related: Critical Flaws Found in Cisco Networking Products

Related: Critical Flaw Exposes Mobile Devices, Networks to Attacks

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed