The Discovery of a Government Malware and an Unexpected Spy Scandal

Black Hat USA 2019

Presented by: Lorenzo Franceschi-Bicchierai
Date: Thursday August 08, 2019
Time: 15:50 - 16:40
Location: Islander FG

In early 2019, we revealed the existence of a new intrusion software built and primarily used in Italy by the authorities. The company that created this software managed to stay under the radar for several years, until we identified their Android mobile surveillance product, dubbed “Exodus.”

Exodus is a spyware equipped with extensive collection capabilities, able to turn a phone into a faithful surveillance companion—and distributed openly on the Google Play store. At the same time, it has some significant problems, both at the code level and in how it was deployed in the wild, accumulating hundreds of infections.

Little did we know, this was only going to be the tip of an iceberg that went deeper and darker than we expected—a major spy scandal in the heart of Europe.

The “Exodus” scandal is a poster boy for the sorry, dangerous state of the spyware industry, also known as the “lawful intercept” industry.

Due to the growing ubiquity of encryption on online services and communication systems, traditional passive wiretapping is becoming increasingly ineffective, and collecting data directly off of the devices has become the new frontier of surveillance. The so-called “lawful intercept” industry is worth $12 billion, according to Moody's. NSO Group, one of the market leaders, employs 600 people and has more than 40 customers all over the world.

How did we get here?

In this talk, we’ll delve into the case study of eSurv, a small Italian government contractor that was providing spyware all over Italy. From there, we’ll go back in time and draw the history of lawful intercept. From the 90s, where it was all Windows Trojans and some Symbian RATs, to the 2000s with the first professionalized boutique companies that made spyware for police and intelligence agencies all over the world. Finally, we’ll look at the present, where several companies battle to control a global unregulated market outside of the Five Eyes.

This is spaghetti, pizza, and spyware, a talk with the full spicy backstory of a threat intel and journalistic investigation.

Lorenzo Franceschi-Bicchierai

Lorenzo Franceschi-Bicchierai is a writer at Motherboard, where he covers hacking, information security, and digital rights.

