Amnesty International says it found evidence that attackers testing the spyware were using the IP address of Indian cyber security firm Innefu Labs.
Amnesty International has accused an Indian cyber security company of developing Android spyware that has been used in targeted attacks against Togolese activists. The company, Innefu Labs, has denied the allegations.
According to Amnesty International, the spyware is distributed via email messages and the Facebook-owned messaging app WhatsApp. The campaign’s modus operandi involves phishing and social engineering techniques such as luring the victim into downloading the spyware through email or installing it on their device through WhatsApp chat.
Once installed, the spyware gives attackers full control over the device: they can access the camera and microphone, read WhatsApp messages, and steal files and photos remotely, all without raising any alarm.
One Togolese activist, who asked to remain anonymous, shared WhatsApp screenshots showing an Indian WhatsApp number trying to lure them into downloading and installing ‘ChatLite,’ a supposedly secure chat app.
In reality, it was a custom-developed Android spyware tool that, once successfully deployed, allows the attackers to collect sensitive data from the victim’s mobile device and install additional spyware tools.
In another attempt, the attacker used a Gmail account to send a malicious MS Word file to trick the activist into installing the spyware.
The spyware was initially attributed to a “hacker group” called Donot Team. It is worth noting that last year, the DoNot APT group was seen abusing Google Firebase Cloud Messaging to distribute the Firestarter Android malware, using the Kashmir dispute between India and Pakistan as a lure, though its prime target in that campaign was the Pakistani government.
However, Amnesty says it has found evidence that the Indian cyber security company Innefu Labs is behind the spyware. The spyware and Innefu Labs use the same infrastructure.
In addition, Amnesty found evidence that an attacker testing the spyware was using Innefu Labs’ IP address. Among other things, the spyware was used against an activist in Togo.
In its report [PDF], discussing the connection between Innefu Labs and the spyware campaign, Amnesty International stated:
Amnesty International initially found the Innefu Labs IP address, 126.96.36.199, exposed in Android screenshots on the Android spyware test server. While this IP address is not registered directly to Innefu Labs, it is being used by the company, Amnesty claimed.
A subdomain for authshieldserver (dot) com has pointed to the Innefu Labs IP address since 2016. AuthShield is an Innefu Labs product. Additionally, the PassiveTotal service has also recorded TLS certificates containing the innefu.com domain on the same IP address.
The same Innefu Labs IP address also appeared in the SQL databases Amnesty International discovered on the URL shortener and Android spyware distribution servers. These SQL databases also contain records from previous spyware distribution servers which were no longer active at the time of discovery, added Amnesty.
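The three evidence types described above (passive DNS history, TLS certificates observed on the IP, and the IP turning up in databases on the distribution servers) are what an analyst pivots across when testing an infrastructure-overlap claim. The following Python is an added example, not code from Amnesty or its report; the IP and the two domains come from the article, while the hostnames, dates, database records and the vendor-to-domain mapping are constructed assumptions.

```python
# Constructed sample observations modelled on the report's evidence types.
# Values: IP and domains from the article; hostnames/dates are assumptions.
PASSIVE_DNS = [
    # (hostname, resolved_ip, first_seen)
    ("update.authshieldserver.com", "126.96.36.199", "2016-03-01"),
    ("cdn.example-unrelated.net", "126.96.36.199", "2021-01-05"),  # co-tenant noise
]
TLS_CERTS = [
    # (ip, names in the certificate's subject / SAN list)
    ("126.96.36.199", ["innefu.com", "www.innefu.com"]),
]
DB_RECORDS = [
    # (server_role, ip_found_in_db) - constructed
    ("url-shortener", "126.96.36.199"),
    ("spyware-distribution", "126.96.36.199"),
]
# Assumed mapping of a vendor to the registrable domains it is known to own.
VENDOR_ASSETS = {"innefu": {"authshieldserver.com", "innefu.com"}}


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for .com/.net samples."""
    return ".".join(host.split(".")[-2:])


def pivot(ip, vendor):
    """Return each independent evidence line linking `ip` to `vendor`."""
    assets = VENDOR_ASSETS[vendor]
    evidence = []
    for host, rip, seen in PASSIVE_DNS:
        # Only hostnames under a vendor-owned domain count; shared hosting
        # means unrelated tenants can resolve to the same IP.
        if rip == ip and registrable(host) in assets:
            evidence.append(f"pdns:{host}->{ip} since {seen}")
    for cip, names in TLS_CERTS:
        if cip == ip:
            hits = sorted(n for n in names if registrable(n) in assets)
            if hits:
                evidence.append(f"tls:{ip} cert names {','.join(hits)}")
    for role, dip in DB_RECORDS:
        if dip == ip:
            evidence.append(f"db:{role} server references {ip}")
    return evidence


def attribution_score(ip, vendor):
    """Count distinct evidence kinds so many records of one kind don't inflate it."""
    return len({e.split(":", 1)[0] for e in pivot(ip, vendor)})
```

A score of 3 here means all three evidence kinds agree; the unrelated co-tenant hostname is deliberately excluded because a shared IP on its own proves nothing.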
Amnesty approached Innefu Labs, which denies the allegations. According to the security company, there is no evidence that it is involved in spyware. Moreover, in a letter to the human rights movement, the company threatened legal action.
However, Amnesty stands by its conclusion. “Based on the evidence gathered in this study, Amnesty believes Innefu Labs is involved in the development and/or distribution of a number of spyware tools previously linked to Donot Team,” maintains Amnesty.
The human rights movement is calling on the Indian government to launch an investigation into the security company, curb the use of surveillance technology and strictly regulate the export of spyware technology.