Malware hunters often say that it's really hard to point the finger at who's behind a cyberattack or a specific piece of malicious software—what's known in the cybersecurity community as "attribution." Hackers, especially if they work for a government, go to great lengths to obfuscate who they are and who employs them.
But sometimes hackers make mistakes, even blatant ones like leaving a link to the website of the company that developed the malware in the malware code itself. It would be like a burglar broke into your home and left their business card behind.
That's what happened with a piece of Android malware designed to spy on its victims that turned up in Asia last year. Security company BitDefender found the spyware and noted at the time that it seemed to "have been developed by Italian speakers targeting specific Android devices, selecting their victims based on their devices' IMEI codes," without going farther in its attribution.
As it turns out, according to two independent analyses of the malware, that spyware was developed by a company called GR Sistemi, yet another firm that got sloppy in the rush to get a cut of the booming and often unscrupulous surveillance business. (The company did not respond to multiple requests for comment.)
"The spyware gold rush has reached the comedy of errors stage."
GR Sistemi is yet another Italian firm that's been trying to enter the crowded market of government spyware, also known by insiders as "lawful interception." Milan-based Hacking Team and British-German FinFisher might be the two most well-known, but in the last few years, malware hunters and researchers have caught samples or traces of software made by several other companies too, such as the Italian Raxir and RCS Lab, the Indian Wolf Intelligence and Aglaya, and the Israeli NSO Group.
The market for "lawful interception" is expected to reach $1.3 billion by 2019, according to an estimate by the consulting firm Markets and Markets, up from $251 million in 2014. To some observers, we're living in the middle of a spyware gold rush. A time where several companies are trying to enter the market at all costs, offering governments around the world tools to monitor and surveil targets—even when they don't really have the technical chops to make tools that are reliable and won't get exposed.
Read more: The Forgotten Prisoner of a Spyware Deal Gone Wrong
"The spyware gold rush has reached the comedy of errors stage," said Morgan Marquis-Boire, a researcher and director of security at First Look Media, who found that the sample analyzed by BitDefender was created by GR Sistemi.
Marquis-Boire, who was among the first researchers to find Hacking Team malware around five years ago, explained that he looked at the GR Sistemi samples last year, and quickly found that one of the files contained the link to a site that would redirect to the official GR Sistemi website.
One of the samples analyzed by Marquis-Boire was spotted in Asia, according to Marius Tivadar, a researcher at BitDefender. Tivadar said that, however, there's no way to know whether the sample was uploaded by a researcher testing the detection or a real victim.
"It doesn't mean for sure that we have infected clients from China and Singapore," Tivadar told Motherboard in an email.
According to its website, GR Sistemi was founded in 2002, but the company has only recently entered the spyware market. In a leaked email from 2013, Hacking Team's chief technology officer called it a "newcomer." At the time, GR Sistemi attended a few events part of ISS World, an annual series of conferences that are informally known as the "Wiretappers' Ball."
The company, however, didn't attract much attention, according to an industry veteran who was also in attendance.
"They were the classic runaways who are trying to break into the industry," the source said, adding that the GR Sistemi employees at the conference barely spoke English.
Another source, who also asked to remain anonymous, said that at one of those ISS World, GR Sistemi was touting its spyware product, called Dark Eagle, showcasing what the company called a live demo. But, the source said, the demo was actually just an mpeg video file on loop.
"They ain't got shit to do with spyware."
In a leaked email, one of Hacking Team's executives blasted GR Sistemi, among other competitors, for claiming "to have more than they actually have" at an ISS conference in Prague in 2013.
"And, despite this, they seem to be still far behind," he wrote.
For most of its history, GR Sistemi has sold GPS trackers, and traditional wiretapping services to law enforcement but they also still provide an app to monitor fleets of trucks. According to a source, they work with local prosecutors in Lombardy, the region around Milan.
"They ain't got shit to do with spyware," the source said. "They smelled the business, that lawful interception was good money and they started offering solutions that were actually patched-up work."
In fact, the GR Sistemi's Dark Eagle spyware spotted by BitDefender is at least in part repackaged from an open source remote access or administration tool (RAT) called AndroRAT, according to Marquis-Boire and Tim Strazzere, another security researcher. Stazzere added that AndroRAT has often been repackaged by other hackers, as he noted in a paper he wrote while working at a mobile security firm.
Companies selling spyware to governments that's just repurposed or recycled code isn't unprecedented. In a leaked email, Hacking Team accused its competitor FinFisher of using code very similar to that of FlexiSpy, a company that markets its spyware for parents and jealous spouses. And as a Forbes investigation found, Wolf Intelligence borrowed some of its tools from another developer through a formal partnership.
These practices, as well as the mistakes that allow researchers to catch their malware in the wild, shows that some of these companies perhaps aren't really ready for prime time.
"The product itself sort of lags behind the sales pitch," Marquis-Boire said. "Maybe they're OK at writing software but they're definitely not great at espionage or operational security."
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.