The Egyptian government has been targeting and tracking citizens in a sophisticated spying program that allows it to read emails, log contacts and record their location, according to a new report by Check Point.
A wide range of Egyptian citizens, ranging from journalists to politicians, activists and lawyers, have been targeted in the program, the security organization claims, with most of the spying done through apps downloaded onto their smartphones.
Check Point has identified 33 individuals that were specifically targeted and encouraged to download apps that offered useful services but whose real intent was to bug the phone.
Secure Mail was a Gmail add-on that promised greater security but which prodded users to provide their password, which was then used to compromise their accounts. Another, iLoud200%, offered a smart storage solution that would free up storage space on your phone but which bypassed privacy settings and sent location details to outside servers. Another app, IndexY, offered a callerID service but stored and transmitted call logs.
These apps were available through the official Google Play store, giving victims a degree of confidence that they were legitimate but also demonstrating that the apps are sufficiently sophisticated to get past Google’s security review. Each app was also designed and promoted to minimize uncertainty: it would make sense for a Caller ID app, for example, to have access to call logs and contacts.
The data that was pulled off the devices was sent to a range of domain names that included names like “secure” and “verify” as a way of masking their true identity, but Check Point was able to draw connections between the domains, IP addresses and their administration.
Those behind the system screwed up on one of the domains - maillogin.live - and left its directory accessible online, which the researchers downloaded and reviewed, giving more details over how the spying operation was being conducted.
Great. Global internet freedoms take another dive as censorship and fake news proliferateREAD MORE
The researchers believe that may also have uncovered a secure messaging channel on Telegram that advertised itself as supporting protestors of the current Egyptian military administration but is likely under the control of the intelligence services.
Check Point was unable to find definitive proof that it was the Egyptian intelligence services behind the operation but considering those targeted, the clear intent and purpose of the apps, the structure and data downloaded and a number of clues - such as a server registered to the government’s IT ministry and a hardcoded location that corresponds to the HQ of Egypt’s main spy agency - it is almost certain that it was a government-sponsored activity.
“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt,” the company wrote in a lengthy post outlining its findings. “The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”
In recent months, ongoing tensions within Egypt have grown and the government has arrested a number of prominent opposition leaders in response to growing anti-government protests. ®