Amnesty International has accused an Indian cyber security company of developing Android spyware that has been used in targeted attacks against Togolese activists. The company, Innefu Labs, has denied the allegations.
According to Amnesty International, the spyware is distributed via email messages and the Facebook-owned messaging app WhatsApp. The campaign’s modus operandi involves phishing and social engineering techniques such as luring the victim into downloading the spyware through email or installing it on their device through WhatsApp chat.
Once installed, the spyware gives attackers full control over the device: they can access the camera and microphone, read WhatsApp messages, and steal files and photos remotely, all without raising any alarm.
One Togolese activist who would like to keep their identity hidden shared WhatsApp screenshots showing an Indian WhatsApp number trying to lure them into downloading and installing ‘ChatLite,’ a supposedly secure chat app.
In reality, it was a custom-developed Android spyware tool that, when successfully deployed, allows the attackers to collect sensitive data from victims’ mobile devices and install additional spyware tools.
In another attempt, the attacker used a Gmail account to send a malicious MS Word file to trick the activist into installing the spyware.
WhatsApp chat leading to the installation of ChatLite app that is spyware
The spyware was initially attributed to a “hacker group” called Donot Team. It is worth noting that last year, the DoNot APT group was seen abusing Google Firebase cloud messaging to distribute the Firestarter Android malware in a campaign exploiting the Kashmir issue between India and Pakistan, though its prime target in that campaign was the Pakistani government.
However, Amnesty says it has found evidence that the Indian cyber security company Innefu Labs is behind the spyware. The spyware and Innefu Labs use the same infrastructure.
In addition, Amnesty found evidence that an attacker testing the spyware was using Innefu Labs’ IP address. Among other things, the spyware was used against an activist in Togo.
The screenshot from a directory shared by Amnesty International shows screen grabs from already compromised Android devices. These screenshots were generated by the attackers while testing their Android spyware’s screen capture and keylogging capabilities.
While discussing the connection between Innefu Labs and the spyware campaign in its report [PDF], Amnesty International went on to state that,
Amnesty International initially found the Innefu Labs IP address, 184.108.40.206, exposed in Android screenshots on the Android spyware test server. While this IP address is not registered directly to Innefu Labs, it is being used by the company, Amnesty claimed.
A subdomain for authshieldserver (dot) com has pointed to the Innefu Labs IP address since 2016. AuthShield is an Innefu Labs product. Additionally, the PassiveTotal service has also recorded TLS certificates containing the innefu.com domain on the same IP address.
The same Innefu Labs IP address also appeared in the SQL databases Amnesty International discovered on the URL shortener and Android spyware distribution servers. These SQL databases also contain records from previous spyware distribution servers which were no longer active at the time of discovery, added Amnesty.
Amnesty approached Innefu Labs, but it denies the allegations. According to the security company, there is no evidence that it is involved in spyware. Moreover, in a letter to the human rights movement, the company threatens legal action.
However, Amnesty stands by its conclusion. “Based on the evidence gathered in this study, Amnesty believes Innefu Labs is involved in the development and/or distribution of a number of spyware tools previously linked to Donot Team,” maintains Amnesty.
The human rights movement is calling on the Indian government to launch an investigation into the security company, curb the use of surveillance technology and strictly regulate the export of spyware technology.