The topic in this room today is state Trojans, not the kind of Trojans that criminals install. We have companies that do this professionally and more or less legally. State Trojans shouldn't actually be built, because if they do get built they will get into the wrong hands. How we can use our court system and our legal system to get this onto a proper path, properly organized according to the rule of law, will be explained by Ulf Buermeyer, who has given legal support to many club issues, and also by Thorsten Schröder, who has been watching this topic for a long time as well and has looked at what's actually inside the FinFisher software. A huge applause please for Ulf Buermeyer and Thorsten Schröder.

Right, hi. Nice that you're all here. Welcome. Hi, hi. Welcome to "FinFisher: See you in court". If one or other of you knows this, an American organization said "see you in court" to Donald Trump when he illegally tried to prevent immigration to the United States, and we are dealing with the exact opposite: the migration out of Germany of evil software. A short historical review, a look back. Don't worry, this is not going to be a terrible legal talk; Thorsten will make sure of that. But this will be about a further chapter in the fight against digital vermin, and this will be a very specific form of digital vermin.

Right, state Trojans, which we did talk about in Congress a few years ago already. Software that states use against criminals, opponents and so on. Thorsten's already said this is a topic which has been keeping the club and myself busy for a few years. This photo is from the 25th Chaos Communication Congress, 11 years ago. That is because there was good news from Karlsruhe, where the Federal Constitutional Court is in Germany. You may remember that the court in 2008 defined a new basic right, and that is the right that we know today as the computer basic right.
All in more clever speak: the right to integrity and confidentiality of IT systems. A term which only people who have been studying law for far too long can come up with. And when we did this talk and went in front of that red curtain, we were hoping that this basic right could change things. But unfortunately it has to be said it didn't. We found a state Trojan in 2011 which particularly violated that basic right, and maybe at the time the news hadn't reached the developers. That Trojan we had been given on a hard disk in a brown envelope. And we analyzed it and wrote a very elaborate report and gave a talk at what was then 28C3. These are images from when we were young and beautiful. And that was the first time I was on a stage together with Ulf. It seems like we only share a stage when the topic is state Trojans. And I think I'm even wearing the same black pullover.

Yeah, we introduced the state Trojan; we didn't only describe it but also demonstrated how it violated that basic right by turning a computer into a bug, and making it possible to surveil every section of someone's private residence and download stuff from it. That was maybe the most blatant violation. And because the law didn't quite say what a state Trojan can or cannot do: it didn't prohibit it overall, but it set up quite strict hurdles. And the makers from the DigiTask company didn't stick to those rules. And they even wrote what you could term a remote control software for Windows. And this state Trojan's task was only to monitor, to eavesdrop on Skype, and maybe listen and find some chat messages. But it could do much more, we found. It could download further pieces of software, take screenshots, and screenshots of non-sent emails, draft emails, thoughts that you just typed in it could record and send as well. So that is exactly the scenario that we've been criticizing in the club over and over again. And unfortunately this wasn't the end of the debate.
As you could imagine, a true zombie state Trojan simply cannot be destroyed. And since 2017 we have another legal foundation for state Trojans, a new one in criminal procedural law. The Federal Criminal Police Office has been allowed to use these for a long time to prevent terrorism, to fight against terrorism; that's been in law for a while. But there's a new law now that allows state Trojans to be used in most criminal proceedings. Which is why the Gesellschaft für Freiheitsrechte, the Society for Civil Rights, has filed a complaint. Because again this state Trojan violates the constitution. And we're not only complaining about it not sticking to the limits that the Constitutional Court has set up; we also ask how the Trojan could actually enter someone's system. How can it be introduced? "Am I in there already?", as a famous TV ad for an early ISP went. So which security vulnerabilities are kept open intentionally so that the Trojan can enter the system? It's only in exceptional cases that authorities have access to a device. In most cases the Trojan has to be introduced from a remote location, and you need vulnerabilities, backdoors, for that. And the minimal demand by the Society for Civil Rights is that that is just not on. If you have a legal foundation for state Trojans, you have to have clear rules on which vulnerabilities may be used, because otherwise there is a huge incentive to keep backdoors secret and have all computers in the world remain unpatched.

And of course not just German authorities are very interested and find state Trojans very sexy. No, quite the opposite. This world map of Trojan use is remarkably red. At least as far as FinFisher is concerned, you see in this map, which was made by Citizen Lab, places where the software has been found or used.
That of course is a nice thing, that we in Germany can strive to find proper legal foundations. But if we manage this, if we get a proper foundation that protects privacy, that doesn't mean that we'll have got rid of the problem. No, quite the opposite. The thing is that we can assume that the software that's in use worldwide, as we can see, is made in Germany. And that is the problem: made in Germany, but not only used in Germany, but across the whole world, in places where the rule of law maybe is not that intact, because of course it's very interesting to use state Trojans against people who for good reasons are in trouble with the state.

This is José Eduardo dos Santos from Angola in South West Africa, who seems to be on FinFisher's customer list, or Hamad bin Isa Al Khalifa, who announced himself as the king of Bahrain. Regarding press freedom: in the index for press freedom in 2017 Bahrain is in a proud 164th place of 180 countries, so press freedom in this country means to write what the boss wants you to write. Bahrain is one of the least free countries in the world. Censorship and repressive legislation prevent free journalism. Journalists are under arrest, so that means that there are targeted attempts to hack people who have a critical voice.

But the problems begin at home, or very close to our own doorstep. Well, even in Europe, or in places that want to join the European Union, we have people in power who have an issue with their own population, and their political opposition in particular. And well, there was a range of political unrest, including an attempted military coup in Turkey in 2016. After that, Turkey has turned into an increasingly repressive regime. After that failed military coup attempt, more than 50,000 people were arrested, more than 140,000 people were removed from their positions of employment.
Right now Turkey has become the country which in the entire world keeps the highest number of journalists in prison in proportion to the population size. Right now there are at least 34 journalists who are under political arrest. Hundreds of journalists, and many organizations were closed down. That's very, very obvious; often people really try to repeatedly point out that these people are suspected of being terrorists. Basically, if you're in the wrong place at the wrong time you are a terrorist suspect immediately and can be arrested and put into prison. Luckily, despite all repression, at least in Turkey there is still a political opposition. For instance you can see in this picture: in the summer of 2017 members of the opposition went out onto the streets under the motto Adalet to protest against the Turkish government.

However, after that the Turkish Secret Service or Intelligence Service had a particularly insidious idea, because protests against the big master, that's absolutely unacceptable. Hence the Intelligence Service created a website online which, as you can see here in the picture, at first sight looks like it may have been created by an opposition organization. So it looks a bit like that, with the logo and the picture, as if this was being run by people who support the protests. And on this website, which might look like a protest-based website, there was a really nice button on the lower right which looks like you're going to the Google Play Store if you click on it. However, if you click on this button you can download an Android software, an APK file, and it's being offered for download in this particular instance. It was there for several weeks. But the problem is, as you may suspect, this wasn't a messenger app or some kind of calendar app that the opposition may have used to organize themselves, but in reality this APK was an Android Trojan, which we identified and will continue to describe as the Adalet Trojan from here on.
So the question is: where does this Trojan come from? Where did it come from? We believe, based on what we know right now, that this Turkish Trojan that was used against this movement in Turkey came from Germany, and we have invested an enormous amount of time to prove this and show you evidence for why we suspect that this is the case. As you can imagine, Anna Biselli said this very nicely two days ago: if there is a Trojan somewhere, the swine and the pigs aren't far away. So if someone is waving around with dollar bundles, if you have a dictator who's waving around money, there will be companies not far away who are willing to sell them something, regardless of human rights, whatever. One of those institutions and companies is FinFisher from Munich, which describes themselves as having been excellent in cyber investigation.

Going up against such producers of Trojans is difficult from a legal perspective, because under particular conditions these Trojans can be used legally; the mere fact that they're creating Trojans, that in itself is not illegal, especially if German government institutions are also some of their customers. For instance, according to reporting by netzpolitik.org, the Federal Criminal Police Office is also one of their customers. So is the Berlin police. But you cannot simply export Trojans to other places, because they're considered cyber weapons. So there are restrictions on the export of Trojans. It's not generally banned, but they're on a list of export-controlled products, because before you export a Trojan you need the permission of the German government. There are only a few countries that are exempted from this need for permission, mostly EU countries and a few others. In the case of Adalet this was a really nice case, because the Turkish government is using a Trojan against their political opposition.
There was already some trouble with the Turkish government, and this Trojan is apparently, of all places, from Germany, and the export of Trojans from Germany to Turkey was illegal, because there was no permission, at least according to the German government. So for us in this case, which was netzpolitik.org, which is a German publication, and the Society for Civil Rights, an NGO, this is a case for the state attorney, for the public prosecutor's office. So we filed a complaint against the illegal export of cyber weapons, and we worked with Reporters Without Borders, netzpolitik.org and the ECCHR, the European Center for Constitutional and Human Rights, and we joined up to submit a criminal complaint, and submitted it this summer, to achieve that the people who were responsible at FinFisher for this export of this Trojan are being held accountable. Because we think that just as German weapons shouldn't be used to murder people in the entire world, German Trojans shouldn't be used to suppress human rights in the rest of the world, or even in Turkey. So here's a timeline and an overview.
So this is the timeline for our criminal complaint, or rather for when this sample (that's what we talk about when we get some of the code from such an APK or malware) turned up: we got that in June, it was spread in June 2017, so that was well after the guideline for export restrictions was introduced. It's very obvious that the target group were members of the opposition in Turkey; that was very obvious based on the website. And as Ulf already said, we sent a request to the German government, which confirmed that at least in this time, between 2015 and 2017, there were no export permissions for FinFisher in this direction. At least for us it was clear that this was enough for a criminal complaint. Obviously we needed to investigate the facts a bit further, but at the very least it was sufficient to notify the prosecutor's office of this case, and we have a range of pieces of evidence that this case is being taken very seriously.

In September 2019 we published this criminal complaint, amongst other things on netzpolitik.org, which is a German publication that reports on internet politics. And we can very much assume that the people who run FinFisher are not very happy about this, because they used illegal means to make netzpolitik.org take that article down. But luckily they got a range of donations, a large amount of donations, so I hope that it won't create financial profit for the people who sue them. But I heard that there are maybe archive-type websites on the internet, so you can read the article in its entirety on those types of websites. So FinFisher and their friends are hitting back. What we think is that the people who are hit essentially try to defend themselves. So we asked the Chaos Computer Club to look at the evidence we've collected against FinFisher so far, to look at it very closely to see whether there might not be additional evidence. The aim of this mission is to essentially create further evidence, so that we have
the necessary evidence for a criminal complaint based on the law that essentially restricts illegal exports, the German foreign trade law. I'll spare you the legal details; it's pretty complex in detail, but it basically references another foreign trade regulation where there is a list of particular goods, starting from regular tanks all the way to a state Trojan. And this is a list of goods that you can only export if you have a permission, and we think that this is the law that FinFisher broke.

We asked the Chaos Computer Club to take a very detailed look at this Trojan and asked about two facts that have huge legal implications. First, the time that the Trojan was made, which is relevant when you want to find out whether the software was made after the deadline in mid-2015. I think, yes, exactly: so if you can prove that the software was only made after that time, then we can assume that it was only exported afterwards as well. And the second important question was, if we take a very neutral approach: who produced this sample? There was initial evidence, initial clues, that this was FinFisher, but that would have to be clarified. So we asked the Chaos Computer Club and they took a look.

And we've had previous analyses; people have looked at FinSpy samples, and these analyses were the starting point for you, weren't they? Yes, we said that. Yes, could you take a look at these previously existing analyses first, from Citizen Lab for example? They did this not just for FinFisher products but also others, and the issue was to check whether this is all plausible, whether the findings could be reproduced, and whether you could summarize it in a way that German investigating authorities could use legally. And we obtained an expertise from... we looked at expertise written by others; there is a certain plausibility check there from 2018 from a company, and in 2018 Access Now published a report summarizing the current
state of knowledge. And for the criminal complaint there was a technical analysis, in particular of this Adalet sample, the actual subject of the whole complaint. And we looked at all those documents and saw whether there were any gaps that needed to be filled, whether things should be described in more detail, and that was the main work that we ultimately had to do. If you expect that this was completely groundbreaking new evidence about these two Trojans, then sorry, I'd have to disappoint you. We verified a lot of work that other people did, and we found some new clues that seemed much more grave than what has been said so far.

And I think you did find some very interesting technical details that we will come to, for example the provisioning: how does the Trojan get adapted? That was a very interesting technical detail. So then, the day before yesterday... it was yesterday, you published the CCC's analysis. Yes, we published it yesterday, so that we had some material that we could refer to, if time allows for the Q&A maybe. And we wrote an in-depth report where we also evaluate and weigh up what we found and come to some conclusions. So what we found very important in the work is that we published everything, in contrast to the other organizations that did invest a lot of work. We published all the samples on GitHub; there is a link afterwards, there will be one. All the tools we used are in that repository, and the intermediate results we found. And the objective here was that everyone should be able to reproduce our results. We have the samples, you have the samples, you have the tools that we used for that 60-page report, and you can just look at those conclusions and see how we think. We really wrote a comprehensive summary.

And the commission: of course you cannot really commission the CCC, and in particular the Society for Civil Rights did not pay the Chaos Computer Club. That's an important thing to say. We didn't commission an expertise; we just asked, if
you found this interesting, then please take a look. And I do believe that it's great that the CCC, in the person of Thorsten here, has taken the time to do this. So to briefly summarize, this was the commission: analyze, verify, close gaps in the chain of clues, and perform some targeted analysis of further samples. When was the Adalet Trojan that was used in Turkey made, and second, where does it actually come from?

And these here are a whole number of samples, and we can see in this listing that we analyzed these. These are the original malware files that are part of the Trojan. This is all in that GitHub repository, by Linus Neumann, who I did the whole analysis with. Thanks again to Linus; we spent several nights with this fantastic Trojan. And as you say, these Trojans were used in Turkey, in Myanmar and Vietnam. Well, there are some clues about where it was used. Regarding Turkey it's quite easy to say, because we had this website which was targeted against these groups. And also there are samples where we can be quite sure that they were used in Myanmar, because the name of a very well-known Burmese platform was used to spread the sample, and that of course is a very clear indication that it was targeted against this population. About Vietnam I'm not so sure. Attribution there is generally a difficult thing, and it's also quite difficult to see where it was used, because all the metadata that you can find in the samples, IP addresses, phone numbers and all that, they're not hard evidence.

But let's start with the important question: when was the sample produced? And you spent quite a lot of time thinking about this question. And the central question was when it was actually made. We looked at the samples and looked for indications that the software may have been made after 2015. There are various ways of trying to find that. In general, what we see in these binaries and these malware samples is the earliest possible time: if I can prove that a component of the
software was only made in May 2016, or published at the time, then that does mean that the whole software sample overall can only have been made after that time. So we can prove the earliest possible time. It could be possible that it was only made in 2017, but no earlier than 2016 for sure. So when a library has been published and used, it cannot have been made before the library was published. So we were looking for certain compiler artefacts, certain strings that open source products contain. But then these APK files, the Android app files, are distributed as APK, and that is technically nothing but a ZIP archive, which most of you will probably know. And within these archives you can find certificates about the developers that published this, and with those certificates you can look at a timestamp for when the certificate was issued. That, from a legal point of view, is not very hard evidence, because a certificate can be given any timestamp you want; you can say I'll go back in time or I'll date it into the future. That's all possible, but why should you do that?
Well, maybe there is a good reason, and because of that issue we looked at samples that went all the way back to 2016; we looked at those APKs for the Trojan from 2012 and 2019. So when you have a sample from 2019 with something that was used in the past as well, then you can ask whether this is plausible or not. And also there is public documentation, which is first the sample itself, which we obtained from the internet from various sources. But it's important, therefore, that all the 28 samples that we had should be looked at, and you should ask when the individual sample was made. And one clue was the time that a certain library was made.

And here you can see the disassembly of a shared object that was delivered. And Android applications are actually just Java applications, so there's Java bytecode in that. And in Java you have the option to use the Java Native Interface to access other code that was perhaps provided by the operating system or written in C or other programming languages, and that is also part of the delivery. And in that sample we found a shared object file, which in the Linux operating system has the extension .so, and under Windows they have the extension .dll, dynamic loadable libraries. And there was a library in which we found certain strings that seemed to say that this can only have been made in 2016. We can see this because it's SQLite, that is an open source database application, and in the compiled file it leaves this string which is a date, a timestamp, and a hash. And if you look at the hash and see when this string appears for the first time, you can go to the website of that open source project and find that this version of SQLite is version 3.13 and that it was published in May 2016. And you can see that very checksum, with the exact same string. So you can very confidently, 100% confidently, say that no one came up with the idea in 2012 to write this; that is quite unlikely. I hope I'm not going to laser into your eyes.

And then you were looking at those
certificates with which the software was signed. We did that as well, and the other researchers did that too, of course; they worked in much the same way. But we did want to analyze the analyses as well, so for completeness we included that in our report, and we included a timeline; there's a nice table upcoming. And you can see the output here of the certificate that the developer used to sign the piece of software. You can see that it was produced in October 2016, so it fits the picture if you assume that the certificate was made when the sample was built, and that is after May 2016. The question how long it is valid doesn't really matter. But it would now be very nice: what would we get if we backdated this? If we backdated it, that would be nice; we could then mislead researchers. If we would state that the certificate was produced in 2012, there would not be much we could say. But later there will be these fingerprints of certificates, that's these long SHA values here; that's a cryptographic hash calculated across the certificate, and that is a unique value. So if you go to those 28 samples and look at all those certificates, we compare these SHA values as well, because the term fingerprint expresses it quite well: if we find this exact fingerprint in another sample, then we can at least say that both samples, regardless of when they were produced, come from the same maker. And that is quite important evidence for the conclusions that we'll draw.

But these two aspects that you mentioned, the libraries and the certificates, can lead to the conclusion that the Adalet sample was not made before the 18th of May 2016; the library wasn't published before that. That is such important, such hard evidence that we can confidently say that it was not made before that date. So that date is after the coming into force of the export controls, so this sample, if it really was exported into Turkey, would violate foreign trade law. And the second aspect, maybe even more important: what is the origin, what
kind of being, what kind of creature is this Adalet creature? And as we said, we collected samples across a wide time range and looked at what they have in common. How can you conclude that they come from the same source? And you don't have to care what the source is called, but it was important to see if there is a connection. So we looked at these code signing certificates. As I said, there are some other indications for this time issue, but those are not so important at the moment. The coding style is important. As I said, these APKs are basically written in Java, but there are some shared object libraries as well that were developed with other languages, so you can decompile the Java code and also disassemble those libraries and obtain an insight into a certain coding style. You can look at variable names, see if obfuscation was used on the code, so code origin, culture and structure could be concealed that way if it was used. The code base could be compared: so what are the features of one application, is that functionality present in the other sample as well, in the other application that we had in 2014 and 2017 and so on? So we can compare these things and notice differences as well as things in common, and therefore observe the evolution of that software. And we took great care in looking for the native language of those developers, and you can see that quite clearly in some places. And you can also look at when and how they were provisioned, whether they were similar. This provisioning means that the Trojan was adapted for the specific use. The Trojan is basically standard software, at least used in many cases, but for every single country different parameters were set, and we come to that as well. And the interesting thing here is that these are parallels between different samples, so you can then possibly say that these samples come from the same source. But that doesn't say what source that is, what the kitchen was where it was made. The second step
therefore is to find samples of confirmed origin. If you see that samples are coming from the same source, and at least one of the samples can be traced to a particular maker in a confirmed way, then you have a very high probability that the other samples come from that origin as well, from the same production line, that is. And we are very grateful there to Phineas Fisher, who carried a large amount of stuff out from that company and published it, with many, many samples. Thank you, Phineas Fisher. In other words, for this analysis it was really advantageous that there were particular samples that came from this Phineas Fisher hack that we could attribute with a high degree of confidence to Phineas Fisher because of all this evidence that there was. So we kind of have two anchoring points, and we can use those anchoring points as a basis for comparison of further samples and go further and further with that.

But obviously that doesn't change anything about the fact that attribution is hard. So obviously we are still looking for further clues that might point us towards the person or the entity that created this. So for example, in cases where the German parliament was hacked, in many cases someone says it was the Chinese, it was the Russians, but that's very hard. Obviously we have to do the attribution to some degree, but we really use the clues and the context that we have with regard to, for example, where the sample was used. What would have been possible to fake something like this? For instance, if I say I am part of a hacking group, or maybe I am a rival of Phineas Fisher, maybe I want to portray them in a bad light, I want to make them look bad, and so I might fake their malware and implement a false flag activity. I mean, that's hard, but we think in these cases it's quite unlikely. And something like this, you could theoretically fake it? Oh yeah, no, you can definitely fake it. But what we can see here is the processed outcome of
such a configuration, one of these provisionings, as Ulf mentioned. These individual samples are not being compiled individually every single time; there are basic parameters which are being used for each case that are necessary, and then this is one of these configurations that are being used for compilation. For example: oh well, the proxy for calling home is this IP address, or maybe this hostname; in a different place you can see a target ID which is called Adalet, which is what whoever built this Trojan came up with. Then there are several phone numbers where you can send texts or that you can call. And so in this case you can see quite obviously that this attribution is hard: I mean, the phone number is from Israel and the other phone number is an international reusable phone number, so that's not super obvious. There are no strong hints that it was definitely being used by Turkish government institutions.

With regard to the family of the samples that you looked at, it looked slightly different, because you can use the certificate that was used to sign these samples. Yeah, there are a few indications that we got from this certificate, based on which we essentially summarized samples as part of different groups, like things that definitely belong together and things that definitely don't belong together. This list looks very confusing. One thing that is marked as green, that's the Adalet sample that we're using as the basis for our analysis, so we want to find things that are similar. Everything in red has one parallel piece; all of that is from the Phineas Fisher leak. Everything that's in yellow at the top was published once in 2012, and so there are relevant analyses and several clues that it also is something that comes from Phineas Fisher. So if we assume that all these red ones are from Phineas Fisher, because it was part of the leak from a Phineas Fisher hack, then we have here one sample that is "four two one A N D"; four two one seems to be the version number, A N D seems to
refer to Android. And we can tell that this fingerprint of the certificate that I was explaining earlier, that we can find this fingerprint in a different sample from two years earlier. So two years earlier samples were leaked that had exactly the same fingerprint. And at the top we have this typo, "Andrea"; that's one of their typos. So there seems to have been some kind of demo sample that the company apparently was trying to show to someone, to demonstrate what this Trojan can do, and so they provisioned it with different websites and had some server URLs that at the time pointed towards Gamma International. But in addition to that, they also used the certificate to sign a sample in the wild, this one called DRyze, which was identified in Vietnam and which was also referencing Vietnamese IP addresses and phone numbers. Attribution is hard, but in that case we can definitely say that this demo sample and this in-the-wild sample are definitely from the same place, by using this certificate's fingerprint.

And the next step you did is that you were looking at the structure of these individual samples, in particular how this software works from a logical progression. So yeah, we were looking at different functions, and we looked at what different functions this file has. So we were also looking at their coding style, which types of variables they are using. For example, you can look at non-obfuscated Java code. What we can see here: there are two different samples, one is from the 2014 leak, that's also some kind of demo version, and a 2016 version; so I say 2016 because it was definitely written after 2016, with the Adalet sample. And so we did a refactoring here where we renamed all the variables and the different functions, but it's definitely one and the same function; that's very obvious once you look at the code. But I didn't want to show you the source code, which is why I did a call flow based on the source code that I'm
showing you here that's a function called run in the 2014 sample this is under a class called sms in the Adelaide sample it's under a function called sims which was written in lead speak and one thing we can see very clearly that this function basically executes exactly the same code with some marginal changes and differences at least in our opinion that can't be in coincidence so we think that's essentially a further evolution of the samples from 2012 and 2014 and now 2016 so that's the evolution that's the information that we could gain from looking at these in addition to that you can also draw conclusions from this piece of lead speak because if you think well the term sms is something you may understand it in other contexts where people might not use it at least in Germany it refers to text but in other places you use different terms but especially if you start thinking of the German term simsen which is a German term for to text that's extremely typically German and I really can't imagine that a German the Turkish programmer might suddenly start talking about simsen such as a German programmer might speak English might not do it this is a term that used to be very modern and was even included in the German lexicon of reference so it's very difficult to imagine that someone who is not a German native speaker might or would use this term as part of their code especially with regards to the context of catching texts and in the context and then is even trying to obfuscate it but you also found another piece of obfuscation that was especially smart at least I thought I was really impressed when I read this analysis which is with regards to how this data these parameters that we were talking about this data for provisioning was saved in these virus files was hidden there in that case the developer came up with a cover channel which is something similar to steganography were you hiding information in different data structures in an automated way so you cannot really 
recognize it by just looking at it with your bare eyes so what types of configurations do you have to hide here for instance I was talking about these phone numbers that are being called or that you can send text to these IP addresses that the malware is connecting with so it can connect with the control and command server can control the software how long the measure is going to run in this APK somehow and it has to be saved in there somehow and one thing that you noticed when you were looking at the samples is that all of them were using exactly the same procedure for this that's exactly the same procedure yeah we didn't even discover this others discovered this such as Josh Kunzweig in a blog entry in 2012 already wrote about this who was analyzing those Finspy samples so it's not something incredibly cutting edge but at least we can show and we can watch this procedure being used across these seven years in all of these samples and also since it's not kind of a standard measure or procedure that you can find in malware a lot we can basically assume that this technology really originated from the same developer which means that all of these samples these 28 samples that we had that they probably come from the same place what does this look like so this is the top of the file no so these are the APK as I mentioned is basically just in zip archive and this zip archive includes and contains metadata on the data that are included in the archive itself and so there you have the central directory structure with different fields so here you have the header which has different byte and bit fields which are defined and which essentially define the attributes of files that are included in this archive and describing the attributes of these files one really important piece of metadata that you can use to transport data without being detected too easily are file system attributes so for example this zip specification essentially assumes that you use 36 bit for internal 
signatures and for attributes in the target system so hence we have six bytes per central directory structure which you can use to hide data because of course you can write completely idiotic file attributes which is what they did so if you're unzipping these files on the target system they don't make any sense anymore but they don't have to because you're not using this data these are only dummy files here you can see it in the hex editor you can see this apk and you can see the structure you have the signature this pkzip signature that's in yellow at the very beginning and then you have an offset of 36 byte later you have these six bytes of file attributes and if you know anything about Unix file systems you can tell immediately that this is not a regular bit field for attributes that make any kind of sense instead what you see here are base 46 encoded files and so base 64 encoded and so if you parse this and you look at all of these signatures and then you put these file attributes together and then you decode the final string you base 64 decode this entire string then you get a binary file that basically is exactly the configuration of the sample of this malware and contains this malware's configuration as I said that something that someone has already documented previously we basically just went over this again and used this technique and checked for the entirety of the samples so in the first step we had to extract the files and then in the second step we have to parse these files and the tool for doing this is also on the GitHub so you don't have to believe us that this is the case but you can just check for yourself and download this file and run this tool and run it over the samples because we hope that maybe you can use this to analyze further samples and this is an overview of something like that looks like in its entirety and I think we have to jump a bit to see where we continue here so that's one of these configurations as it looks like in its 
entirety for example which is from 2012 which was already uploaded to VirusTotal in 2012 and as you can see you have these host names that already include the host name but I also have to say that this is not it doesn't have a lot of evidentiary power because if you just find these chains because Josh Kunzweig who already said in 2012 and already published a tool on GitHub which you can use to create such a configuration and insert it into such an APK so basically this means that you could also fake something like this so the piece of evidence that we get is not what is written in these hidden fights of configuration but all samples are using the same strategy and the same proprietary strategy which is pretty smart to hide the files in the APK file and the similarity is basically the main result from this analysis because all samples that you looked at are using this proprietary mechanism but you're also saying that the format was developed further and evolved so it looks like that if you look at the content of this binary file they're using some kind of directory to attribute different functions and names to different files and that's something that makes it easy to parse this file and to look at it to figure out which values mean what and so these values are for example this so for instance in the Adelaide sample we had different values that don't necessarily point towards Turkey from the same time there is a Flash 28 sample which had large similarities with the Adelaide sample which for example is using a proxy from New Zealand but they are still using the same Israeli phone number and then the De Rice sample as I mentioned has all these values that are pointing towards Vietnam so the proxy, the phone for texting, the call phone whether that means anything, I don't know but at least we also published all the conflicts that we extracted on GitHub and you can find it on Linus's Fins by Documentation where we also published our report and all these samples and so 
maybe there's someone who wants to look at these phone numbers and maybe someone knows about them from other contexts I think their different interesting conclusions might be able to draw from that so we would be really interesting to hear something like that so this is kind of like the overview of the samples that you analyzed so I think you can already tell that there is something like a family resemblance we think the one that's somewhat different is this one which we just called container because it doesn't have a different name which is an APK that has no parallels to the others at all but this one sample is different from the others in the sense that we included it here nevertheless it drops and essentially puts malware somewhere and so in this gray sample there's a root kernel exploit against a Unix kernel on Android devices and they are using a vulnerability known as Dirty Cow to become root on the phone and they also have several tools to stay root for the entire time frame and so there's another sample called Piaf app I don't know how to pronounce that but that's the one that we assume was used in a Burmese context which because Piaf is a very well known social media network in the region and the answer from a technical perspective we've basically said most of these things already but in conclusion in summary well as I said they're using all samples that we looked at are using the same proprietary mechanism for provisioning all these extracted configurations exist in a very particular binary format that is not something that is commonly used so that definitely has to come from the same place there's also large similarities with regards to the Java code that they use and there are also indications from somewhere in Germany we can also say that the Adelaide sample was created at the very earliest in the year 2016 and the samples from 2012 to 2014 can also be uniquely attributed to the company Finfisher so in conclusion we think it can be said pretty clearly 
that all of these samples that we're looking at from 2012 to 2019 can be attributed to the group or the company Finfisher and all of this you can read up on in detail in the study by the CCC which was published yesterday and as I said earlier we also really want these to exist and we want to publish them in English so we also put a pad for an English translation onto this file and this link this pad doesn't exist yet but this can be turned into a raw translation we would like to cross-source this translation quite a bit of work and so we ourselves can't just translate this ourselves during congress but here is the URL where we will cross-source this this report and then of course check the facts obviously our NGO will also check the facts and we assume that the prosecutors will do that as well but we really appreciate the fact that the CCC published all the tools for the analysis and all the files that they used for the analysis so you don't just have to believe them but you can essentially check their analysis yeah transparency is incredibly important and so just hello to the German prosecutors office you obviously also have access to these files in the newest version and maybe you can also have a look at it and we are always open for pull requests this is since the German criminal federal criminal office also bought the Trojan from Finfisher so a pull request from Wiesbaden or Berlin that would be interesting you can use Tor as well that's fine we're open towards any of these things and the Berlin criminal office state criminal office also has a file well they could also have a look at that so what does this mean for the criminal complaint yeah from the civil society society has a rights perspective and the club perspective we have no doubt that the German Finfisher Trojan was used against the Turkish opposition we are convinced that somehow this Trojan has to have made its way from Munich into the hands of the Turkish authorities and the violations against 
foreign trade law has not expired yet so the ball is now in the court of the Munich prosecutors because the question is how exactly has the Trojan reached Turkey we cannot prove that this certain agent with a black suitcase went somewhere and flew somewhere that's what the prosecuting authorities would have to investigate but as we said we filed the criminal complaint and the prosecutors have all the means to find it out and we are convinced that they will use all means possible because it's clear that human rights cannot only be violated using international coughs but also through trade Trojans and that has to be finished thanks a lot yes huge thanks we have a little time left one minute this is your applause great we unfortunately have no more time for questions at the very beginning before this talk I mentioned that there is C3Post and the speakers have mentioned that at the 28 C3 they received a hard disk surely it was delivered in different ways but I am the postman today and I can deliver a package to you oh this is yours okay only open after the talk thanks very much indeed thanks for listening to the translation please give us feedback on twitter using the hashtag C3T or on Mastodon this was Whitey Chan and Sybilis thanks a lot for listening you can also email us at hello at c3lingo.org so if you listen to this please let us know what you thought
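The central-directory covert channel the speakers walk through in the hex editor (six bytes of internal plus external file attributes at offset 36 of each header, concatenated and base64-decoded), as an added Python example for detection; this is not the CCC's GitHub tool or Josh Kunzweig's, and the archive, entry names and config string it builds are constructed here, not taken from any real sample. It flags entries whose attribute bytes fall entirely within the base64 alphabet, which genuine Unix attribute bit fields almost never do, and decodes them in directory order.

```python
# Added example (not the CCC tool from the talk): detect and extract a config
# hidden in the file-attribute fields of a ZIP/APK central directory.
import base64, io, struct, zipfile

B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
CDIR_SIG = b"PK\x01\x02"  # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record

def central_directory_attrs(data):
    """(filename, 6 raw attribute bytes) per entry: internal (2) + external (4)
    file attributes sit at offset 36 of each central directory header."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory corrupted at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, bytes(data[pos + 36:pos + 42])))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def looks_like_base64(attrs):
    """Real attribute fields are sparse bit fields (mostly zero bytes); six bytes
    drawn entirely from the base64 alphabet are the anomaly to alert on."""
    return all(b in B64_ALPHABET for b in attrs)

def extract_hidden_config(data):
    """Join anomalous attribute fields in directory order and base64-decode.
    Returns None when every entry's attributes look legitimate."""
    chunks = [a for _, a in central_directory_attrs(data) if looks_like_base64(a)]
    if not chunks:
        return None
    blob = b"".join(chunks).rstrip(b"=")  # drop filler '=', restore real padding
    return base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)

def build_sample_apk(config):
    """Constructed test archive: dummy stored entries whose attribute fields carry
    6-byte slices of base64(config), the layout the talk describes."""
    encoded = base64.b64encode(config)
    encoded += b"=" * (-len(encoded) % 6)  # fill the last 6-byte field
    slices = [encoded[i:i + 6] for i in range(0, len(encoded), 6)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(len(slices)):
            zf.writestr("assets/dummy%d.bin" % i, b"x" * 16)
    data, pos = bytearray(buf.getvalue()), 0
    for chunk in slices:  # overwrite each header's attribute bytes in order
        pos = data.find(CDIR_SIG, pos)
        data[pos + 36:pos + 42] = chunk
        pos += 46
    return bytes(data)
```

Run `extract_hidden_config` over a real APK's bytes to triage it; a None result means no entry carried base64-looking attribute bytes.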