The German Interior Ministry has approved for investigative use a spying Trojan developed by the German Federal Criminal Police (a so-called “federal Trojan”). In fact, it could end up being used as early as this week.
The police will have to get a court order to use the spyware, and prove that the suspect is involved in a crime threatening citizens’ “life, limb or liberty”.
The malware has been developed in-house, and has been available since autumn 2015. It is supposed to be used only for so-called telecommunication surveillance at the source, i.e. to read emails, chats and wiretap phone calls made by the target via his or her computer or smartphone, and not to access files, steal passwords, or set up video or audio surveillance via the device.
It’s seems, though, that it is capable of doing all of that.
And that is what worries experts from the Chaos Computer Club (CCC), Germany’s and Europe’s largest hacker association.
Frank Rieger, a spokesman for the group, says that there aren’t many technical differences between a Trojan that can perform surveillance of digital communications and that which can set up video or audio surveillance.
Back in 2011, the CCC analyzed a government-made Trojan used by German law enforcement and discovered that it also had the ability to set up a backdoor, update its functionalities, take screenshots and activate the computer’s camera and microphone.
At the time, ministers of several German states admitted they used it in criminal investigations, but said it was used only to to effect telecommunication surveillance of suspects.
They claimed that the CCC analyzed the test version of the Trojan created by German firm DigiTask, which was rejected because it could be easily made to take screenshots. The latter version, they said, could only perform telecommunication surveillance.
Rieger notes that it is difficult to for law enforcement to identify, without a doubt, the device that they want to target, and the communications of other, innocent users can end up being surveilled.
He is also pointed out that the German Federal Criminal Police will likely be forced to buy vulnerability information to deploy this malware, and will not want to share vulnerability info with its citizens.
Deutschlandfunk reports (in German) that along with this in-house developed malware, the police has also ordered another spying Trojan from German-British company Elaman / Gamma International – an adaptation of the infamous FinFisher malware.