{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/surveillance/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ToTok","iOS App Store"],"_cs_severities":["critical"],"_cs_tags":["spyware","ios","surveillance","totok"],"_cs_type":"advisory","_cs_vendors":["Apple","Breej Holding Ltd.","Facebook"],"content_html":"\u003cp\u003eThe ToTok application, developed by Breej Holding Ltd., gained popularity in the United Arab Emirates (UAE) due to the blocking of other VoIP services like Skype and WhatsApp. However, American officials identified ToTok as a spying tool used by the UAE government to track users. The application collects extensive user data, including microphone, calendar, location, photos, contacts, and camera information. This data is transmitted over the network, with traffic primarily routed through the capi.im.totok.ai server. The application\u0026rsquo;s Info.plist reveals it requests permissions for accessing sensitive user information, and uses HTTP, which is atypical for iOS applications, as iOS typically enforces HTTPS only. The application has since been removed from the iOS App Store after these concerns were raised.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser downloads and installs the ToTok application from the iOS App Store.\u003c/li\u003e\n\u003cli\u003eThe application requests permissions to access microphone, calendar, location, photos, contacts, camera, and Siri integration.\u003c/li\u003e\n\u003cli\u003eUser grants the application permissions to access their data.\u003c/li\u003e\n\u003cli\u003eThe application collects user data, including contacts, location, and communications.\u003c/li\u003e\n\u003cli\u003eThe application transmits collected data to the capi.im.totok.ai server.\u003c/li\u003e\n\u003cli\u003eNetwork communications are encrypted via SSL, but the application uses a self-signed certificate, potentially undermining trust.\u003c/li\u003e\n\u003cli\u003eThe UAE government leverages the collected data for surveillance purposes.\u003c/li\u003e\n\u003cli\u003eThe application runs in the background due to UIBackgroundModes, continuously collecting and transmitting data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe ToTok application enabled mass surveillance by the UAE government, impacting tens of thousands of users. User privacy was compromised, with conversations, movements, relationships, appointments, sounds, and images being tracked. The application\u0026rsquo;s ability to run in the background allowed for continuous data collection, and the use of a self-signed certificate raises concerns about the security and integrity of the transmitted data. The removal of the app from the iOS App Store indicates a recognition of the severe security and privacy risks posed by ToTok.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to the domain \u003ccode\u003eim.totok.ai\u003c/code\u003e and block if found, as this was the primary communication channel (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify applications using self-signed certificates issued from the United Arab Emirates (AE), as observed with the ToTok application (see rule: \u0026ldquo;Detect iOS App Connecting to Host with UAE Self-Signed Certificate\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDevelop a Sigma rule to detect iOS applications requesting access to microphone, camera, location, photos, contacts, Siri integration, and calendar permissions simultaneously, as this is indicative of potentially malicious data collection (see rule: \u0026ldquo;Detect iOS App Requesting Excessive Permissions\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T18:22:00Z","date_published":"2024-01-27T18:22:00Z","id":"/briefs/2024-01-totok-spyware/","summary":"The ToTok iOS application, developed by Breej Holding Ltd., was identified as a spying tool used by the government of the United Arab Emirates (UAE) to track users' conversations, movements, and relationships by collecting sensitive user data and transmitting it to servers using self-signed certificates.","title":"ToTok iOS Application Used for Government Surveillance","url":"https://feed.craftedsignal.io/briefs/2024-01-totok-spyware/"}],"language":"en","title":"CraftedSignal Threat Feed — Surveillance","version":"https://jsonfeed.org/version/1.1"}