Cyber weapons company executives arrested. Government agencies, their biggest clients

It is well known that multiple companies sell spying software (also known as spyware) to governments around the world, which use it to track dissidents, activists or political adversaries. This is undesirable on its own, but it can get worse. According to information security experts, companies that sell spyware to governments sometimes maintain control of the servers through which the intercepted information circulates; Diego Fasano, an Italian developer, appears to be linked to such a scheme.

Fasano is an executive at eSurv, a seemingly benign mobile app developer. However, recent research found that Fasano actually distributed spyware disguised as an app that fixes errors on the smartphone.

According to the information security report, target users were tricked into installing the app in question. Once installed, the app gave law enforcement agencies access to various resources on the victim’s smartphone, such as the microphone, camera, stored files and encrypted messages. The spyware was known among developers and law enforcement as “Exodus”.

Multiple agencies reportedly acquired the Exodus spyware. Fasano’s alleged clients include L’Agenzia Informazioni e Sicurezza Esterna, the Italian NSA counterpart. To make matters worse, an Italian prosecutor found that the information intercepted by this spyware was not adequately stored by Fasano and his company, so it was completely exposed on an Amazon Web Services (AWS) server based in Oregon, available to any user who knew where to look for such resources.

The Italian prosecutor’s office notes that the compromised information includes personal photos, audio samples of conversations, private messages, emails and videos, among other files, collected from multiple devices infected by Exodus. According to information security specialists, a total of 80 TB were leaked, equivalent to more than 40 thousand hours of audiovisual material.

A court has already ruled that Exodus was designed for malicious purposes, so legal proceedings were started against Fasano and other executives of the company. It should be noted that, although this accusation implies that Italian government agencies used malware against specific targets to illegally obtain information, there is no way to bring a legal case against them.