Four German states have confessed to using spyware to track people online, days after the Chaos Computer Club hacker group accused German authorities of distributing upgradeable malware.
The states of Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony all say they have deployed malware to varying degrees, according to Deutsche Welle. However, it is not certain that these were all the same malware, nor that any were using what the CCC has dubbed the 'Bundestrojaner light' — security experts are calling it 'R2D2' instead, after a reference in its code.
Brandenburg is using spyware in a single, ongoing investigation, according to the report on Tuesday. Baden-Württemberg has used it to investigate multiple cases, and both Bavaria and Lower Saxony have been using similar means for two years.
The highly regarded CCC said on Saturday that it had reverse-engineered and analysed malware, sent to it anonymously, that was written to spy on people. Lawyer Patrick Schladt subsequently claimed that the malware had been installed on his client's computer by customs officials at Munich Airport (in Bavaria), and that he had passed the hard drive on to the CCC with his client's permission.
It is legal in Germany for authorities to use limited malware that can listen in on VoIP conversations, in much the same way that traditional phone lines can be tapped, but only if authorised through a court order and only in serious criminal investigations.
However, the CCC said the malware it had analysed could execute code that had been remotely uploaded to it, effectively meaning it could grossly overstep what is allowed in German law. The hacker group said the malware could even track what was going on through a user's microphone and webcam, while capturing screenshots.
To compound the matter, the group also said the malware was riddled with security flaws, making it quite possible for someone to upload false evidence to the control centre monitoring the suspect.
Germany's federal crime investigation agency, the Bundeskriminalamt (BKA), has denied having anything to do with the malware, and the country's justice minister has expressed outrage at its existence.
According to the security firm Sophos, the R2D2 Trojan can not only record Skype conversations, but also "eavesdrop on the likes of the MSN Messenger and Yahoo Messenger chat clients, and record keystrokes in browsers such as Firefox, Opera, Internet Explorer and SeaMonkey".
The malware seems to "connect to an IP address, 220.127.116.11, which appears to be based in Düsseldorf or Neuss", Sophos added.