ToTok, Part 2: The Masterminds of Mobile Malware

The New York Times published an expose on the ToTok mobile messenger application on December 22nd, 2019. The article suggested, in so many words, that ToTok was a covert spyware application. The developers behind ToTok did not take kindly to that accusation.

Giacomo Ziani was one of those developers. Born in the Mestre borough of Venice, he has a degree in economics and international management. Following his years as a student, Giacomo–more commonly referred to as “Giac” –worked largely in project management and marketing. In 2019, he became the face of ToTok.

And he’s a good face to have! He’s a handsome young guy, thin, nice hair and a perfectly-shaved 5 o’clock shadow. Let’s just say: if he were trying to sell me covert spyware, I’d probably get too lost in his pretty brown eyes to figure it out.

In response to the Times investigation, Giac gave a written interview to the Khaleej Times, the English-language news branch of the United Arab Emirates government. In it, he denied that his app was anything other than a private, politically neutral startup venture.

He suggested that any suspicion of wrongdoing might be motivated by just how popular his app was. Then, at a certain point in the interview, he was asked the following question, quote:

“Are there any independent evaluations that can verify the app is secure?”

End quote. He responded, confidently. Quote:

“The irony is that our accusers requested a technical analysis by a former NSA employee who concluded that ToTok “simply does what it claims to do, and really nothing more. No spyware, no backdoors and no malware.”

Okay, let’s take a step back. Let’s face it – If you’ve listened to our previous episode, you’ve probably concluded that ToTok is, in fact, spyware. But, according to Giac, a former NSA employee had verified that it “simply does what it claims to do.” That’s a pretty ringing endorsement, right? Who was this mysterious former NSA employee, who proved ToTok’s legitimacy?

“[Patrick Wardle] All I know it’s flattered. It means they’re reading my research.”

In the last episode of our show, Patrick Wardle–a cybersecurity researcher, and former NSA employee–said the following:

“[Patrick Wardle] If you look at the application with kind of blinders on, meaning you just look at the binary code or just look at the functionality of the application. It really, in a sense, is not doing anything massively wrong. You know, kind of oversteps, right? It kind of maybe it’s a little aggressive about gathering your address book, perhaps using your location and other such things. But compared to like a piece of malware, it’s essentially fully benign. But again, I want to caveat that. That is when you’re solely looking at the application kind of in a vacuum, not at the broader picture of, for example, who’s behind the said application.”

You probably didn’t hear that as a ringing endorsement of ToTok. Now, consider what would happen if I just made one or two edits to that quote. Listen again:

“[Patrick Wardle] If you [. . .] just look at the functionality of the application. It really, in a sense, is not doing anything […] wrong. [. . .] compared to like a piece of malware, it’s essentially fully benign.”

See what happened there?

“[Patrick Wardle] the quote they took out was basically me saying, “Hey, this application does what it’s designed to do and nothing more.” But then in that same sentence, I went on to say, “Hey, this is the genius of the whole mass surveillance operation, right? You don’t need any exploits, you don’t need any backdoors, you don’t need any malware. [. . .] So the fact that they just took the first half of the state– of my statement and didn’t really – and used that I would argue fully out of context, in my opinion, really make them look even more guilty.”

“[Bill Marczak] Hi, I’m Bill Marczak. I am a Senior Research fellow at the Citizen Lab at the University of Toronto. I’m also a post doctoral researcher in Computer Science at UC Berkeley and the International Computer Science Institute in Berkeley.”

Citizen Lab is one of the world’s premier cyber research institutions. Its reporting has contributed to the research we’ve done for our episodes on ISIS, China versus Github, and spyware. For this episode, Bill will act as our guide. Where Patrick figured out the “what” of ToTok, it was Bill’s investigative work that tied together the “who” and, perhaps, some of the “why.” Nate Nelson, our Senior Producer, asked Bill how did he come to work on this case.

“[Bill Marczak] Well, it’s actually kind of an interesting story. You know at Citizen Lab, we’re very interested in looking at these sorts of apps which might have a security vulnerabilities or privacy vulnerabilities. [. . .] And so then when this ToTok case came up, we were contacted by some individuals who felt that maybe this app was sort of a spy app or you know was designed for surveillance. So they said, “Hey Citizen Lab, can you guys take a look at this?””

The first part of Bill’s investigation was, probably, the easiest. It didn’t take a researcher of his talent to figure out that Giacomo Ziani and his cofounder, Long Ruan, weren’t being completely straightforward with the public.

“[Bill Marczak] There’s no indication in my mind that either despite the reports that this is some sort of startup that is sort of organically funded and these people, oh, just decided to make this app. I think it’s very unlikely if that’s the case because there’s just no prior discussion of this.”

Before co-founding ToTok, Long Ruan spent two years as the VP of Marketing and then two more years as the Chief Operations Officer for YeeCall, the app which ToTok acquired and largely used as its own.

“[Bill Marczak] So these people had no previous association with the name ToTok. What they did have was a previous association with Group 42.”

And Group 42 interesting because –

“[Bill Marczak] ToTok was developed under the name “Group 42 IM” before it became the named as ToTok.”

On LinkedIn, Giac lists himself as having been the marketing and communications manager at Group 42 before co-founding ToTok. Long’s connection is less clear.

At a certain point in 2019, Group 42 changed its name to Breej Holding LTD.

“[Bill Marczak] So in this case, the App Store listed a company called Breej Holding which seemed kind of weird. I mean initially, my first thought was hmm, wait a minute. This is an Arabic name and the address on the Google Play store for ToTok is in Singapore. So that’s weird. Like why is it – why is one from Singapore, one had this seemingly Arabic-sounding name?

So I started digging a bit more to Breej and I found they had an address in this economic free zone in the UAE. So like a separate geopolitical entity inside the UAE that has its own – you know ultimate UAE federal law is enforced but it has its own sort of business law which is different from standard UAE law. So they have their own website for registering the corporation and looking up corporation data. So I was able to use those sorts of websites and dig into Breej.

There was also another company called ToTok Holding which had its own set of the directors and investors and all this. So that’s where I started, was looking at, OK, well, I know the address. I know that this corporation should be registered on this website, what does the website say about who owns it, who operates it and who might be behind it?

So as I started digging more and more, I started uncovering like a web of individuals and companies.”

This “web of individuals and companies” was terribly complex. Trying to understand who’s really behind ToTok is a little like trying to figure out who farted on a crowded bus: the smell is diffuse enough that a lot of people could have done it, and whoever actually did do it will do their best to play it off as if they didn’t.

Ultimately, though, every path that begins with ToTok ends with one very rich and powerful man at the heart of the Emirati state. His name is Sheikh Tahnoon bin Zayed al-Nahyan.

“[Bill Marczak] So, Sheikh Tahnoon bin Zayed Al-Nahyan is a member of the UAE Royal family. He’s the son of the founder of the UAE, Sheikh Zayed and he’s the brother of Mohammed bin Zayed who is the powerful Crown Prince of Abu Dhabi. So he’s very well connected in terms of the UAE power circles.”

Tahnoon is exceptionally powerful. A precise analogy is tough, because here in the Western world we try to avoid nepotism in politics. The closest American equivalent to Tahnoon, maybe, would be Hillary Clinton.

“[Bill Marczak] I think it was in 2016, Sheikh Tahnoon was given the title of National Security Adviser for the UAE. And it’s been reported, I think it was in The Washington Post and some other places that he’s a fairly senior role in the UAE intelligence apparatus.

Interestingly, he sort of first came to light to us and other security researchers back in 2012 actually when an activist in the UAE was targeted with spyware. And it turned out that the spyware that was used was purchased from an Italian company Hacking Team but it connected back in the UAE to the offices of Sheikh Tahnoon bin Zayed Al-Nahyan.”

Tahnoon has a long and established history in large-scale cyberspying, including having a business relationship with Hacking Team–one of the most notorious spyware companies we discussed at length in our “How is Spyware Legal?” episode.

“[Bill Marczak] When the Hacking Team themselves were hacked all these documents were leaked, we saw that this entity headed by Sheikh Tahnoon which was doing the surveillance had purchased licenses to spy on 1,000 people simultaneously. So it’s probably a much larger scale of the surveillance that he was involved in which we don’t know about. And that was of course, before his promotion to “National Security Adviser.””

Tahnoon was the centerpiece of the ToTok operation. But the only reason we know this is because of Bill’s investigative work. His name wasn’t to be found anywhere near the name ToTok. The name publicly registered as director of Breej Holding was “Hassan al-Rumaithi.”

“[Bill Marczak] So Hassan Al Rumaithi was listed on the Abu Dhabi Global Market which is this economic free zone where ToTok was registered. He was listed as the director ToTok. [. . .] I found his voter registration record. And his voter registration record gave his birthday and there was also a series of news articles about a Hassan Al Rumaithi who was a mixed martial arts fighter and a jiu-jitsu fighter and enlisted his birthday which matched the voter record and was described in these reports that the jiu-jitsu MMA Hassan Al Rumaithi was the adopted son of Sheikh Tahnoon bin Zayed Al-Nahyan.

In other words, as a kid, Sheikh Tahnoon had adopted… I think the story goes, he adopted some of war orphans from the UAE and Hassan Al Rumaithi was one of them. And then, of course, the jiu-jitsu connection comes in because Sheikh Tahnoon is a big jiu-jitsu guy. He’s the one who brought jiu-jitsu to the Middle East. And it sort of makes sense that Hassan Al Rumaithi would be trained in jiu-jitsu as he’s growing up.

So yeah [. . .] Hassan Al Rumaithi, the director of Breej Holding, the developer of ToTok is the adopted son Sheikh Tahnoon.”

Al-Rumaithi, probably, has never actually directed a company in his life. But as one member of a large royal family–and an adopted one at that–he was a useful signatory that allowed Tahnoon’s name to stay out of public record.

The final member of Tahnoon’s inner circle that’s important to mention here is Hamal Al-Shamsi, his PR Director, and the man listed as sole director of the holding company which connected Giac Ziani to Long Ruan: Group 42.

I know this is getting really complicated, so let’s go back and look at the wider picture again.

“[Bill Marczak] We have Sheikh Tahnoon at the top because he’s the guy that ties these all together. And then we have three sort of entities which… three corporate entities which are linked to the ToTok app. There’s Breej, which as I mentioned is the developer listed on the iPhone App Store. Then there is ToTok Holding company or ToTok Technology Company, excuse me, which is linked to ToTok because the name ToTok Technology Company appears in SSL certificates used by the code. So this company is clearly linked to ToTok. And then there’s also Group 42 which is linked by virtue of the Group 42 IM app which then got apparently rebranded as ToTok.”

Do you see what’s going on here? Companies and parent companies and firms and partnerships–it’s like when a hacker routes their connection to a target machine through different countries and service providers. The corporate structure supporting ToTok involved at least half a dozen real companies, shell companies and intelligence groups, name changes and rebrandings, with the individuals who actually operated the app being hidden behind other individuals given sinecure jobs and ponied around to the public as the supposed developers.

But the point of all this wasn’t just to hide Tahnoon’s name. The real reason to go through all this trouble was to hide one, crucial bread crumb.

That bread crumb was Group 42.

“[Bill Marczak] Probably the same team of people was developing Group 42 as developing ToTok. So it was kind of interesting because Group 42 is an artificial intelligence company. And in fact, Group 42, it appears received this unit which used to be a unit of DarkMatter, a UAE government’s defense contract – intelligence contractor.”

Group 42 had a direct connection to DarkMatter, a known government intelligence organization.

DarkMatter wasn’t just a government entity, it was a notorious government entity. Think of it like the UAE’s NSA. It no longer exists–in name at least–but only because it was discovered to be a hub for criminal offensive cyber operations.

“[Bill Marczak] There was this incident sparked by a report in Reuters about DarkMatter which caused the UAE authorities to apparently cease and reorganize DarkMatter, the intelligence contractor and send its various units to various other companies.”

We’ve just gone down a long, winding path. To review: ToTok, owned by Breej Holding–under the adopted son of Sheikh Tahnoon–branched off from Group 42–under Tahnoon’s PR manager–which is largely comprised of government hackers.

In other words, ToTok is run by one of the country’s most powerful government officials, and developed by some of the country’s most powerful current or former government-contracted hackers.

“[Patrick Wardle] So if you’re a government that wants to surveil a large portion or a large percentage of your population, it’s very difficult or very costly rather to procure these remote exploits and then use them on scale because these exploits are one – very expensive. And two they don’t often scale as well. A far better approach, and again, this is kind of the genius of this ToTok operation is that you can really write an essentially fully legitimate application that you know on papers doing nothing wrong, right?”

Just think about how much somebody could learn about you, with access to your phone through WhatsApp, or Facebook. We’re talking about contacts, all ongoing and saved messaging history, login data, camera and microphone access and, probably, your location at any given time of the day.

The Emirati government didn’t target mobile devices by chance. They knew how powerful it is to crack somebody’s phone, even when compared to, say, a typical remote access trojan aimed at somebody’s laptop. Here’s Roy Akerman, VP of the Product Incubation at Cybereason:

“[Roy Akerman] So you know once you’re getting an access to mobile, first of all, there is the… [. . .] tracking you and learning more about you in order to extort or do something else. There’s a usage of the mic, of course, that can record every conversation around there. [. . .]

And then we’ve learned that hackers are trying to look at the storage of device in order to get the most interesting pieces of data out of it. So for example, think about yourself. You’re opening a specific attachment, OK, in your email, 95% of customers or like of the users don’t really know where this attachment is being saved. They just like left them until they run out of new storage and they need to delete it all.

So all the pieces of importing data that you have is there and the hacker can actually get access to it. More than that, you have all the payment methods and all the PIN codes and the passwords that are stored there and you know that nowdays most of the apps are Cloud-based, so a lot of access can be gained or a lot of types of access can be gained by just like simply collecting these types of privileges from the device and then use them externally in order to get the access to the Cloud accounts.

Now, these are the basic things. Let’s move to the second stage of a more sophisticated hacker that’s trying to use the mobile devices, a hopping point through the entire life of the user. So think about you as Gmail customer or a bank app customer, user. You lost your password. You’re trying to reset it. There are several security questions that are quite basic. But then the bank system actually sends you a text message or an email with a new PIN code that will… and a link that will allow you to reset your password. Since the hacker is already on the device, he can actually use it in order to restore or reset the password and then regain access from another way, OK, or another place.

[. . .]

When a hacker has access to your phone while you’re connected to the organization, it can use your phone like he has his own laptop, OK, hooked to the jack at the wall. He can scan the network, he can impact the network traffic, hijack sessions, redirect sessions, infect machines that are trying to communicate outside the network or even inside the network.”

ToTok represents a major step forward in government cyberespionage, and it positions the Emiratis world leaders in this field. If it was indeed Sheikh Tahnoon bin Zayed al-Nahyan who orchestrated this ingenious plan to hide a spyware in plain sight and convince the people to download and use it even though everybody suspects it is a spyware – then perhaps we can see in it Sheikh Tahnoon’s appreciation for jiu-jitsu. After all, one of main principles of jiu-jitsu is using your opponent’s force against themselves, rather than using your own.

ToTok is hardly the UAE’s first venture into spyware. It maintains a significant cyber-ops apparatus responsible for deploying even more sophisticated mobile exploits than ToTok, and supporting some of the most egregious human rights abuses of the past decade.

But the best part? They got it all from the Americans.

Coming up in Part Three of our three-part series on mobile security: UAE human rights crimes, and the Americans carrying them out.

Latest episodes

ToTok, Part 2: The Masterminds of Mobile Malware

Hosted By

Ran Levi

Special Guest

Bill Marczak

Senior Research Fellow at Citizen Lab

Roy Akerman

VP Product Incubation @ Cybereason