Hacker group Chaos Computer Club (CCC) has uncovered a new piece of Trojan malware that it argues is being used by German police forces to spy on users' screens and internet communication such as Skype calls and instant messaging.
German courts allow the use of malware by law enforcement agencies if they have obtained the appropriate legal approval; however, since 2008 the so-called Quellen-TKÜ software can only be used to tap VoIP calls.
Although it has not revealed any hard evidence linking the piece of malware it analysed – dubbed R2D2 – to Quellen-TKÜ, the CCC is claiming it is a government-backed Bundestrojaner, or "federal Trojan".
It argued that the functionality of the malware goes "much further than to just observe and intercept internet-based telecommunication, and thus violates the terms set by the constitutional court".
"The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely," read the blog. "Activation of the computer's hardware like microphone or camera can be used for room surveillance."
Because the Trojan gives its operator complete control over a victim's PC, it could even provide the ability to upload falsified evidence against the PC owner, said CCC.
"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown Trojan is possible in practice – or even desired," said a CCC spokesperson.
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
A Sophos investigation into the Trojan found that it is able to snoop not just on Skype but also on Yahoo Messenger, MSN and other communications apps, as well as log keystrokes and even take screenshots of users' screens.
However, Sophos senior technology consultant, Graham Cluley, cautioned that the German authorities have so far not admitted any involvement.
"The comments in the Trojan's binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner," he argued.