FinSpy and FinFisher spy on you via your cellphone and PC

We read that “FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc.’s iPhone and Research in Motion Ltd.’s BlackBerry…”, at the opening of a Bloomberg article that several readers of the ESET blog sent us yesterday, along with a number of questions that boil down to: How scary is this FinSpy, and should I be worried?

Title: "Hydrangea and Kingfisher" by And?, Hiroshige, 1797-1858, Library of CongressWe think that Gamma Group, the company responsible for FinFisher, which encompasses a variety of surveillance code for desktop and notebook computers as well as mobile devices, would likely answer that their products are not scary if you’re a law-abiding citizen, so there is nothing to worry about. Right there on the company website it says: “The FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies.”

Can Secret Software Like FinFisher be Contained?

If you’ve ever managed a computer virus lab you will know that confining a piece of software to one group of people is very difficult. So something called “mobile intrusion software” raises a perennial question in malware circles: Can and should malicious software be used to try to catch/thwart bad guys, and what happens if the technology ends up in the wrong hands?

The answer probably depends on which group of people you ask. Folks who’ve spent a lot of time and effort fighting malware, like IT managers and antivirus software developers, might find it hard to see the good side of secretly installed software that accesses confidential data without authorization. For example, my colleague, Stephen Cobb, opined a few months ago in the context of the nation state malwares Stuxnet and Flame: “There’s just no good malware.”

While the U.K. based software company behind FinFisher claims it’s merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real. Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago. Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression.

Yes, Your Cellphone Can Spy on You

So just what does Gamma Group’s product do to enable spying? They won’t really say for sure, but researchers (after tearing into samples) say the software at least enables mobile phones to record conversations, track location, read email, listen to voice phone calls, and capture SMS. And yes, it can enable cameras on the device. Which devices? Here, Gamma isn’t too specific, presumably trying to thwart would-be reverse engineers of the technology. Researchers have found it on iPhones and Blackberry platforms but it may well be available for other mobile phone operating systems.

From a technical perspective, all of the above actions are not terribly hard to accomplish, based on how much access you have to the physical device. According to Stephen Cobb, the U.S. Secret Service was already confiscating “spyphones” back in the mid-nineties, regular-looking cellphones that had been illegally re-engineered for remote operation and eavesdropping. All the bad guy had to do was get the phone into the hands of the target (perhaps as a gift, since any kind of cellphone was expensive back then).

What is different today is a. the sheer amount of personal and presumed confidential information passing through your average smart phone, b. the ability to trick smart phone users into installing spyware from websites.

So what happens when this technology goes astray? Well, right now there’s a fair amount of effort trying to understand how samples got to Bahrain, an area the company claims it didn’t sell any software in. Researchers at the Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada, have been monitoring the Bahrain situation for some time.

Based on what we have seen in the past, just about any malicious code that is deployed in anger, such as Stuxnet, is destined to become public knowledge and public property, open to abuse by criminals, crazies, nation states and hacktivists. The same is true of other government Trojan code, as documented in March by ESET malware researchers Robert Lipovsky writing about German code, and Alexis Dorais-Joncas addressing potentially Chinese code.

And then there’s the nuance that law enforcement in various localities where the software is sold aren’t scrambling to do any full disclosures of what context they are using the spy features in. Speaking of which, various countries have legislation against various forms of wiretapping, including here in the U.S., where court orders seem to be required in order to wiretap (well, except the pen registry “requests”). Here, Gamma says it complies with export regulations, so allegedly they only attempt to sell in legal areas.

Don’t have a mobile device handy? They also sell software that can be used on more traditional PC’s, which brings the subject back to the anti-malware vendors’ front doorstep. The next step in the debate about “good malware” is whether and how anti-malware technology should deal with it. I mean, the thing “acts” an awful lot like traditional malware set on doing nasty things like messing with your camera, microphone, keystrokes, etc. And here’s the rub. Eventually it had to happen, and now it’s happening in your pocket.

The difference, or course, is that the information stream derived from your mobile device is potentially far spookier in terms of what information it conveys than a home computer in a spare bedroom just used to play games. After all, your mobile device is (almost) always on, connected, and reporting, or at least storing for reporting.

What Does FinFisher and FinSpy Mean for You and Your Company?

The answer, as it often is in the case of new malware developments, is increased vigilance. Make sure you are running up-to-date antivirus on all devices, desktop, laptop, and mobile. (ESET products detect this malware as Win32/Belesak.D Trojan.) And make sure your employees are all freshly trained on the do’s and don’ts of malware infection paths and protection strategies, like clicking on links in email (that’s a don’t) and reporting suspicious activity (that’s a do).

As of this post, we are not aware of this software being spread through drive-by methods. It is more likely to be installed by sending a deceptive link to the target. And right now it does not appear to be part of large-scale industrialized attacks but rather limited and highly targeted attacks. Obviously, if your company is doing business in the Middle East you are already on high alert for attacks of this type.

We will continue our global monitoring of infections by spyware like FinFisher and provide updated coverage if the threat level increases.

Cameron Camp
Security Researcher

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s