Vulnerabilities / Threats
8/31/2012
12:02 PM
Connect Directly
RSS
E-Mail
50%
50%

FinFisher Mobile Spyware Tracking Political Activists

Developer of spyware that can take over iPhone and BlackBerry devices draws fire after researchers spot the spyware in use against activists in Bahrain.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Spyware developed and sold by U.K.-based Gamma Group can infect BlackBerrys, iPhones, and other mobile devices, and is being used to actively target dissidents in countries governed by autocratic regimes.

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.

According to The New York Times, Google engineer Morgan Marquis-Boire and Ph.D. student Bill Marczak volunteered to help tear down the spyware, which had been sent to three activists in the Gulf state of Bahrain, and found that it was FinFisher.

According to their resulting analysis, the iOS version of the FinFisher spyware "appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up," according to the Citizen Lab study. The software is signed by an Apple-generated developer's certificate assigned to Martin Muench, who The New York Times has reported is managing director of Gamma International as well as head of its FinFisher product portfolio.

[ Learn more about new malware. Read Java Zero-Day Malware Attack: 6 Facts. ]

Meanwhile, the Citizen Lab said it's also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia's Symbian platform, as well as Android. It said that it's seen "structurally similar" Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

Earlier this year, a study from Rapid7 identified FinSpy--the control software for FinFisher command-and-control servers--as being active in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the UAE, and the United States.

"We have identified several more countries where FinSpy command and control servers were operating," according to the Citizen Lab. "Scanning has thus far revealed two servers in Brunei, one in Turkmenistan's Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain." But according to news reports, some of those servers appear to have been taken offline in the wake of the report.

Gamma Group's business practices have been drawing scrutiny from human rights activists, especially after last year, when Egyptian protesters who took over state security headquarters purportedly found documents from Gamma Group offering to sell FinFisher to the Mubarak regime.

According to the Gamma Group website, "the FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies." The company also claims that it doesn't sell software to the Gulf state of Bahrain, where the ruling regime has been accused of perpetuating a string of human rights violations, especially involving police forces putting down anti-government protests.

In the wake of the Citizen Lab's report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by Bahrain was a stolen demonstration copy, saying it was likely "that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."

Gamma Group later issued a statement claiming that a sales demonstration server had been hacked into, and code stolen. "The information that was stolen has been used to identify the software Gamma used for demonstration purposes," the release said. "No operations or clients were compromised by the theft."

Security and privacy researcher Christopher Soghoian, via Twitter, likened the company's claim to being "the dog ate my homework for surveillance tech vendors."

Security experts have criticized software firms that create and market software such as FinFisher, saying it's too difficult to police how the software may be used. "While the U.K. based software company behind FinFisher claims it's merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real," said security researcher Cameron Camp at ESET in a blog post.

"Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago," he said. "Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression."

Many security vendors, meanwhile, have responded to the FinFisher revelations by noting that their products will block any spyware products they know about and can detect, regardless of which government may have launched it. "We detect all malware regardless its purpose&origin," said Kaspersky Lab chief Eugene Kaspesrky via Twitter

But until researchers Marquis-Boire and Marczak found active samples of FinFisher in May, security firms hadn't managed to get their hands on a real copy of the spyware or create signatures to stop it.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
9/1/2012 | 10:55:42 PM
re: FinFisher Mobile Spyware Tracking Political Activists
Figured this would be coming any day now, looks like it's already here.

With the ubiquity of mobile devices, and the stories of how they are used in various movements around the world to rally supporters, etc. it only makes sense that those who want to bring an end to those movements would seek to spy on the members.

I just have to wonder if anything like that is going on in the US, given that it's an election year, hotly contested and any advantage would be a bonus to either side. But no, that couldn't happen here, could it?

I wonder if there are any packet analyzers on the market that can watch traffic into and out of mobile devices to help determine if these things are onboard. I'd actually be somewhat flattered if there was an organization out there who wanted to go to such levels to spy on me. But, I get the feeling that there are others who wouldn't share that feeling.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.