Vulnerabilities / Threats
8/31/2012
12:02 PM
50%
50%

FinFisher Mobile Spyware Tracking Political Activists

Developer of spyware that can take over iPhone and BlackBerry devices draws fire after researchers spot the spyware in use against activists in Bahrain.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Spyware developed and sold by U.K.-based Gamma Group can infect BlackBerrys, iPhones, and other mobile devices, and is being used to actively target dissidents in countries governed by autocratic regimes.

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.

According to The New York Times, Google engineer Morgan Marquis-Boire and Ph.D. student Bill Marczak volunteered to help tear down the spyware, which had been sent to three activists in the Gulf state of Bahrain, and found that it was FinFisher.

According to their resulting analysis, the iOS version of the FinFisher spyware "appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up," according to the Citizen Lab study. The software is signed by an Apple-generated developer's certificate assigned to Martin Muench, who The New York Times has reported is managing director of Gamma International as well as head of its FinFisher product portfolio.

[ Learn more about new malware. Read Java Zero-Day Malware Attack: 6 Facts. ]

Meanwhile, the Citizen Lab said it's also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia's Symbian platform, as well as Android. It said that it's seen "structurally similar" Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

Earlier this year, a study from Rapid7 identified FinSpy--the control software for FinFisher command-and-control servers--as being active in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the UAE, and the United States.

"We have identified several more countries where FinSpy command and control servers were operating," according to the Citizen Lab. "Scanning has thus far revealed two servers in Brunei, one in Turkmenistan's Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain." But according to news reports, some of those servers appear to have been taken offline in the wake of the report.

Gamma Group's business practices have been drawing scrutiny from human rights activists, especially after last year, when Egyptian protesters who took over state security headquarters purportedly found documents from Gamma Group offering to sell FinFisher to the Mubarak regime.

According to the Gamma Group website, "the FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies." The company also claims that it doesn't sell software to the Gulf state of Bahrain, where the ruling regime has been accused of perpetuating a string of human rights violations, especially involving police forces putting down anti-government protests.

In the wake of the Citizen Lab's report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by Bahrain was a stolen demonstration copy, saying it was likely "that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."

Gamma Group later issued a statement claiming that a sales demonstration server had been hacked into, and code stolen. "The information that was stolen has been used to identify the software Gamma used for demonstration purposes," the release said. "No operations or clients were compromised by the theft."

Security and privacy researcher Christopher Soghoian, via Twitter, likened the company's claim to being "the dog ate my homework for surveillance tech vendors."

Security experts have criticized software firms that create and market software such as FinFisher, saying it's too difficult to police how the software may be used. "While the U.K. based software company behind FinFisher claims it's merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real," said security researcher Cameron Camp at ESET in a blog post.

"Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago," he said. "Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression."

Many security vendors, meanwhile, have responded to the FinFisher revelations by noting that their products will block any spyware products they know about and can detect, regardless of which government may have launched it. "We detect all malware regardless its purpose&origin," said Kaspersky Lab chief Eugene Kaspesrky via Twitter

But until researchers Marquis-Boire and Marczak found active samples of FinFisher in May, security firms hadn't managed to get their hands on a real copy of the spyware or create signatures to stop it.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
9/1/2012 | 10:55:42 PM
re: FinFisher Mobile Spyware Tracking Political Activists
Figured this would be coming any day now, looks like it's already here.

With the ubiquity of mobile devices, and the stories of how they are used in various movements around the world to rally supporters, etc. it only makes sense that those who want to bring an end to those movements would seek to spy on the members.

I just have to wonder if anything like that is going on in the US, given that it's an election year, hotly contested and any advantage would be a bonus to either side. But no, that couldn't happen here, could it?

I wonder if there are any packet analyzers on the market that can watch traffic into and out of mobile devices to help determine if these things are onboard. I'd actually be somewhat flattered if there was an organization out there who wanted to go to such levels to spy on me. But, I get the feeling that there are others who wouldn't share that feeling.

Andrew Hornback
InformationWeek Contributor
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/29/2016 | 7:13:24 AM
Marquis-Boire and Marczak Classic
Kudos to Marquis-Boire and Marczak for all their work over the years.  In reviewing older news related to the work they have done, this is one of my favorite pieces.  It reminds the industry to look to their work in the context of the world stage and to remember that code is easily repurposed.  We have a responsibility to protect the work that is done for good such that it is no easy task to repurpose it for evil.  I know many programmers have a sense of "the work is the work" and to let it loose, taking no responsibility for the uses it is put to.  While I wouldn't go so far as to say programmers should be held accountable for evil done using their software (just as I don't think we should go after gun manufacturers as the responsible party for the death of innocent victims of shootings), I will say that when you program something intended for good use, it's important to do all that can be done to protect that tool from use by the very people you are fighting against.  This is no easy task, but one that must be attempted, nonetheless.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.