Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

FinFisher Mobile Spyware Tracking Political Activists

Developer of spyware that can take over iPhone and BlackBerry devices draws fire after researchers spot the spyware in use against activists in Bahrain.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Spyware developed and sold by U.K.-based Gamma Group can infect BlackBerrys, iPhones, and other mobile devices, and is being used to actively target dissidents in countries governed by autocratic regimes.

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.

According to The New York Times, Google engineer Morgan Marquis-Boire and Ph.D. student Bill Marczak volunteered to help tear down the spyware, which had been sent to three activists in the Gulf state of Bahrain, and found that it was FinFisher.

According to their resulting analysis, the iOS version of the FinFisher spyware "appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up," according to the Citizen Lab study. The software is signed by an Apple-generated developer's certificate assigned to Martin Muench, who The New York Times has reported is managing director of Gamma International as well as head of its FinFisher product portfolio.

[ Learn more about new malware. Read Java Zero-Day Malware Attack: 6 Facts. ]

Meanwhile, the Citizen Lab said it's also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia's Symbian platform, as well as Android. It said that it's seen "structurally similar" Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

Earlier this year, a study from Rapid7 identified FinSpy--the control software for FinFisher command-and-control servers--as being active in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the UAE, and the United States.

"We have identified several more countries where FinSpy command and control servers were operating," according to the Citizen Lab. "Scanning has thus far revealed two servers in Brunei, one in Turkmenistan's Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain." But according to news reports, some of those servers appear to have been taken offline in the wake of the report.

Gamma Group's business practices have been drawing scrutiny from human rights activists, especially after last year, when Egyptian protesters who took over state security headquarters purportedly found documents from Gamma Group offering to sell FinFisher to the Mubarak regime.

According to the Gamma Group website, "the FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies." The company also claims that it doesn't sell software to the Gulf state of Bahrain, where the ruling regime has been accused of perpetuating a string of human rights violations, especially involving police forces putting down anti-government protests.

In the wake of the Citizen Lab's report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by Bahrain was a stolen demonstration copy, saying it was likely "that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."

Gamma Group later issued a statement claiming that a sales demonstration server had been hacked into, and code stolen. "The information that was stolen has been used to identify the software Gamma used for demonstration purposes," the release said. "No operations or clients were compromised by the theft."

Security and privacy researcher Christopher Soghoian, via Twitter, likened the company's claim to being "the dog ate my homework for surveillance tech vendors."

Security experts have criticized software firms that create and market software such as FinFisher, saying it's too difficult to police how the software may be used. "While the U.K. based software company behind FinFisher claims it's merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real," said security researcher Cameron Camp at ESET in a blog post.

"Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago," he said. "Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression."

Many security vendors, meanwhile, have responded to the FinFisher revelations by noting that their products will block any spyware products they know about and can detect, regardless of which government may have launched it. "We detect all malware regardless its purpose&origin," said Kaspersky Lab chief Eugene Kaspesrky via Twitter

But until researchers Marquis-Boire and Marczak found active samples of FinFisher in May, security firms hadn't managed to get their hands on a real copy of the spyware or create signatures to stop it.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/29/2016 | 7:13:24 AM
Marquis-Boire and Marczak Classic
Kudos to Marquis-Boire and Marczak for all their work over the years.  In reviewing older news related to the work they have done, this is one of my favorite pieces.  It reminds the industry to look to their work in the context of the world stage and to remember that code is easily repurposed.  We have a responsibility to protect the work that is done for good such that it is no easy task to repurpose it for evil.  I know many programmers have a sense of "the work is the work" and to let it loose, taking no responsibility for the uses it is put to.  While I wouldn't go so far as to say programmers should be held accountable for evil done using their software (just as I don't think we should go after gun manufacturers as the responsible party for the death of innocent victims of shootings), I will say that when you program something intended for good use, it's important to do all that can be done to protect that tool from use by the very people you are fighting against.  This is no easy task, but one that must be attempted, nonetheless.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
9/1/2012 | 10:55:42 PM
re: FinFisher Mobile Spyware Tracking Political Activists
Figured this would be coming any day now, looks like it's already here.

With the ubiquity of mobile devices, and the stories of how they are used in various movements around the world to rally supporters, etc. it only makes sense that those who want to bring an end to those movements would seek to spy on the members.

I just have to wonder if anything like that is going on in the US, given that it's an election year, hotly contested and any advantage would be a bonus to either side. But no, that couldn't happen here, could it?

I wonder if there are any packet analyzers on the market that can watch traffic into and out of mobile devices to help determine if these things are onboard. I'd actually be somewhat flattered if there was an organization out there who wanted to go to such levels to spy on me. But, I get the feeling that there are others who wouldn't share that feeling.

Andrew Hornback
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27187
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
CVE-2020-7752
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7127
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
CVE-2020-7196
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
CVE-2020-7197
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...