FinFisher Mobile Spyware Tracking Political Activists

Developer of spyware that can take over iPhone and BlackBerry devices draws fire after researchers spot the spyware in use against activists in Bahrain.

Mathew J. Schwartz, Contributor

August 31, 2012


Spyware developed and sold by U.K.-based Gamma Group can infect BlackBerrys, iPhones, and other mobile devices, and is being used to actively target dissidents in countries governed by autocratic regimes.

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.

According to The New York Times, Google engineer Morgan Marquis-Boire and Ph.D. student Bill Marczak volunteered to help tear down the spyware, which had been sent to three activists in the Gulf state of Bahrain, and found that it was FinFisher.

According to the Citizen Lab study, the iOS version of the FinFisher spyware "appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up." The software is signed with an Apple-issued developer certificate assigned to Martin Muench, who The New York Times has reported is managing director of Gamma International as well as head of its FinFisher product portfolio.


Meanwhile, the Citizen Lab said it's also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia's Symbian platform, as well as Android. It said that it's seen "structurally similar" Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

Earlier this year, a study from Rapid7 identified FinSpy, the control software for FinFisher command-and-control servers, as being active in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the UAE, and the United States.

"We have identified several more countries where FinSpy command and control servers were operating," according to the Citizen Lab. "Scanning has thus far revealed two servers in Brunei, one in Turkmenistan's Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain." But according to news reports, some of those servers appear to have been taken offline in the wake of the report.

Gamma Group's business practices have been drawing scrutiny from human rights activists, especially after last year, when Egyptian protesters who took over state security headquarters purportedly found documents from Gamma Group offering to sell FinFisher to the Mubarak regime.

According to the Gamma Group website, "the FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies." The company also claims that it doesn't sell software to the Gulf state of Bahrain, where the ruling regime has been accused of perpetuating a string of human rights violations, especially involving police forces putting down anti-government protests.

In the wake of the Citizen Lab's report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by Bahrain was a stolen demonstration copy, saying it was likely "that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."

Gamma Group later issued a statement claiming that a sales demonstration server had been hacked into, and code stolen. "The information that was stolen has been used to identify the software Gamma used for demonstration purposes," the release said. "No operations or clients were compromised by the theft."

Security and privacy researcher Christopher Soghoian, via Twitter, likened the company's claim to being "the dog ate my homework for surveillance tech vendors."

Security experts have criticized software firms that create and market software such as FinFisher, saying it's too difficult to police how the software may be used. "While the U.K. based software company behind FinFisher claims it's merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real," said security researcher Cameron Camp at ESET in a blog post.

"Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago," he said. "Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression."

Many security vendors, meanwhile, have responded to the FinFisher revelations by noting that their products will block any spyware they know about and can detect, regardless of which government may have launched it. "We detect all malware regardless its purpose&origin," said Kaspersky Lab chief Eugene Kaspersky via Twitter.

But until researchers Marquis-Boire and Marczak found active samples of FinFisher in May, security firms hadn't managed to get their hands on a real copy of the spyware or create signatures to stop it.


About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
