Researchers link mobile spyware cases with FinFisher toolkit


FinFisher, spyware which has been used to spy on dissidents in nations overseas, also can infect mobile devices, according to a new report.

Researchers at the Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, published a report Wednesday analyzing mobile variants that appeared to be the work of FinSpy Mobile, a product of the FinFisher surveillance toolkit distributed by U.K-based Gamma International.

The mobile trojans have compromised several platforms, including iOS, Android, BlackBerry, Windows Mobile and Symbian, according to the report.

Eva Galperin, a coordinator at the Electronic Frontier Foundation, which collaborates with the Citizen Lab, told on Thursday that suspicions about how FinFisher was being used, termed by Gamma as “governmental IT intrusion and remote-monitoring solutions,” began last year.

“Gamma appears to be selling FinFisher and FinSpy to different countries,” Galperin said. “Citizen Lab [found] samples of what they thought were FinSpy software on Bahraini government computers [to spy on dissidents] about a month ago.”

Earlier this month, The New York Times reported that Gamma executives denied the claim that spyware running on servers in several countries was their product.

“The latest report from the Citizen Lab shows a few interesting things,” Galperin said. “They have a whole bunch of samples, some of which are for phones. Some of the samples appear to be demo copies, which are consistent with [Gamma's] claims that [their] demo copies were stolen. Some of the [samples] were legitimate copies, some running in Turkmenistan, which is one of the most repressive regimes in the world.”

FinFisher can turn on users' microphones or cameras without them knowing, take periodic screenshots and log keystrokes, she said. The FinSpy Mobile component carries a range of capabilities – including recording phone calls, tracking GPS locations, intercepting text messages and logging keystrokes.

Galperin did not disclose a specific number of mobile malware cases discovered so far, but said “many samples” have been spotted. Users can be infected only by them taking some action to install the trojan, such as clicking on a malicious email or instant message.

Research in Motion (RIM), BlackBerry's Canada-based manufacturer, responded to on Thursday via email, with advice for users on its platform.

“The spyware in question requires extensive user interaction to be installed, and we urge customers to use the controls built into their BlackBerry [devices], such as requiring a password to install applications,” said Michael Brown, vice president of BlackBerry security management and research at RIM.

Apple did not respond to a request for comment.  

One tactic the mobile spyware may use to dupe victims into installing it is through messages directing users to download programs from an app store, Galperin said. Victims see no immediate signs that their devices have been infected.

In an email to Thursday, Claudio Guarnieri, a security researcher at Boston-based vulnerability management firm Rapid7, advised smartphone users to avoid jailbreaking their devices, along with keeping applications updated. 

"These trojans are very silent and resilient, and it's very hard for a regular user to even spot an anomaly," said Guarnieri. "If you do suspect that your device has been compromised, you should verify the SMS and phone call logs with your operator, [as] the logs on the device are most likely tampered to not show the trojan's traffic. [Also] see if there is suspicious activity with numbers you don't recognize."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.