FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL:US)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows.
The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyber weapon.
The hunt for clues to the software’s deployment has gained speed since July, when research based on e-mails obtained by Bloomberg News identified what looked like a FinFisher product that infects personal computers. In that case, the malware targeted activists from the Persian Gulf kingdom of Bahrain.
The latest analysis, led by security researcher Morgan Marquis-Boire, may demonstrate how such spyware can reach a broader range of devices to follow their owners’ every move.
“People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research. “These are the tools that can be used to turn on your microphone and turn your phone into a tracking device.”
The findings -- which are consistent with Gamma’s own promotional materials for a FinFisher product called FinSpy Mobile -- illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into peoples’ digital devices.
FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.
“I can confirm that Gamma supplies a piece of mobile intrusion software -- FinSpy Mobile,” Gamma International GmbH Managing Director Martin J. Muench said in an Aug. 28 e-mail. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”
Muench, who is based in Munich, said his company didn’t sell FinFisher spyware to Bahrain. “I am still investigating how a piece of our software went astray,” he said in his e- mail.
In a news release today, Gamma said that information from its sales demonstration server had been stolen at an unknown time by unknown methods.
“The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.” The Gamma statement said that while its demo products contain the word “FinSpy” -- a marker the researchers used to help identify samples -- its more sophisticated operational products don’t.
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.
Muench says that Gamma only sells to governments and their agencies and complies with the export regulations of the U.K., U.S. and Germany.
The July report on Bahrain led security professionals and activists to give Marquis-Boire’s team additional samples of malware for testing.
Several of those samples became the basis of the new report, and include what appear to be a FinSpy Mobile demonstration copy and live versions sent to actual targets.
The report contains no information about any individuals who were targeted, or whether devices were infected.
In December, anti-secrecy website WikiLeaks published a promotional brochure and video for FinSpy Mobile. The video shows a BlackBerry user receiving a message to click on a link for a fake update -- and then making the mistake of doing so.
“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says.
Systems that can be targeted include Microsoft Corp. (MSFT:US)’s Windows Mobile, the Apple iPhone’s iOS and BlackBerry and Google Inc. (GOOG:US)’s Android, according to the company’s literature. Today’s report says the malware can also infect phones running Symbian, an operating system made by Nokia Oyj (NOK1V), and that it appears the program targeting iOS will run on iPad tablets.
A mobile device’s user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy.
As Gamma’s promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks as if it comes from the phone maker, and asking the user to “please install this system update,” Marquis-Boire says.
Otherwise, without the use of a previously undiscovered vulnerability, the person sneaking the program onto a phone must gain physical access to the device or know its passwords, the study says.
The spyware doesn’t appear to take advantage of any vulnerability in the phones or their operating systems, the study says.
FinSpy software written for Windows Mobile shouldn’t be able to infect the newer Windows Phone system, which Microsoft introduced in 2010, said Claudio Guarnieri, a researcher for Boston-based security risk-assessment company Rapid7, who analyzed the Windows portion of the malware for the new report.
Redmond, Washington-based Microsoft said its anti-malware software blocks the FinSpy Trojan, and that Windows Phone doesn’t allow for the installation of unknown, third-party software.
“We strongly encourage Windows Mobile owners to avoid clicking on or otherwise downloading software or links from unknown sources, including text messages,” Microsoft said in a statement.
“BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications,” Waterloo, Ontario-based RIM said in a statement. “We recommend customers only download applications from trusted sources to help protect against potentially malicious software.”
Espoo, Finland-based Nokia’s press office issued a statement saying users would need to actively choose to install an application such as FinFisher.
“Though we have seen claims made for similar products in the past, we have not had any reported incidents from customers as a result of such spyware,” the statement said. Nokia decided last year to abandon Symbian in favor of Windows Phone.
Cupertino, California-based Apple and Mountain View, California-based Google declined to comment, spokeswomen for the companies said.
The researchers said it appeared an Apple developer’s certificate in Muench’s name was used in building the application that targets iOS, citing text found in the program. Muench said the certificate was used only for research purposes. An Apple spokeswoman didn’t immediately respond to a request for comment on the certificate.
The new study also sheds light on FinFisher’s global reach, bolstering separate findings by researchers who said on Aug. 8 that computers in at least 10 countries on five continents show signs of being command servers to which computers infected by FinFisher send their pilfered data. That study was led by Guarnieri of Rapid7.
The research published today used the original Bahraini samples to establish a unique pattern in which command computers communicate with infected machines -- and then scanned computer networks for such patterns.
The scanning effort, led by Bill Marczak, a computer science doctoral candidate at the University of California Berkeley, turned up many of the same machines found by Guarnieri, who had used a different method. It also identified new countries, bringing the total number of nations with suspected command servers to at least 15.
The mobile-infecting samples obtained for the report, which transmit data via the Internet and text message, also provided clues to FinFisher’s deployment.
In one case, a sample was found transmitting to the same Internet address in the Czech Republic that Guarnieri had identified in his study as a likely FinFisher command computer.
It’s unclear whether any government agencies in the countries identified in the studies are Gamma clients or whether the users may be based in other countries.
A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions. A spokeswoman for the Defense Ministry said it has never used Gamma products. The Czech secret service didn’t respond to an e-mailed request for comment.
Gamma’s Muench said the focus on his product was unfair because there are other intrusion tools that lack the oversight provided by FinFisher, which is designed to gather evidence for use in court and is only sold to governments.
He pointed to Rapid7, which while investigating Gamma also distributes Metasploit, a product downloadable for free that contains a database of exploits, which hackers can use to take advantage of vulnerabilities in systems or software. Rapid7 markets Metasploit as a defensive tool for testing whether computers can be penetrated.
“Why is no one making a fuss about the free malware available through their website which is completely unrestricted and could and does go anywhere?” Muench said in his e-mail. “Can Rapid7 claim that they have never directly or indirectly supplied malwares worldwide?”
Rapid7 said in a statement that it provides the security industry with a way to test defenses against known exploits that are already being abused, and levels the playing field with malicious attackers. “Metasploit is not malware,” the statement said.
The research published today can be found at: https://citizenlab.org/2012/08/the-smartphone-who-loved-me- finfisher-goes-mobile.
To contact the reporter on this story: Vernon Silver in Rome at email@example.com
To contact the editor responsible for this story: Melissa Pozsgay at firstname.lastname@example.org