Security Experts:

Researchers Look Inside Mobile Variants of FinFisher Spy Tools

IT intrusion tools, sometimes known as lawful interception technologies, are a fixture in the headlines when it comes to privacy. One of the firms offering such abilities to governments and law enforcement is Gamma International, with their FinFisher suite. Researchers from The Citizen Lab have released new data that examines the mobile side of FinFisher, as well as possible locations for its use.

Gamma International first entered the spotlight in April of 2011, when it was discovered that their FinFisher software was given to Egypt’s SSIS. The Egyptian State Security Investigations Service (Mabahith Amn al-Dawla) has been linked to torture, by both international watchdogs and citizens alike, as well as several other human rights violations.

FinFisher MobileThe discovery of tools such as FinFisher within their control caused outrage for privacy advocates, considering the actions of the government Egyptian revolt. In fact, FinFisher was discovered when activists stormed the headquarters of the SSIS in March 2011.

But what is FinFisher exactly?

In 2010, Gamma’s Marketing Manager, Johnny Debs, gave a presentation at ISS World that explained some of the basics. According to an outline of his talk, “FinFisher combines offensive IT Intrusion methods of different applications and areas into one comprehensive portfolio covering all major fields of operation.”

In addition, Gamma confirms that FinFisher can do more than just bug a computer, including GSM, GPRS, and UMTS monitoring, passive telephone monitoring, SMS interception, speech identifying tools, and RF monitoring.

After Egypt, FinFisher and Gamma fell off out of the news cycle, but remained in the watchful eye of privacy advocates. The quiet didn’t last though, as the company and their product returned to the headlines two weeks ago.

Earlier in the summer, Bahraini pro-democracy activists received email messages with what was believed to be FinFisher attached to them. The malware was delivered as an image using the RLO, meaning right-to-left override.

Filenames with RLO employed will look normal when displayed on a computer. For example, a user would see exe.file.jpg and Windows would display the icon associated with an image. In reality however, the actual name of the file is gpj.elif.exe.

“Believing that they are opening a harmless “.jpg,” victims are instead tricked into running an executable “.exe” file,” a Citizen Lab report explained at the time.

When researchers at Citizen Lab infected a virtual machine with the malware, they observed it run as normal. Further examination yielded the opportunity to examine the memory segments injected by the malware, which included the string “finspy” – one of the tools used by FinFisher.

Researchers at Rapid7 went a step further and as part of their research into the FinFisher malware itself, they were able to determine the command and control server locations, some of them at least. There were ten C&C servers discovered in total, located in Indonesia, Australia, Qatar, Ethiopia, two in the Czech Republic, Estonia, the U.S., Mongolia, Latvia, and Dubai. After the press picked up on Rapid7’s research, and the report from the Citizen Lab, the identified servers suddenly stopped responding.

“We believe that this unusual behavior could have actually been a deception technique adopted by the FinSpy Proxy to disguise the nature of the service, but that when they realized it was actively used for fingerprinting the C&C servers was promptly disabled to prevent further discoveries,” Rapid7’s Claudio Guarnieri wrote in a blog post earlier this month.

Gamma didn’t take kindly to the reports coming out in the press, and when the topic of their C&C servers came up, their Managing Director, Martin J. Muench, attempted to spin things in an interview with Bloomberg, asking why no one was “making a full about the free malware available their website...” referring to Rapid7’s Metasploit. His attempts did little to help the company’s position on the topic at hand, and Rapid7 dismissed them, commenting that Metasploit isn’t malware.

On Wednesday, Citizen Lab published additional information, this time focusing on mobile abilities of FinFisher. The research was possible due to samples that were sent to them from the security and activist communities.

“From these, we identified several apparent mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms. Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit,” the Citizen Lab report explains.

Several of the samples appear to be demo versions, which can be customized, while other samples appear to be active. In addition, they were able to identify several other FinFisher C&C servers, and partially replicate the conclusions from Rapid7’s analysis of the C&Cs.

When contacted about the research, Gamma’s Muench told Bloomberg that he can confirm that Gamma does indeed supply a piece of “mobile intrusion software -- FinSpy Mobile.” “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.” Bloomberg’s coverage is here.

As for Gamma, they are investigating how the researchers were able to obtain the samples and a video that demonstrates the BlackBerry version of the malware.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.