Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researchers Look Inside Mobile Variants of FinFisher Spy Tools

IT intrusion tools, sometimes known as lawful interception technologies, are a fixture in the headlines when it comes to privacy. One of the firms offering such abilities to governments and law enforcement is Gamma International, with their FinFisher suite. Researchers from The Citizen Lab have released new data that examines the mobile side of FinFisher, as well as possible locations for its use.

IT intrusion tools, sometimes known as lawful interception technologies, are a fixture in the headlines when it comes to privacy. One of the firms offering such abilities to governments and law enforcement is Gamma International, with their FinFisher suite. Researchers from The Citizen Lab have released new data that examines the mobile side of FinFisher, as well as possible locations for its use.

Gamma International first entered the spotlight in April of 2011, when it was discovered that their FinFisher software was given to Egypt’s SSIS. The Egyptian State Security Investigations Service (Mabahith Amn al-Dawla) has been linked to torture, by both international watchdogs and citizens alike, as well as several other human rights violations.

FinFisher MobileThe discovery of tools such as FinFisher within their control caused outrage for privacy advocates, considering the actions of the government Egyptian revolt. In fact, FinFisher was discovered when activists stormed the headquarters of the SSIS in March 2011.

But what is FinFisher exactly?

In 2010, Gamma’s Marketing Manager, Johnny Debs, gave a presentation at ISS World that explained some of the basics. According to an outline of his talk, “FinFisher combines offensive IT Intrusion methods of different applications and areas into one comprehensive portfolio covering all major fields of operation.”

In addition, Gamma confirms that FinFisher can do more than just bug a computer, including GSM, GPRS, and UMTS monitoring, passive telephone monitoring, SMS interception, speech identifying tools, and RF monitoring.

After Egypt, FinFisher and Gamma fell off out of the news cycle, but remained in the watchful eye of privacy advocates. The quiet didn’t last though, as the company and their product returned to the headlines two weeks ago.

Earlier in the summer, Bahraini pro-democracy activists received email messages with what was believed to be FinFisher attached to them. The malware was delivered as an image using the RLO, meaning right-to-left override.

Advertisement. Scroll to continue reading.

Filenames with RLO employed will look normal when displayed on a computer. For example, a user would see exe.file.jpg and Windows would display the icon associated with an image. In reality however, the actual name of the file is gpj.elif.exe.

“Believing that they are opening a harmless “.jpg,” victims are instead tricked into running an executable “.exe” file,” a Citizen Lab report explained at the time.

When researchers at Citizen Lab infected a virtual machine with the malware, they observed it run as normal. Further examination yielded the opportunity to examine the memory segments injected by the malware, which included the string “finspy” – one of the tools used by FinFisher.

Researchers at Rapid7 went a step further and as part of their research into the FinFisher malware itself, they were able to determine the command and control server locations, some of them at least. There were ten C&C servers discovered in total, located in Indonesia, Australia, Qatar, Ethiopia, two in the Czech Republic, Estonia, the U.S., Mongolia, Latvia, and Dubai. After the press picked up on Rapid7’s research, and the report from the Citizen Lab, the identified servers suddenly stopped responding.

“We believe that this unusual behavior could have actually been a deception technique adopted by the FinSpy Proxy to disguise the nature of the service, but that when they realized it was actively used for fingerprinting the C&C servers was promptly disabled to prevent further discoveries,” Rapid7’s Claudio Guarnieri wrote in a blog post earlier this month.

Gamma didn’t take kindly to the reports coming out in the press, and when the topic of their C&C servers came up, their Managing Director, Martin J. Muench, attempted to spin things in an interview with Bloomberg, asking why no one was “making a full about the free malware available their website…” referring to Rapid7’s Metasploit. His attempts did little to help the company’s position on the topic at hand, and Rapid7 dismissed them, commenting that Metasploit isn’t malware.

On Wednesday, Citizen Lab published additional information, this time focusing on mobile abilities of FinFisher. The research was possible due to samples that were sent to them from the security and activist communities.

“From these, we identified several apparent mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms. Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit,” the Citizen Lab report explains.

Several of the samples appear to be demo versions, which can be customized, while other samples appear to be active. In addition, they were able to identify several other FinFisher C&C servers, and partially replicate the conclusions from Rapid7’s analysis of the C&Cs.

When contacted about the research, Gamma’s Muench told Bloomberg that he can confirm that Gamma does indeed supply a piece of “mobile intrusion software — FinSpy Mobile.” “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.” Bloomberg’s coverage is here.

As for Gamma, they are investigating how the researchers were able to obtain the samples and a video that demonstrates the BlackBerry version of the malware.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...