New FinSpy versions extend surveillance capabilities

New versions of the FinSpy malware for iOS and Android smartphones have extended targeted surveillance capabilities, warn security researchers

The latest versions of the advanced malicious surveillance tool FinSpy have been discovered by researchers at security firm Kaspersky.

The software is produced and sold to governments and law enforcement agencies by Gamma International, which has branches in the UK and Germany.

FinSpy for desktop devices was first described in 2011 by Wikileaks, and mobile implants were discovered in 2012. Since then, Kaspersky has monitored the development of this malware and the emergence of new versions in the wild.

In 2014, Wikileaks revealed that FinSpy, also known as FinFisher, was being used by police in New South Wales, Australia, as well as national police in the Netherlands, Mongolia, Estonia and Singapore, and the secret services of Hungary, Italy, and Bosnia and Herzegovina.

Former FinSpy licence holders include Belgium, Italy, South Africa, Bahrain, Pakistan, Vietnam, Nigeria, and state security in Slovakia and Qatar.

The latest versions of FinSpy work on both iOS and Android devices, can monitor activity on almost all popular messaging services – including encrypted ones – and hide their traces better than before, according to the Kaspersky researchers.

The surveillance tool allows attackers to spy on all device activities and exfiltrate sensitive data such as GPS location, messages, photos and call information.

To guard against FinSpy, Kaspersky researchers advise users to:

  • Not leave your smartphone or tablet unlocked, and always make sure nobody is able to see your PIN code when you enter it.
  • Not jailbreak or root your device, because it will make an attacker’s job easier.
  • Install mobile applications only from official app stores, such as Google Play.
  • Not follow suspicious links sent from unknown numbers.
  • Block the installation of programs from unknown sources in the device settings.
  • Avoid disclosing the password or passcode for mobile devices to anyone.
  • Not store unfamiliar files or applications on the device.

According to the researchers, FinSpy is an “extremely effective” software tool for targeted surveillance that has been observed stealing information from international NGOs, governments and law enforcement organisations all over the world. Its operators can tailor the behaviour of each malicious FinSpy implant to a specific target or group of targets, the researchers found.

The basic functionality of the malware includes almost unlimited monitoring of the device’s activities, such as geolocation, all incoming and outgoing messages, contacts, media stored on the device, and data from popular messaging services like WhatsApp, Facebook Messenger or Viber. All the exfiltrated data is transferred to the attacker via text messages or over HTTP.

The latest known versions of the malware extend this surveillance functionality to additional messaging services, including those considered “secure”, such as Telegram, Signal and Threema.

They are also more adept at covering their tracks, with the versions targeting iOS 11 and older now able to hide signs of jailbreaking. The new version for Android contains an exploit capable of gaining root privileges on an unrooted device, giving it almost unlimited, complete access to all files and commands.

However, based on the information available to Kaspersky, to successfully infect both Android and iOS-based devices, attackers need either physical access to the phone or an already jailbroken/rooted device. For jailbroken/rooted phones, there are at least three possible infection vectors: text message, email or push notifications.

According to Kaspersky telemetry, “several dozen” mobile devices have been infected with FinSpy in the past year.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” said Alexey Firsh, security researcher at Kaspersky Lab.

“Moreover, they follow trends and implement functionality to exfiltrate data from applications that are currently popular. We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and installing them as soon as they’re released.

“Regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying,” he said.

Up-to-date versions of FinSpy used in the wild were detected in almost 20 countries. “However, assuming the size of Gamma’s customer base, it’s likely that the real number of victims is much higher,” the researchers said.