Citizen Lab discovers mobile malware: FinFisher spyware variants target smartphones

Citizen Lab published research showing how FinSpy variants, from the Gamma Group's FinFisher surveillance toolkit, target smartphones including Windows Mobile, Apple's iPhone and iPad tablets, Google's Android, RIM's BlackBerry and Nokia's Symbian systems.

On the heels of the patent battle with Apple, Samsung surprised the world today by announcing in Berlin that it launched the world's first smartphone using Microsoft's latest mobile software. However, we're going to look at how the Gamma Group's FinFisher spyware has gone mobile to infect smartphones. The mobile surveillance malware targets Windows Phone, Apple's iPhone and iPad tablets, Google's Android, RIM's BlackBerry and Nokia's Symbian systems.

The Citizen Lab published research and reported that it had "identified several apparent mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms. Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit."

FinFisher spyware can secretly monitor computers, intercept Skype calls, turn on Web cameras and record every keystroke. WikiLeaks Spy Files previously dumped the dirt on FinFisher, including the Gamma FinFisher Trojan FinSpy for "Remote Monitoring & Infection Solutions."

This sneaky surveillance has been used to target activists. After FinFisher was found in the wild, "the public domain," Dennis Portney, president of Security Forensics, told CSO Online, "Every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind."

Citizen Lab has a terrific breakdown of how Gamma International's FinFisher spyware has gone mobile as well as how the Trojan infects each mobile OS. It "notified vendors, as well as members of the AV community," but advised:

These tools provide substantial surveillance functionality; however, we'd like to highlight that, without exploitation of the underlying platforms, all of the samples we've described require some form of interaction to install. As with the previously analyzed FinSpy tool this might involve some form of socially engineered e-mail or other delivery, prompting unsuspecting users to execute the program. Or, it might involve covert or coercive physical installation of the tool, or use of a user's credentials to perform a third-party installation.

We recommend that all users run Anti-Virus software, promptly apply (legitimate) updates when they become available, use screen locks, passwords and device encryption (when available). Do not run untrusted applications and do not allow third parties access to mobile devices.

Rapid7 researcher Claudio Guarnieri said FinSpy software written for Windows Mobile shouldn't be able to infect the newer Windows Phone system, which was introduced in 2010. Microsoft said "its anti-malware software blocks the FinSpy Trojan, and that Windows Phone does not allow for the installation of unknown, third-party software." Microsoft told Bloomberg, "We strongly encourage Windows Mobile owners to avoid clicking on or otherwise downloading software or links from unknown sources, including text messages." Nokia dropped Symbian last year and reported no claims of the spyware since switching to Windows Phone.

RIM issued this statement, "BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications. We recommend customers only download applications from trusted sources to help protect against potentially malicious software." Bloomberg reported that Apple and Google both declined to comment.

After Rapid7 analyzed and identified FinFisher Command and Control servers in at least 10 countries on five continents, including on EC2 Amazon cloud service in the U.S., Martin Muench, managing director at Gamma Group, denied it to the New York Times. "FinFisher servers would not respond in such a way and would not be able to be fingerprinted with such a technique," Muench disputed in an e-mail. "None of our server components send out strings like 'Hallo Steffi.' The core FinSpy servers are protected with firewalls which only allow incoming connections from the setup proxies, and therefore a global scan by third parties would not reveal any real FinSpy servers."

Rapid7 distributes the wildly popular and free Metasploit, so Muench then complained to Bloomberg. "Why is no one making a fuss about the free malware available through their website which is completely unrestricted and could and does go anywhere? Can Rapid7 claim that they have never directly or indirectly supplied malwares worldwide?"

This is not the first time the surveillance industry has objected when spying secrets on mass monitoring are exposed to the harsh light of public scrutiny. In case you don't know, Metasploit "provides the security industry with a way to test their defenses against known exploits that are already being abused, and levels the playing field with malicious attackers." It seems sad that Rapid7 even had to issue a statement due to Gamma/FinFisher, but it said "Metasploit is not malware."


Copyright © 2012 IDG Communications, Inc.
