The existence of FinFisher, a commercial spyware toolkit created by UK-based Gamma Group International, has recently grabbed the attention of the general public when two security researchers from Toronto released the results of the analysis of FinSpy, a module that is part of the toolkit and gets installed on PCs.
The samples for the analysis were provided by two pro-democracy Bahraini activists who received them as attachments to spoofed emails, and the analysis revealed that FinSpy is a very thorough spying tool, capable of recording chats, screenshots and keystrokes, grabbing other information from infected systems, and passing it on to C&C servers set up by the attackers around the world.
Following this discovery, Gamma Group stated that they did not sell any of their products to Bahrain, and that the sample the researchers received was probably stolen or a result of reverse-engineering efforts.
Now those same researchers – Citizen Lab security researcher Morgan Marquis-Boire and Berkeley computer science doctoral candidate Bill Marczak – have received samples that prove that FinFisher also has a component that can spy on mobile users.
Called FinSpy Mobile, the spyware records calls, text messages, emails, downloaded files, keystrokes and ambient audio via the device’s microphone, makes silent calls, extracts contact lists and uses GPS to keep tabs on the user’s position.
No mobile user is safe, it seems, as FinSpy Mobile is able to compromise iOS, Android, BlackBerry, Windows Mobile and Symbian-run devices.
Still, the component can’t be installed without user interaction, and the researchers speculate that targets get infected via socially engineered emails, Trojanized apps, or even by someone they know who downloads and installs the malware on the device without the owner’s knowledge.
“We recommend that all users run Anti-Virus software, promptly apply (legitimate) updates when they become available, use screen locks, passwords and device encryption (when available),” the researchers advise. “Do not run untrusted applications and do not allow third parties access to mobile devices.”