Has FinSpy gone mobile?

“The Gamma Group of companies, established in 1990, provides advanced technical surveillance, monitoring solutions, and advanced government training, as well as international consultancy to National and State Intelligence Departments and Law Enforcement Agencies,” blandly boasts their web page.

But earlier this year, “Bahraini Human Rights activists were targeted by an email campaign that delivered a sophisticated Trojan,“ say online privacy and security researchers at Canada’s Citizen Lab, continuing:

“In From Bahrain with Love: FinFisher’s Spy Kit Exposed? we characterized the malware, and suggested that it appeared to be FinSpy, part of the FinFisher commercial surveillance toolkit. Vernon Silver concurrently reported our findings in Bloomberg, providing background on the attack and the analysis, and highlighting links to FinFisher’s parent company, Gamma International.

“After these initial reports, Rapid7, a Boston-based security company, produced a follow-up analysis that identified apparent FinFisher Command and Control (C&C) servers on five continents. After the release of the Rapid7 report, Gamma International representatives spoke with Bloomberg and The New York Times’ Bits Blog, and denied that the servers found in 10 countries were instances of their products.

“It is one of the more elusive commercial cyberespionage tools available,” says the New York Times.  “It is marketed as a way for governments to spy on criminals. And for over a year, virus hunters unsuccessfully tried to track it down. Now it is popping up across the globe, from Qatar to an Amazon server in the United States,”

States Bloomberg News, “ For the past year, human rights advocates and virus hunters have scrutinized FinFisher, seeking to uncover potential abuses. They got a glimpse of its reach when a FinFisher sales pitch to Egyptian state security was uncovered after that country’s February 2011 revolution. In December, anti-secrecy website WikiLeaks published Gamma promotional videos showing how police could plant FinFisher on a target’s computer.”

Now, under the heading  the smart phone who loved me, has FinFisher gone mobile? – ask Security asks Citizen Lab.

For more than a year, virus hunters unsuccessfully tried to track it down.

The Citizen Lab  has announced the release of a  virtual blow-by-blow analysis  of what Finspy does, and how it does it. It’s a collaborative research report written and coordinated by Morgan Marquis-Boire analyzing  “several samples we believe to be mobile variants of the FinFisher Spy Kit targeting iPhone, Android, Blackberry, Windows Mobile and Symbian platforms.”

The emails “generally suggested that the attachments contained political content of interest to pro-democracy activists and dissidents,” it says. To disguise the nature of the attachments, a  “malicious usage of the cluster 3righttoleftoverride’ (RLO) character was employed, ”  say the researchers, continuing,  “The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as ‘exe.Rajab1.jpg’ (for example), along with the default Windows icon for a picture file without thumbnail,”.

“But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as “gpj.1bajaR.exe”. Believing that they are opening a harmless ‘.jpg’, victims are instead tricked into running an executable “.exe” file.”

Once executed,  “these files install a multi-featured trojan on the victim’s computer,  says the research paper, going on,

“This malware provides the attacker with clandestine remote access to the victim’s machine as well as comprehensive data harvesting and exfiltration capabilities.

States the Citizen Lab, Among the capabilities of the Spy Kit samples we analyzed are:

  • Recording of common communications like Voice Calls, SMS/MMS and Emails
  • Live surveillance through silent calls
  • File download (Contacts, Calendar, Pictures, Files)
  • Country tracing of target (GPS and Cell ID)
  • Full recording of all BlackBerry Messenger communications
  • Covert communications with headquarters

The report also analyzes the results of an ongoing scan for FinFisher command and control servers, and identifies potential servers in the following countries: Bahrain, Brunei, the Czech Republic, Ethiopia, Indonesia, Mongolia, Singapore, the Netherlands, Turkmenistan, and the United Arab Emirates.