FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including iPhones and BlackBerrys, an analysis of presumed samples of the software shows.
Systems that can be targeted include Microsoft Corp.’s Windows Mobile, the Apple iPhone’s iOS, BlackBerry and Google Inc.’s Android, according to the company’s literature.
The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, published this week by the University of Toronto Munk School of Global Affairs’ Citizen Lab
. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyber weapon.
The hunt for clues to the software’s deployment has gained speed since July, when research based on e-mails obtained by Bloomberg News identified what looked like a FinFisher product that infects personal computers. In that case, the malware targeted activists from the Persian Gulf kingdom of Bahrain.
The latest analysis, led by security researcher Morgan Marquis-Boire, may demonstrate how such spyware can reach a broader range of devices to follow their owners’ every move.
“People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research. “These are the tools that can be used to turn on your microphone and turn your phone into a tracking device.”
The findings — which are consistent with Gamma’s own promotional materials for a FinFisher product called FinSpy Mobile — illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into peoples’ digital devices.
FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.
“I can confirm that Gamma supplies a piece of mobile intrusion software — FinSpy Mobile,” Gamma International GmbH Managing Director Martin J. Muench said in an Aug. 28 e-mail. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”
Muench, who is based in Munich, said his company didn’t sell FinFisher spyware to Bahrain. “I am still investigating how a piece of our software went astray,” he said in his e- mail.
In an Aug. 29 news release, Gamma said that information from its sales demonstration server had been stolen at an unknown time by unknown methods.
“The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.” The Gamma statement said that while its demo products contain the word “FinSpy” — a marker the researchers used to help identify samples — its more sophisticated operational products don’t.
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.
Muench says that Gamma sells only to governments and their agencies and complies with the export regulations of the U.K., U.S. and Germany.
The July report on Bahrain led security professionals and activists to give Marquis-Boire’s team additional samples of malware for testing.
Several of those samples became the basis of the new report, and include what appear to be a FinSpy Mobile demonstration copy and live versions sent to actual targets.
The report contains no information about any individuals who were targeted, or whether devices were infected.
In December, anti-secrecy website WikiLeaks published a promotional brochure and video for FinSpy Mobile. The video shows a BlackBerry user receiving a message to click on a link for a fake update — and then making the mistake of doing so.
“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says.
Systems that can be targeted include Windows Mobile, the Apple iPhone’s iOS and BlackBerry and Google’s Android, according to the company’s literature. Wednesday’s report says the malware can also infect phones running Symbian, an operating system that it appears the program targeting iOS will run on iPad tablets.
A mobile device’s user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy.
As Gamma’s promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks as if it comes from the phone maker, and asking the user to “please install this system update,” Marquis-Boire says.
Otherwise, without the use of a previously undiscovered vulnerability, the person sneaking the program onto a phone must gain physical access to the device or know its passwords, the study says.
The spyware doesn’t appear to take advantage of any vulnerability in the phones or their operating systems, the study says.
FinSpy software written for Windows Mobile shouldn’t be able to infect the newer Windows Phone system, which Microsoft introduced in 2010, said Claudio Guarnieri, a researcher for Boston-based security risk-assessment company Rapid7, who analyzed the Windows portion of the malware for the new report.
Redmond, Wash.-based Microsoft said its anti-malware software blocks the FinSpy Trojan, and that Windows Phone doesn’t allow for the installation of unknown, third-party software.
“We strongly encourage Windows Mobile owners to avoid clicking on or otherwise downloading software or links from unknown sources, including text messages,” Microsoft said in a statement.
“BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications,” Waterloo, Ont.-based RIM said in a statement. “We recommend customers only download applications from trusted sources to help protect against potentially malicious software.”
Espoo, Finland-based Nokia’s press office issued a statement saying users would need to actively choose to install an application such as FinFisher.
© Copyright 2014 Bloomberg News. All rights reserved.