FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows.
The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyber weapon.
The hunt for clues to the software’s deployment has gained speed since July, when research based on e-mails obtained by Bloomberg News identified what looked like a FinFisher product that infects personal computers. In that case, the malware targeted activists from the Persian Gulf kingdom of Bahrain.
The latest analysis, led by security researcher Morgan Marquis-Boire, may demonstrate how such spyware can reach a broader range of devices to follow their owners’ every move.
“People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research. “These are the tools that can be used to turn on your microphone and turn your phone into a tracking device.”
Transforming Surveillance
The findings -- which are consistent with Gamma’s own promotional materials for a FinFisher product called FinSpy Mobile -- illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into people’s digital devices.
FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.
“I can confirm that Gamma supplies a piece of mobile intrusion software -- FinSpy Mobile,” Gamma International GmbH Managing Director Martin J. Muench said in an Aug. 28 e-mail. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”
Muench, who is based in Munich, said his company didn’t sell FinFisher spyware to Bahrain. “I am still investigating how a piece of our software went astray,” he said in his e-mail.
In a news release today, Gamma said that information from its sales demonstration server had been stolen at an unknown time by unknown methods.
FinSpy Marker
“The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.” The Gamma statement said that while its demo products contain the word “FinSpy” -- a marker the researchers used to help identify samples -- its more sophisticated operational products don’t.
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.
Muench says that Gamma only sells to governments and their agencies and complies with the export regulations of the U.K., U.S. and Germany.
More Samples
The July report on Bahrain led security professionals and activists to give Marquis-Boire’s team additional samples of malware for testing.
Several of those samples became the basis of the new report, and include what appear to be a FinSpy Mobile demonstration copy and live versions sent to actual targets.
The report contains no information about any individuals who were targeted, or whether devices were infected.
In December, anti-secrecy website WikiLeaks published a promotional brochure and video for FinSpy Mobile. The video shows a BlackBerry user receiving a message to click on a link for a fake update -- and then making the mistake of doing so.
“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says.
Systems that can be targeted include Microsoft Corp. (MSFT)’s Windows Mobile, the Apple iPhone’s iOS and BlackBerry and Google Inc. (GOOG)’s Android, according to the company’s literature. Today’s report says the malware can also infect phones running Symbian, an operating system made by Nokia Oyj (NOK1V), and that it appears the program targeting iOS will run on iPad tablets.
Simple Process
A mobile device’s user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy.
As Gamma’s promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks as if it comes from the phone maker, and asking the user to “please install this system update,” Marquis-Boire says.