FinFisher, a controversial spyware toolkit being used by oppressive regimes to track activists, can also take over smartphones, researchers announced last week.
Earlier this year, Bahraini activists sent U.S.-based researchers samples of computer spyware that was being delivered through spoofed emails. When downloaded onto Windows systems, the spyware would record Skype calls, copy emails, take screenshots, capture keystrokes, and send the data to remote servers (command and control centres, or C&C). So far, with the help of Rapid7, C&Cs have been found in 15 countries across five continents, including the United States, Australia, Singapore and Bahrain. In most cases it's unclear if the governments of these countries are manning the servers or if they're just intermediaries.
The researchers, led by Citizen Lab, identified the spyware as part of the FinFisher toolkit sold by UK-based Gamma International. Gamma markets the products as software to help governments and law enforcement agencies capture criminals, but privacy advocates say it is being used by oppressive governments to clamp down on activists without criminal records.
"You're carrying a potential wire tap"
Shortly after Bloomberg broke the story about the PC version of FinFisher, samples of Gamma's mobile spyware, called FinSpy Mobile, were sent to researchers.
FinSpy Mobile has even more functionality: It monitors calls, texts, WhatsApp messages, and emails, captures keystrokes, steals contact lists, turns on the device microphone to record ambient sounds, and tracks owners via GPS. Citizen Lab posted a pretty thorough overview of how the Trojan works on iPhones, Androids, BlackBerries, Windows Mobiles, and Symbian devices.
Like the PC variant, FinSpy Mobile requires some sort of human interaction to infect devices. Although Citizen Lab hasn't confirmed seeing actual delivery methods, most likely they are being distributed through Trojanised, legitimate-looking apps attached to text messages and emails.
Bill Marczak, a computer science doctoral candidate at the University of California Berkeley who has been co-leading the research into Finfisher, is more worried about the mobile than the PC spyware.
"What scares me more is the possibility of mobile phone Trojans," Marczak told us. "Sure I've got my computer in my room, but my mobile phone follows me everywhere I go. It always knows my location, it has my contacts, email addresses, texts, Whatsapp conversations. It has a mic.”
He added: “You carry your phone everywhere and don’t even realise you're carrying a potential wire tap."
The scale of spying
For now, FinSpy Mobile isn't your everyday consumer security concern, as it only appears to be used in specifically aimed attacks on activists living in oppressive regimes.
In a blog post last Thursday, ESET researcher Cameron Camp wrote that FinFisher hasn't been seen in large-scale industrial attacks, but rather in limited, highly-targeted attacks.
He noted: "Obviously, if your company is doing business in the Middle East you are already on high alert for attacks of this type.”
Bigger picture repercussions, like the potential spread of FinSpy Mobile to the masses, or the issue of who Gamma International should be allowed to sell its products to, are another discussion altogether.
That said, the research does present some useful lessons for consumers.
The first one is dead obvious for most security-conscious smartphone owners: Don't install apps from untrusted sources.
Will installing an antivirus app help? Sort of. According to Marczak: "As we saw with respect to the desktop version of FinFisher, antivirus alone isn't enough, as it bypassed antivirus scans."
By now some antivirus providers will hopefully have updated their signatures to include FinSpy. There are additional precautions you can take, however, as Marczak advises:
1. Don't click on unknown links or download attachments if you aren't confident in the sender.
2. Don't give your device to untrusted people who might secretly install the malware on your device.
3. For the same reason, password-protect your phone.
4. Keep your operating system and apps patched (yes, that's a problem for Android).
5. For Android owners, activate the built-in encryption, which requires a password to decrypt every time you turn on your device.
Encrypted communication protocols are a good idea, but Marczak said they wouldn't protect you from this type of threat, since FinFisher infects devices before an encrypted call or text even leaves the device. "Skype likes to talk about how it encrypts communications, but FinSpy intercepts calls before they even go out," he said.