Following on the heels of last month's first-ever public analysis of the elusive spyware FinSpy, security researchers at Citizen Lab have released an analysis of samples that appear to be FinSpy Mobile, the smartphone component in the FinFisher toolkit. As with last month's analysis, Bloomberg has published an early report summarizing the technical analysis and describing responses from the companies in question.
The FinFisher suite is developed by the UK-based Gamma Group, which faces troubling questions about its use by repressive regimes around the world. EFF has called for companies that produce surveillance technology for use by governments and law enforcement agencies to adopt "Know Your Customer" standards, like those required by Foreign Corrupt Practices Act and other export regulations, in order to avoid becoming "repression's little helper." An EFF white paper from April of this year, "Human Rights and Technology Sales," addresses this issue in detail.
The samples studied by the researchers collectively work on nearly all major smartphone platforms, with the capability to collect and transmit information ranging from GPS location data to the content of voice calls and text messages. The programs created for different smartphone platforms vary, but the Citizen Lab analysis of the Windows Mobile version describes the following software modules as an example of the possible scope of the surveillance:
AddressBook: Providing exfiltration of details from contacts stored in the local address book.
CallInterception: Used to intercept voice calls, record them and store them for later transmission.
PhoneCallLog: Exfiltrates information on all performed, received and missed calls stored in a local log file.
SMS: Records all incoming and outgoing SMS messages and stores them for later transmission.
Tracking: Tracks the GPS locations of the device.
In addition to the description of the software's functions, Citizen Lab's analysis of the command-and-control servers raises serious questions about the customers for Gamma Group's products. The company has been defensive about the use of its products by repressive governments, insisting that it only sells to legitimate government agencies and does not break the law. That characterization may be at odds with the discovery of a command-and-control server in the Ministry of Communications of Turkmenistan, classified by Human Rights Watch as "one of the world's most repressive countries." In December, German public broadcaster NDR's ZAPP investigative journalism program aired a report alleging that Gamma had worked with Swiss Dreamlab AG to sell spyware to Turkmenistan. At the time, ZAPP was unable to prove that the products were actually operating in the country, but the discovery of the command-and-control server running in Turkmenistan is consistent with ZAPP's allegations.
Gamma Group has maintained that the FinSpy software discovered in use in Bahrain and elsewhere has been unlicensed and unauthorized, or modified demonstration versions. Indeed, some of the FinSpy Mobile packages have indications of being demostration software, connecting to subdomains of the Gamma International website labelled "demo." But other samples have been analyzed that do not connect to any "demo" subdomain. One published sample sends data back to an IP address and a phone number in Indonesia, while another sends its data back to a IP address in the Czech Republic.
FinSpy Mobile is a Trojan, which means that it depends on deceiving the user into approving its installation. It does this by using apparently innocuous names and descriptions, ranging from "install_manager.app" on iOS to "Android Services" on Android.
In a statement to Bloomberg News, Microsoft, Nokia, and RIM each provided similar advice: avoid downloading or clicking on unknown attachments. Additionally, users should monitor what permissions an application requests during installation, rejecting reject software that overreaches, and avoid giving untrusted parties physical access to the smartphone device itself.
As with the FinSpy analysis, the new information about FinSpy Mobile will allow vulnerable and at-risk users to better understand the threat of government surveillance and make better judgements to protect their security and privacy. This software is sophisticated and powerful, but this work from security researchers and vigilance from users can help to limit its distribution and use.