Research Sheds Light On Scary New Surveillance Apps for Smartphones
Following on the heels of last month's first-ever public analysis of the elusive spyware FinSpy, security researchers at Citizen Lab have released an analysis of samples that appear to be FinSpy Mobile, the smartphone component in the FinFisher toolkit. As with last month's analysis, Bloomberg has published an early report summarizing the technical analysis and describing responses from the companies in question.
The FinFisher suite is developed by the UK-based Gamma Group, which faces troubling questions about its use by repressive regimes around the world. EFF has called for companies that produce surveillance technology for use by governments and law enforcement agencies to adopt "Know Your Customer" standards, like those required by Foreign Corrupt Practices Act and other export regulations, in order to avoid becoming "repression's little helper." An EFF white paper from April of this year, "Human Rights and Technology Sales," addresses this issue in detail.
The samples studied by the researchers collectively work on nearly all major smartphone platforms, with the capability to collect and transmit information ranging from GPS location data to the content of voice calls and text messages. The programs created for different smartphone platforms vary, but the Citizen Lab analysis of the Windows Mobile version describes the following software modules as an example of the possible scope of the surveillance:
AddressBook: Providing exfiltration of details from contacts stored in the local address book.
CallInterception: Used to intercept voice calls, record them and store them for later transmission.
PhoneCallLog: Exfiltrates information on all performed, received and missed calls stored in a local log file.
SMS: Records all incoming and outgoing SMS messages and stores them for later transmission.
Tracking: Tracks the GPS locations of the device.
In addition to the description of the software's functions, Citizen Lab's analysis of the command-and-control servers raises serious questions about the customers for Gamma Group's products. The company has been defensive about the use of its products by repressive governments, insisting that it only sells to legitimate government agencies and does not break the law. That characterization may be at odds with the discovery of a command-and-control server in the Ministry of Communications of Turkmenistan, classified by Human Rights Watch as "one of the world's most repressive countries." In December, German public broadcaster NDR's ZAPP investigative journalism program aired a report alleging that Gamma had worked with Swiss Dreamlab AG to sell spyware to Turkmenistan. At the time, ZAPP was unable to prove that the products were actually operating in the country, but the discovery of the command-and-control server running in Turkmenistan is consistent with ZAPP's allegations.
Gamma Group has maintained that the FinSpy software discovered in use in Bahrain and elsewhere has been unlicensed and unauthorized, or modified demonstration versions. Indeed, some of the FinSpy Mobile packages have indications of being demostration software, connecting to subdomains of the Gamma International website labelled "demo." But other samples have been analyzed that do not connect to any "demo" subdomain. One published sample sends data back to an IP address and a phone number in Indonesia, while another sends its data back to a IP address in the Czech Republic.
FinSpy Mobile is a Trojan, which means that it depends on deceiving the user into approving its installation. It does this by using apparently innocuous names and descriptions, ranging from "install_manager.app" on iOS to "Android Services" on Android.
In a statement to Bloomberg News, Microsoft, Nokia, and RIM each provided similar advice: avoid downloading or clicking on unknown attachments. Additionally, users should monitor what permissions an application requests during installation, rejecting reject software that overreaches, and avoid giving untrusted parties physical access to the smartphone device itself.
As with the FinSpy analysis, the new information about FinSpy Mobile will allow vulnerable and at-risk users to better understand the threat of government surveillance and make better judgements to protect their security and privacy. This software is sophisticated and powerful, but this work from security researchers and vigilance from users can help to limit its distribution and use.
Recent DeepLinks Posts
Jul 6, 2015
Jul 6, 2015
Jul 6, 2015
Jul 2, 2015
Jul 1, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games