Malware only hits Android and is only created by scumbags, right? Wrong. Malware can hit any operating system (regardless of how secure people claim XXX OS is) and can be used for “good” or evil. In this case the spotlight is on ‘FinFisher’, malware created by British company Gamma Group for use by law enforcement agencies.
Gamma Group has been creating ‘FinSpy’ for use by government agencies for a while now. ‘FinSpy Mobile’, which contains the malware known as FinFisher, is Gamma’s move into the modern mobile space, a trojan that allows remote control of iOS, Android, Windows Phone, BlackBerry, and Symbian devices. According to Gamma, once installed on a device, FinSpy Mobile can remotely control and monitor infected devices regardless of where the devices are located in the world. More specifically, FinSpy Mobile can do the following, according to Gamma:
- Recording of common communications like Voice Calls, SMS/MMS and Emails
- Live Surveillance through silent calls
- File Download (Contacts, Calendar, Pictures, Files)
- Country Tracing of Target (GPS and Cell ID)
- Full Recording of all BlackBerry Messenger communications
- Covert Communications with Headquarters
A study on FinFisher conducted by University of California doctoral student John Scott-Railton claims FinSpy is installed on devices either by downloading it through the web or through a fake “system update” text message notification. Once installed, FinFisher infects the device and Gamma (or whoever their clients are) can remotely access, control, and track it.
According to Scott-Railton, FinSpy does not appear to exploit any vulnerabilities in devices or operating systems to get itself installed; FinSpy gets onto devices by being installed just like any other app. However, this claim by Scott-Railton raises a few questions.
Android and BlackBerry provide users with the freedom to install apps that aren’t from their official app stores. So it is conceivable that FinSpy can infect Android and BlackBerry devices after a user downloads (and installs) FinSpy accidentally, assuming targeted devices have sideloading enabled, without FinSpy having to exploit any operating system vulnerabilities. However, iOS and Windows Phone block the installation of non-App Store/non-Windows Store apps so either FinSpy can only affect jailbroken iDevices and homebrewed Windows Phone devices or Scott-Railton is wrong.
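Since the claim is that FinSpy arrives as an ordinary sideloaded app rather than through an exploit, the defender's check that follows is an inventory of which installed packages did not come from the official store. This is an added example, not code from the original post or from Gamma; it assumes the output shape of `adb shell pm list packages -i -3` (`package:<name>  installer=<installer package>`, with `installer=null` when none was recorded), treats only the Play Store package name `com.android.vending` as a trusted installer, and the sample output it parses is constructed.

```python
"""Flag third-party packages whose recorded installer is not an official store.

Added example (not from the original post). Assumed input format is that of
`adb shell pm list packages -i -3`:
    package:<package name>  installer=<installer package or null>
The sample output below is constructed, not captured from a real device.
"""
import re
from typing import Dict, List, Set

# Assumption: the Play Store's package name is the only trusted installer.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample in the assumed `pm list packages -i -3` shape.
SAMPLE_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.sysupdate  installer=com.google.android.packageinstaller
package:com.example.game  installer=com.android.vending
package:com.example.helper  installer=null
"""


def parse_installers(text: str) -> Dict[str, str]:
    """Map each package name to its recorded installer ("null" if none)."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            # Unexpected line shape: skip it rather than misattribute a package.
            continue
        result[match.group("pkg")] = match.group("inst")
    return result


def sideloaded_packages(text: str, trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is not in the trusted set, sorted."""
    return sorted(
        pkg for pkg, inst in parse_installers(text).items() if inst not in trusted
    )


if __name__ == "__main__":
    # Usage: pipe real `adb shell pm list packages -i -3` output into
    # sideloaded_packages() instead of SAMPLE_OUTPUT.
    for pkg in sideloaded_packages(SAMPLE_OUTPUT):
        print("review:", pkg)
```

On the constructed sample this flags `com.example.sysupdate` (installed through the system package installer, which is what a manual sideload looks like) and `com.example.helper` (no installer recorded), while the two Play Store installs pass. Since Android 8.0 the global "Unknown sources" switch was replaced by a per-app "Install unknown apps" permission, so checking the installer of each package is more informative than reading a single setting.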
Since FinSpy Mobile is a commercial app (meaning it is designed to be sold to legitimate entities), the risk of being hit by FinSpy is low (unless you are specifically targeted by a client of Gamma Group). However, Gamma says they have lost a demonstration unit, so it is very possible some scumbag could acquire that demo unit, take FinSpy Mobile, and modify it for in-the-wild attacks.
If Scott-Railton’s claim is correct about no exploitation of OS vulnerabilities, then if you follow the rule of thumb of not downloading/installing stuff you don’t recognize — and try to stick to official app stores — you should stay safe from FinFisher regardless of what platform you are on. If Scott-Railton is wrong… then, well, let’s hope your mobile anti-virus recognizes FinFisher before it does any harm.