Published on July 10th, 2019 📆 | 2902 Views ⚑0
New versions of FinFisher mobile spyware discovered in Myanmar
The malware is designed to pillage mobile device data.
Security researchers from Kaspersky Lab have discovered new and improved versions of the FinFisher spyware.
The new versions, which target Android and iOS phones, have been in use since 2018, and the most recent FinFisher implants have been discovered active as late as last month, in Myanmar, a country in the midst of multiple human rights abuse scandals.
The upgraded FinFisher (FinSpy) versions are now capable of collecting and exfiltrating a wide array of personal data from infected phones, such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, and data from the phone’s RAM.
Furthermore, the samples can also record phone calls and dump images and messages from popular instant messaging clients.
FnFisher has always had implants for both desktop and mobile operating systems, but these new versions targeting smartphones put the mobile implants on par with the more advanced desktop versions.
FinFisher mobile implant capabilities
According to a technical analysis of the new samples, the Android and iOS versions have nearly identical capabilities, according to Kaspersky, with a few differences here and there in regards to infection methodology and supported IM clients.
Per the Russian antivirus vendor, the Android IM clients from which FinFisher can dump and steal chats, pictures, videos, and contacts, include Facebook Messenger, Skype, Signal, BlackBerry Messenger, Telegram, Threema, Viber, WhatsApp, Line, and InstaMessage.
On iOS, supported clients are Facebook Messenger, Skype, Threema, Signal, InstaMessage, BlackBerry Messenger, but also WeChat. Furthermore, on iOS, the new FinFisher version can also record VoIP calls made through IM clients, such as WhatsApp, Skype, Line, Viber, WeChat, Signal, BlackBerry Messenger, and KakaoTalk.
As for infection capabilities, the new FinFisher implant for iOS doesn’t work with the newer iOS 12.x, but support has been added for future developments, suggesting the company is actively looking to improve its tool.
Clues in the iOS implant’s code suggest remote infection vectors such as SMS, email, or WAP Push don’t work unless the device has been jailbroken.
If the iPhone has not been jailbroken, Kaspersky says the only infection vector is through physical access to the device — as the implant contains code that has been fine-tuned to clean traces of publicly available jailbreaking tools and hide the jailbreaking operation from the phone’s owner.
Jailbreaking doesn’t play a big role on Android smartphones, though. Kaspersky researchers say the FinFisher Android variant will look for tools like SuperSU and Magisk that are installed on the user’s phone, or use the DirtyCow exploit, to get root privileges.
FinFisher iOS and Android implants found in 20 countries
Since the detection of these new FinFisher implants for iOS and Android in late-2018, Kaspersky said they’ve identified infected phones across 20 countries.
“However, assuming the size of Gamma’s customer base, it’s likely that the real number of victims is much higher,” Kaspersky said.
The FinFisher spyware is a commercial malware kit manufactured and sold by Gamma Group, a UK and Germany-based company known for selling surveillance software to governments around the globe.
In 2014, a hacker breached the company’s servers and dumped Gamma’s hacking tools online, including the FinFisher kit. Since the incident, Gamma has worked years to rebuild its tool from the ground up, as the old kit became useless, being detected by all antivirus vendors.
While FinFisher mobile versions have existed for years, its desktop implants have been the ones that were usually being found in live infections, and not the mobile implants.
Notorious past incidents include when FinFisher was being deployed across two countries with the help of state-managed internet service providers; when the spyware was linked to the Indonesian government; or when FinFisher samples were found in war-torn Ukraine, presumably deployed by Russian hackers.