
Tuesday 4 September 2012

Lessons Learnt From FinFisher Mobile Spyware


FinFisher, a controversial spyware toolkit being used by oppressive regimes to track activists, can also take over smartphones, researchers unveiled on Wednesday.  

Earlier this year, Bahraini activists sent U.S.-based researchers samples of computer spyware that was being delivered through spoofed emails. When downloaded onto Windows systems, the spyware would record Skype calls, copy emails, take screenshots, capture keystrokes, and send the data to remote servers (command and control centers, or C&C). So far, with the help of Rapid7, C&Cs have been found in 15 countries across five continents, including the United States, Australia, Singapore, and Bahrain. In most cases it's unclear whether the governments of these countries are manning the servers or are just intermediaries.

The researchers, led by Citizen Lab, identified the spyware as part of the FinFisher toolkit sold by UK-based Gamma International. Gamma markets the products as software to help governments and law enforcement agencies capture criminals, but advocates say it is being used by oppressive governments to clamp down on activists without criminal records. 

"You're Carrying a Potential Wire Tap"
Shortly after Bloomberg broke the story about the PC version of FinFisher, samples of Gamma's mobile spyware, called FinSpy Mobile, were sent to researchers.

FinSpy Mobile has even more functionality: it monitors calls, texts, WhatsApp messages, and emails, captures keystrokes, steals contact lists, turns on the device microphone to record ambient sounds, and tracks owners by GPS. Citizen Lab posted a pretty thorough overview of how the Trojan works on iPhones, Androids, BlackBerries, Windows Mobiles, and Symbian devices. 

Like the PC variant, FinSpy Mobile requires some sort of human interaction to infect devices. Although Citizen Lab hasn't confirmed seeing actual delivery methods, it is most likely being distributed through Trojanized, legitimate-looking apps attached to text messages and emails.

Bill Marczak, a computer science doctoral candidate at the University of California Berkeley who has been co-leading the research into FinFisher, is more worried about the mobile than the PC spyware.

"What scares me more is the possibility of mobile phone Trojans," Marczak told Security Watch. "Sure I've got my computer in my room, but my mobile phone follows me everywhere I go. It always knows my location, it has my contacts, email addresses, texts, Whatsapp conversations. It has a mic," he said. "You carry your phone everywhere and don’t even realize you're carrying a potential wire tap."

The Takeaway For You and Me
For now, FinSpy Mobile isn't your everyday consumer security concern, as it only appears to be used in highly targeted attacks on activists living in oppressive regimes.

In a blog post on Thursday, ESET researcher Cameron Camp wrote that FinFisher hasn't been seen in large-scale industrial attacks, but rather in limited, highly targeted attacks. "Obviously, if your company is doing business in the Middle East you are already on high alert for attacks of this type," he wrote. Bigger-picture repercussions, like the potential spread of FinSpy Mobile to the masses, or who Gamma International should be allowed to sell its products to, are another discussion altogether.

That said, the research does present some useful lessons for consumers. 

The first one is dead obvious for most security-conscious smartphone owners: don't install apps from untrusted sources.

Will installing an antivirus app help? Sort of. According to Marczak, "As we saw with respect to the desktop version of FinFisher, antivirus alone isn't enough, as it bypassed antivirus scans." By now most leading antivirus providers have updated their signatures to include FinSpy, but that wouldn't have helped you, say, last week.

That's why Marczak advises taking a few additional precautions:
  1. Don't click on unknown links or download attachments if you aren't confident in the sender
  2. Don't give your device to untrusted people who might secretly install the malware on your device
  3. For the same reason, password-protect your phone
  4. Keep your OSes and apps patched (yes, that's a problem for Android) 
  5. For Android owners, activate the built-in encryption, which requires a password to decrypt every time you turn on your device.

Encrypted communication protocols are a good idea, but Marczak said they wouldn't protect you from this type of threat, since FinFisher infects devices before an encrypted call or text even leaves the device. "Skype likes to talk about how it encrypts communications, but FinSpy intercepts calls before they even go out," he said.

Source: Pcmag.com

