Mobile variants of the commercial FinSpy trojan are currently in circulation. Researchers from the University of Toronto’s Citizen Lab report that they have sighted mobile variants of FinSpy for Android, BlackBerry, iOS, Symbian and Windows Mobile devices. The location of the command and control (C&C) servers suggests target areas in the Middle East.
The commercial FinFisher FinSpy spyware trojan was created by Gamma International, and its development is believed to take place in Germany. The company sells its trojan toolkit – which is thought to currently support all major operating systems including Linux, Mac OS X and Windows – to governments for use by security agencies. Until now, relatively little was known about the mobile variant of the trojan.
Based on the available code samples, Citizen Lab is convinced that the mobile trojans it analysed are a mobile variant of FinSpy. The trojan is believed to be capable of monitoring rooms through silent calls, downloading files, tracking a user’s location, and forwarding phone calls, SMS text messages and emails. FinSpy can also apparently intercept BlackBerry Messenger messages. The trojan typically infects smartphones via specially crafted emails.
The iOS variant requires iOS 4 or later and is executable on all iPad models, on iPhone 4 and 4S devices, and on third and fourth generation iPod Touch devices. The app installs in the background, downloads further code, and injects this code into the startup routine, anchoring itself deep into the system. The researchers found “FinSpyV2” references in the binary. As the binary contains a valid developer certificate and an ad-hoc distribution profile, iOS devices accept it without the need for a jailbreak. The certificate was issued to Martin Münch – the managing director of Gamma International’s German subsidiary.
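Because an ad-hoc distribution profile lets a signed binary run on enrolled devices without a jailbreak, one defensive triage step is to inspect an app's embedded.mobileprovision and flag non-App-Store profiles. The following is an added example written for this article, not code from Citizen Lab or Gamma; the profile contents, device UDIDs and team name are constructed, and the CMS envelope is simulated with junk bytes rather than a real signature.

```python
import plistlib

# Constructed sample: a minimal ad-hoc style provisioning profile plist wrapped in
# junk bytes that stand in for the CMS (PKCS#7) envelope of a real
# embedded.mobileprovision file. UDIDs and team name are made up.
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00JUNK-CMS-HEADER"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Ad Hoc Profile</string>
    <key>TeamName</key><string>EXAMPLE TEAM (hypothetical)</string>
    <key>ProvisionedDevices</key>
    <array>
        <string>00000000000000000000000000000001</string>
        <string>00000000000000000000000000000002</string>
    </array>
    <key>Entitlements</key>
    <dict><key>get-task-allow</key><false/></dict>
</dict>
</plist>"""
    + b"JUNK-CMS-TRAILER"
)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope (signature is NOT verified here)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Classify a profile by the keys Apple uses: enterprise profiles carry
    ProvisionsAllDevices, device-restricted ones carry ProvisionedDevices,
    and get-task-allow distinguishes development from ad-hoc signing."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debug else "ad-hoc"
    return "app-store"


if __name__ == "__main__":
    prof = extract_plist(SAMPLE_PROFILE)
    print(prof["TeamName"], "->", classify_profile(prof))  # prints "... -> ad-hoc"
```

Anything classified as ad-hoc, development or enterprise on a device that should only run App Store software merits a closer look; a real triage would additionally verify the CMS signature chain and the profile's ExpirationDate.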
On Android smartphones, the program installs itself as a signed “Android Services” component, while on Symbian devices it identifies itself as a “System Update” originating from “Cyan Engineering Services”. The BlackBerry variant identifies itself as “rlc_channel_mode_updaters” and is signed with RIM keys. Several phone numbers could be extracted from the developer key, but they appear to be red herrings: the German number, for example, connects to a private residence. Under Windows Mobile, the FinSpy dropper masquerades as a system service in a similar way to the Android variant, calling itself “services.exe” and injecting two DLLs into smartphones.
The Citizen Lab researchers say that they have identified suspected FinFisher C&C servers in ten countries: Ethiopia, Bahrain, Brunei, Indonesia, Mongolia, Singapore, Turkmenistan and the United Arab Emirates, as well as the Netherlands and the Czech Republic. This list is partially, but not completely, identical to the findings in the FinFisher analysis by security researchers at Rapid7.
Spyware trojan toolkits seem to be en vogue: at the end of July, the Crisis trojan was found to be part of the Italian “Da Vinci” spyware, whose modules could infect Mac OS X and Windows devices as well as Windows Mobile smartphones.