FinSpy Malware Can Intercept Messages on FB Messenger, Skype, Signal, and Other Platforms
The homepage of a German company called Gamma Group claims that it provides 'turnkey telecommunications solutions, expertise, and consultancy'. But is this really all there is to it?
Well, have a look at an archived version of Gamma Group's website, and you'll notice that six years ago, it had quite a few more things on it. Among them was an ad for what Gamma called an "IT intrusion" tool by the name of FinFisher which could allegedly give law enforcement and intelligence agencies "unsurpassed IT investigation and surveillance techniques within the IT environment". In other, clearer words, Gamma Group was selling a spyware program.
FinFisher, also known as FinSpy, might be gone from Gamma Group's website, but it certainly hasn't disappeared from the face of the earth. Recently, for example, researchers from Kaspersky noticed dozens of infections in Myanmar, and after some investigation, they saw FinSpy-related activity "in almost 20 countries".
FinSpy is as formidable as ever
FinSpy has been through a lot. The desktop version had already made a name for itself when in 2012, Gamma Group released implants for Android, iOS, and other mobile operating systems that were popular at the time. In 2014, however, hackers leaked about 40GB worth of source code and internal data related to FinSpy, which made detection and protection much easier. The spyware's developers basically started from scratch, and over the last five years or so, they have been hard at work.
Historically, FinSpy's desktop incarnation has been a bit more versatile than the mobile one, but the Android and iOS implants Kaspersky analyzed come with so many different functions that they could very well make FinSpy's mobile version the weapon of choice for many intelligence agencies.
The capabilities that you'd expect from a serious spying tool are all there. FinSpy can steal and hide SMS messages, emails, and files, and it can also track the target's geolocation and record their phone calls. A network of anonymized proxies ensures that the location of FinSpy's operators is not revealed during the data exfiltration process.
Instant messaging applications hit hard
Apparently, many FinSpy targets use instant messaging applications to communicate with other people. The malware comes with modules that can exfiltrate not only messages, but also contact lists, received files, and recordings of voice and video calls from a number of different chat apps. Predictably, popular services like Facebook Messenger, Skype, and Viber are on the list, but there are also apps that supposedly keep your conversations private like WhatsApp, Telegram, and Signal.
There are still a few improvements to be made
FinSpy for iOS, in particular, does have one or two problems. Remote infection on devices that haven't been jailbroken is not possible, which means that physical access might be required. Even then, an infection with the implants Kaspersky analyzed won't be possible if the iDevice runs iOS 12 or newer. To give you an idea of what this means, iOS 12.x is currently installed on just over 84% of all iPhones and iPads. The Android implant also needs a rooted device in order to work, though it comes with a Dirty Cow exploit that can sort things out.
These details do limit the number of potential targets somewhat, but FinSpy definitively shows that the spyware's developers are nothing if not motivated to continue improving their surveillance tools, so the problems will likely be ironed out sooner or later. This is something potential targets of government and intelligence agencies should bear in mind.