Like any competitive company, a spyware vendor has to innovate when its proprietary data is exposed or stolen.
For the distributors of the notorious FinSpy spyware, the definitive moment came in 2014, when Gamma Group, the original company behind the product, was hacked and information about the software and clients was dumped online. Since then, FinSpy’s authors have revamped big portions of the software, improving the encryption and making the code harder for analysts to parse, according to new research from cybersecurity company Kaspersky.
The updated spyware implants for iOS and Android have been used in nearly 20 countries in the last year or so across Asia, Europe, and the Middle East, the researchers said Wednesday. In Myanmar, an ongoing campaign has infected several dozen phones. The researchers suspect there are many more victims out there, given how popular FinSpy has been with government clients.
“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” said Alexey Firsh, a security researcher at Kaspersky. “We observe victims of the FinSpy implants on a daily basis.”
Like spyware made by Israeli company NSO Group, FinSpy turns a mobile phone into a multifaceted surveillance device that can siphon off text messages, emails, GPS location, and more. The market for such technology is thriving, as more governments realize how effective the software can be in tracking targets domestically and abroad.
The companies insist that the spyware is only sold to licensed governments to hunt terrorists and criminals. But there is ample documentation of the software’s abuse. FinSpy was used to target critics of the Turkish government in 2017, according to digital rights advocacy Access Now. NSO Group’s Pegasus spyware has been used to target anticorruption watchdogs, political dissidents, and journalists in multiple countries, according to Amnesty International and Citizen Lab.
The most updated version of FinSpy has some particularly clever features for both iOS and Android, Kaspersky researchers found. One of the modules in the iOS version covers up the malware’s tracks by hiding from the list of applications displayed in the phone’s geolocation settings. For its part, the Android implant uses an exploit to gain root-level, or privileged, access to a device that isn’t configured for root access.
It’s generally harder to develop spyware for iOS, the iPhone’s operating system, because malware writers have to reverse-engineer the system manually, Firsh told CyberScoop. “When it comes to Android, such tools are freely available and very well described.”
In an email to CyberScoop, Gamma Group representative Louthean Nelson did not address the technical findings of the research. He instead dismissed the Kaspersky report, and said Gamma Group stopped spelling the product in 2012. FinFisher GmbH, which spun off into a reportedly independent company from Gamma in 2013, did not respond to a request for comment.
The use of spyware to abuse human rights has come under the microscope following the grisly murder of Saudi journalist Jamal Khashoggi last year. Pegasus was allegedly used to track Khashoggi before his murder, according to a lawsuit filed by a Saudi dissident. NSO Group denies the allegation.
Last month, the United Nations special rapporteur on freedom of speech said there should be a global moratorium on the sale and use of spyware until governments curb its abuses.
But it will likely take much more than that to put a dent in the spyware market. Firsh said his team is already working on analyzing newer samples of FinSpy.
UPDATE, 07/11/19, 9:48 a.m. EDT: This story has been updated with a comment from Gamma Group.