Dodgy-govt fave FinSpy snoopware is back and badder than ever for Android and iOS kit

Dictators, er, er, freedom-loving leaders' spyware choice gets upgrade, claims Kaspersky

A nasty new variant of the FinSpy snoopware tool that infects and slurps data from Android and iOS phones and tablets is being peddled, we're told.

Kaspersky said this week the notorious commercial spyware, developed by Gamma Group and sold by its subsidiary Gamma International to allegedly respectable governments, has been showing up in the wild since late last year, most recently in a group of devices located in Myanmar this June.

While FinSpy, also known as FinFisher, has been touted as mobile device surveillanceware as far back as 2012, the Kaspersky research team said this latest version is particularly invasive in its ability to collect user chats, physical movements, and stored files from a wide range of applications. The new code has been spotted in 20 countries, with the actual reach likely being much greater, it is claimed.

Bear in mind this software is typically deployed against selected targets, such as foreign agents, journalists, activists, and so on: it's not usually lobbed at the masses.

"Mobile implants for iOS and Android have almost the same functionality," Kaspersky said in its report on the matter.

"They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers."

Long a favorite tool of oppressive government regimes, FinSpy is classified as malware by most security firms and has been implicated in human-rights abuses.

Getting the malware onto the target's gizmo is, however, up to FinSpy's buyers. Kaspersky notes that while FinSpy uses a number of tricks to elevate its privileges once installed, actually getting the malware onto a mobile device requires spies to either have direct access to the handheld (not particularly hard for most dictatorships to accomplish) or use an exploit from a third party.

For iOS devices, the attacker will have to take the extra step of first jailbreaking the Apple phone or tablet – this is because the snooping capabilities of FinSpy depend on the Cydia package manager in iOS. On Android, the malware will attempt to get complete access through elevating itself to root by deploying the DirtyCow exploit on unpatched handsets.

"The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that Gamma's solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools," Kaspersky explains.

"That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented."

Once the malware is placed on the handheld, it looks not only for locally stored media and SMS messages, but also puts out feelers for any number of popular messaging apps like WhatsApp, Skype, BlackBerry Messenger and Signal. The spyware attempts to collect communications from those applications, and siphon them off to a server belonging to whoever bought and deployed the software nasty.

The spyware's customer is also given a set of tools to fine-tune the code for each infection, defining precisely which applications they want to target and what information they need to harvest. This makes FinSpy more practical for governments in geographical areas where one messaging app or means of communication is more popular than others.

The malware can also log keystrokes, record voice calls both on the cell network and over VoIP calling services, track the device's GPS location, and hide specific files and utilities on the device.

In short, the Kaspersky team says that despite being around for the better part of a decade, FinSpy remains as invasive and capable as it ever was.

"Since the leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market," they note. ®
