Spyware Matching FinFisher Can Take Over IPhone and BlackBerry (Bloomberg)
Spyware Matching FinFisher Can Take Over IPhone and BlackBerry
By Vernon Silver - Aug 29, 2012 8:05 AM CT
FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows.
The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyber weapon.
The hunt for clues to the software’s deployment has gained speed since July, when research based on e-mails obtained by Bloomberg News identified what looked like a FinFisher product that infects personal computers. In that case, the malware targeted activists from the Persian Gulf kingdom of Bahrain.
The latest analysis, led by security researcher Morgan Marquis-Boire, may demonstrate how such spyware can reach a broader range of devices to follow their owners’ every move.
“People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research. “These are the tools that can be used to turn on your microphone and turn your phone into a tracking device.”
The findings -- which are consistent with Gamma’s own promotional materials for a FinFisher product called FinSpy Mobile -- illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into peoples’ digital devices.
FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.
“I can confirm that Gamma supplies a piece of mobile intrusion software -- FinSpy Mobile,” Gamma International GmbH Managing Director Martin J. Muench said in an Aug. 28 e-mail. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”
Muench, who is based in Munich, said his company didn’t sell FinFisher spyware to Bahrain. “I am still investigating how a piece of our software went astray,” he said in his e-mail.
In a news release today, Gamma said that information from its sales demonstration server had been stolen at an unknown time by unknown methods.
“The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.” The Gamma statement said that while its demo products contain the word “FinSpy” -- a marker the researchers used to help identify samples -- its more sophisticated operational products don’t.
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.
Muench says that Gamma only sells to governments and their agencies and complies with the export regulations of the U.K., U.S. and Germany.
The July report on Bahrain led security professionals and activists to give Marquis-Boire’s team additional samples of malware for testing.
Several of those samples became the basis of the new report, and include what appear to be a FinSpy Mobile demonstration copy and live versions sent to actual targets.
The report contains no information about any individuals who were targeted, or whether devices were infected.
In December, anti-secrecy website WikiLeaks published a promotional brochure and video for FinSpy Mobile. The video shows a BlackBerry user receiving a message to click on a link for a fake update -- and then making the mistake of doing so.
“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says.
Systems that can be targeted include Microsoft Corp. (MSFT)’s Windows Mobile, the Apple iPhone’s iOS, BlackBerry and Google Inc. (GOOG)’s Android, according to the company’s literature. Today’s report says the malware can also infect phones running Symbian, an operating system made by Nokia Oyj (NOK1V), and that it appears the program targeting iOS will run on iPad tablets.
A mobile device’s user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy.
As Gamma’s promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks like it comes from the phone maker, and asking the user to “please install this system update,” Marquis-Boire says.
Otherwise, without the use of a previously undiscovered vulnerability, the person sneaking the program onto a phone must gain physical access to the device or know its passwords, the study says.
The spyware doesn’t appear to take advantage of any vulnerability in the phones or their operating systems, the study says.
FinSpy software written for Windows Mobile shouldn’t be able to infect the newer Windows Phone system, which Microsoft introduced in 2010, said Claudio Guarnieri, a researcher for Boston-based security risk-assessment company Rapid7, who analyzed the Windows portion of the malware for the new report.
Redmond, Washington-based Microsoft said its anti-malware software blocks the FinSpy Trojan, and that Windows Phone does not allow for the installation of unknown, third-party software.
“We strongly encourage Windows Mobile owners to avoid clicking on or otherwise downloading software or links from unknown sources, including text messages,” Microsoft said in a statement.
“BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications,” Waterloo, Ontario-based RIM said in a statement. “We recommend customers only download applications from trusted sources to help protect against potentially malicious software.”
Espoo, Finland-based Nokia’s press office issued a statement saying users would need to actively choose to install an application such as FinFisher.
“Though we have seen claims made for similar products in the past, we have not had any reported incidents from customers as a result of such spyware,” the statement said. Nokia decided last year to abandon Symbian in favor of Windows Phone.
Cupertino, California-based Apple and Mountain View, California-based Google declined comment, spokeswomen for the companies said.
The new study also sheds light on FinFisher’s global reach, bolstering separate findings by researchers who said on Aug. 8 that computers in at least 10 countries on five continents show signs of being command servers to which computers infected by FinFisher send their pilfered data. That study was led by Guarnieri of Rapid7.
The research published today used the original Bahraini samples to establish a unique pattern in which command computers communicate with infected machines -- and then scanned computer networks for such patterns.
The scanning effort, led by Bill Marczak, a computer science doctoral candidate at the University of California Berkeley, turned up many of the same machines found by Guarnieri, who had used a different method. It also identified new countries, bringing the total number of nations with suspected command servers to at least 15.
The mobile-infecting samples obtained for the report, which transmit data via the Internet and text message, also provided clues to FinFisher’s deployment.
In one case, a sample was found transmitting to the same Internet address in the Czech Republic that Guarnieri had identified in his study as a likely FinFisher command computer.
It’s unclear if any government agencies in the countries identified in the studies are Gamma clients or if the users may be based in other countries.
A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions. A spokeswoman for the Defense Ministry said it has never used Gamma products. The Czech secret service didn’t respond to an e-mailed request for comment.
Gamma’s Muench said the focus on his product was unfair because there are other intrusion tools that lack the oversight provided by FinFisher, which is designed to gather evidence for use in court and is only sold to governments.
He pointed to Rapid7, which while investigating Gamma also distributes Metasploit, a product downloadable for free that contains a database of exploits, which hackers can use to take advantage of vulnerabilities in systems or software. Rapid7 markets Metasploit as a defensive tool for testing if computers can be penetrated.
“Why is no one making a fuss about the free malware available through their website which is completely unrestricted and could and does go anywhere?” Muench said in his e-mail. “Can Rapid7 claim that they have never directly or indirectly supplied malwares worldwide?”
Rapid7 said in a statement that it provides the security industry with a way to test their defenses against known exploits that are already being abused, and levels the playing field with malicious attackers. “Metasploit is not malware,” the statement said.
The research published today can be found at: https://citizenlab.org/2012/08/the-s...-who-loved-me- finfisher-goes-mobile.
Spyware Matching FinFisher Can Take Over IPhone and BlackBerry - Bloomberg
- 08-29-12, 09:15 AM #2
So it's a Trojan...these sensationalist articles are getting a bit old. Unless this thing breaks through Apple's sandbox or is able to obtain security rights without "asking" on a Blackberry phone, it's not even worthy of a news headline.
The identified samples contained the following files:
The .cod files are signed by RIM’s RBB, RCR, and RRT keys. RBB stands for “RIM BlackBerry Apps API,” which allows manipulation of BlackBerry apps, RCR stands for “RIM Crypto API,” which allows access to crypto libraries, and RRT stands for “RIM Runtime API,” which allows access to other phone functionality such as sending SMS messages.
The signature process is described in RIM’s documentation [pdf] about the Blackberry Signing Authority. First, a developer registers a public key with the Blackberry Signing Authority. In order to obtain a signed application, the developer submits a signature request (including his identity and a hash of the binary) signed with his private key to the Signing Authority. The Signing Authority verifies that the signer is authorized to make requests, and, if so, replies with a copy of the hash signed with the relevant RIM private key. The developer then appends the signature to his binary.
The .jad file contains the following hashes for the .cod files:
RIM-COD-SHA1-1: 2d 0a a2 b3 54 97 f7 35 fb 40 77 8e e1 ca 7f 8f 3e a0 aa 04
RIM-COD-SHA1: 0f 3b d8 d1 84 da 35 4e 10 94 89 c0 d6 08 70 ad 5e 7a f3 e0
The .jad file also contains a blob of base64 encoded data with the key “RIM-COD-Config.” This data contains the URL of the command & control server, TCP ports, phone numbers to exfiltrate data to via SMS, identifiers for the Trojan and target, active modules, and various other configuration parameters.
Decoding this reveals the following servers and phone numbers:
22.214.171.124 – Indonesia
+6281310781704 – Indonesia
+49456456456 – Germany
Upon installation, the user is presented with the following screen:
As evidenced by the above screenshot, the app is listed as:
TellCOM Systems LTD
Common Communication Update DSCH/USCH V32
Directly after installing, the application requests enhanced permissions:
The following screen pops up showing the requested permissions:
Scrolling down reveals:
After the user accepts these permissions, the sample attempts to connect to both Internet-based and SMS-based command & control servers. Another sample we analyzed appeared to write a debug log to the device’s filesystem. The following information was observed written to the log regarding communication with command & control services.
net.rmi.device.api.fsmbb.phone.PhoneInterface – connecting to http://demo-01.gamma-international.d...eviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
net.rmi.device.api.fsmbb.core.com.protocol.Heartbe atProtocolSMS – Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
net.rmi.device.api.fsmbb.core.com.protocol.Heartbe atProtocolSMS – Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
We decompiled the Blackberry sample. We provide a high-level overview of the more interesting classes that we successfully decompiled:
These appeared to contain a database comprising the following GSM APNs. The significance of this database is that it only includes a small set of countries and providers:
Germany: web.vodafone.de, internet.t-mobile
Indonesia: indosatgprs, AXIS, telkomsel, Sms | Setting Gprs | Bugil | America | Video | Adult Humor | Setingan Trik Nimbuzz at Xlgprs.net, 3gprs
Brazil: claro.com.br, wapgprs.oi.com.br, tim.br
This appears to do the main app installation, as well as uninstallation. Installation includes negotiating for enhanced permissions, base64-decoding the “RIM-COD-Config” configuration, and setting up and installing the Configuration. If the configuration contains a “removal date,” then automatic removal is scheduled for this time. Installation also involves instantiating “listener” modules, as specified below:
This appears to listen for changes to the address book. It implements the net.rim.blackberry.api.pim.PIMListListener interface.
This module logs and manipulates phone events, and appears to enable “remote listening” functionality, where the FinSpy Master can silently call an infected phone to listen to conversation in its vicinity (this is referred to as a SpyCall in the code). The module has a facility to hide incoming calls by manipulating the UI, cancelling buzzer and vibration alerts, and toggling the backlight. Upon instantiation, the module calls “*43#” to enable call waiting. If a remote listening call from the master is active, then legitimate incoming calls will trigger call waiting. The module detects these legitimate incoming calls, and places the SpyCall call on call waiting, presenting the legitimate incoming call to the user.
This appears to record sent and received email messages.
net.rmi.device.api.fsmbb.core.listener.MessengerOb server (Module #68)
This seems to record BBM messages. It appears to do this by periodically checking the path “file:///store/home/user/im/BlackBerry Messenger/”
This module implements:
Contrary to its name, OutboundMessageListener allows listening for both incoming and outgoing SMS messages. This module also checks for incoming SMS commands from the FinSpy Master. These commands can include an “emergency configuration” update, that can include new addresses and phone numbers for the FinSpy Master.
net.rmi.device.api.fsmbb.core.listener.WAObserver (Module #82)
This appears to monitor WhatsApp, the popular proprietary cross-platform messaging application. It locates the WhatsApp process ID by searching for module names that contain the string “WhatsApp.”
At some point, the module calls getForegroundProcessId to see if the WhatsApp process ID is in the foreground. If so, it seems to take a screenshot of the WhatsApp application, via Display.Screenshot. It appears that this screenshot is checked via “.equals” to see if there is any new information on the WhatsApp screen. If there is new information, the screenshot is then JPEG encoded via JPEGEncodedImage.encode.
Appears to contain the mechanics of communication with the command & control server, including the plaintext TLV-based wire protocol.
...end of excerpt...
- 08-29-12, 09:28 AM #4
Very well done with posting the detailed information. As with any BlackBerry application this will require permissions from the user, and BES admins can easily block this from ever installing. Users should not grant applications rights to their device that it doesnt need (always read before hitting allow) and NEVER to applications you do not recognize.
This is not the first of these applications, and surely wont be the last.
- 08-29-12, 10:42 AM #7
- 08-29-12, 10:42 AM #8
Edit: this only applies to end users, obviously not the same for BES admins.
- 08-29-12, 10:51 AM #11
Interestingly, Windows phone is apparently secure. "Redmond, Washington-based Microsoft said its anti-malware software blocks the FinSpy Trojan, and that Windows Phone does not allow for the installation of unknown, third-party software."
- 08-29-12, 10:54 AM #12
- 08-29-12, 10:55 AM #13
- CrackBerry Genius
08-29-12, 11:26 AM #14
- 2,300 Posts
No different that viruses on any computer.... In general terms most virus and torjans require use assitance to infect the device... on computers... there are what are called drive by websites that can actually infect your computer by merely visiting the offending site.... rare but does happen.... as this particular trojan may be Ios and BB the mechanism on all platforms are the same...
- 08-29-12, 12:56 PM #16
- CrackBerry User
08-29-12, 05:04 PM #17
- 44 Posts
Seeing as all BlackBerry Apps are digitally signed, if this application has been signed using RIMS signing key service surely the application if deemed malicious can be revoked? This way it wouldn't run and the developer can't update it. I'm not saying this application doesn't have potential uses, but as a developer I wanted to highlight the precautions already in place to prevent malware on your BlackBerry devices.
- 08-29-12, 05:31 PM #18
I don't see an obvious way for this trojan to hijack the auto-update processes which may be pushed from carriers or software manufacturers. Even these require user confirmation at install time on a BlackBerry device.
- CrackBerry Genius of Geniuses
08-29-12, 10:27 PM #19
- 12,732 Posts
- Optional, but not needed.
Calling male cow. Not happening, unless someone isn't smart enough to make a reasonable decision. Use common sense, like I do. Don't just install everything you see. You wouldn't want to end up with thousands of toolbars in your browser, or have zero bytes of free space on any device from everything you installed without thinking and then wondering "where did all the space go?".