Toronto study shows mobile spyware's long shadow

Sep 01, 2012 by Nancy Owano report

Spyware sold legally can infect BlackBerrys, iPhones, and other mobile devices, according to a study from two security researchers at the University of Toronto Munk School of Global Affairs' Citizen Lab. Morgan Marquis-Boire and Bill Marczak, in their study "The SmartPhone Who Loved Me: FinFisher Goes Mobile?", focus on spyware that can be used by governments as well as law enforcement to commandeer phones. They analyzed samples that appear to be variants of the FinFisher toolkit and identified various command-and-control servers as well. They sought to follow the marks of the surveillance software from Bahrain across several continents.

Earlier this year, researchers had noted how activists in Bahrain were spied on with the software. They suggested that it appeared to be FinSpy, part of the FinFisher commercial surveillance toolkit. The Citizen Lab researchers said they have now also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia's Symbian platform, as well as Android, and that they have seen "structurally similar" Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

As for Apple devices, it appears that FinFisher spyware will run on , 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up.

FinFisher spyware comes from Gamma International in Andover, UK, part of the Gamma Group of companies. The company defines its FinFisher portfolio as "intrusion products" offered to "law enforcement and ." Outsiders are worried that such a tool, sold in the marketplace for off-the-shelf computer surveillance, can be used not only for going after , child molesters and criminals but also by repressive governments keeping a lid on all manner of dissent. The two researchers now find that mobile versions of the spyware have been customized for all the major mobile phones, regardless of brand.

Earlier this year, the researchers had pointed out that Bahrain dissenters had started getting e-mails with suspicious attachments. An intended target gets an email or text message on the phone and clicks the included link. The page that loads drops malicious code that pops up a fake system update message. If the user clicks on it, the spyware app is installed. After that, the remote system can record from the microphone, track locations, and monitor communications. In a previous report, "From Bahrain with Love: FinFisher's Spy Kit Exposed?", the researchers characterized the malware, and they suggested that it appeared to be FinSpy, part of the FinFisher product line. (Note the question marks used in titles for the two studies.)

Gamma's response, however, was that FinFisher was never sold to Bahrain. According to the company, a copy might have been stolen and re-engineered for some unauthorized use.

Morgan Marquis-Boire is a Technical Advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He works as a security engineer at Google. Bill Marczak is a computer science Ph.D. student at UC Berkeley and a founding member of Bahrain Watch.


User comments : 5


not rated yet Sep 01, 2012
Yesterday I read another article about global governmental misuse of Finspy and other spyware software packages. It disappeared?! Doesn't that disappearance bring MORE attention to spyware with 'James Bond' capabilities?

I ran a web search on 'finspy' and netted many interesting stories. Why remove the Physorg article?
not rated yet Sep 01, 2012

I looked at Citizenlab instead...
Here is the page they have posted about this:

Here is the link of the pdf of their paper:

Now what gets me is that people buy devices that always seem to have root access certificates. To me, it wasn't a big deal that 2 root Microsoft certificates were stolen and available years ago. It was the fact that as a consumer I was never told that MS had root access to my machine at any time they wanted. Same holds true here.
not rated yet Sep 02, 2012
It would be interesting to know the positions various device manufacturers take on this app.
Either admit it's approved, or take steps to ensure its removal.

At first I thought the Gamma Group (or whatever they are calling themselves) probably hate all this publicity. Then, I thought maybe not - this would help ensure a stream of customers for version 2, which might do a better job of cloaking itself.
not rated yet Sep 02, 2012
Did a double-take on the terminal screenshot in the article. Yes, that's Ubuntu-monospace :D
not rated yet Sep 02, 2012
Did a double-take on the terminal screenshot in the article. Yes, that's Ubuntu-monospace :D

Most Windows hex viewers are $$ commercial products, or nasty spyware-installing freeware. Makes sense to use Ubuntu/Linux Desktop for this, since a hex viewer is pretty much built-in.

In fact the only reason to use Windows nowadays for most Linux users is for editing .docx files, or for custom software.
