New versions of FinFisher mobile spyware discovered in Myanmar

New and upgraded versions of FinFisher spyware for Android and iOS discovered in 20 countries.

Spyware campaign spreading across Middle East targets Android phones The malware is designed to pillage mobile device data.

CNET

Best Phones for 2019

Our editors hand-picked these products based on our tests and reviews.

Read More

Security researchers from Kaspersky Lab have discovered new and improved versions of the FinFisher spyware.

The new versions, which target Android and iOS phones, have been in use since 2018, and the most recent FinFisher implants have been discovered active as late as last month, in Myanmar, a country in the midst of multiple human rights abuse scandals.

The upgraded FinFisher (FinSpy) versions are now capable of collecting and exfiltrating a wide array of personal data from infected phones, such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, and data from the phone's RAM.

Furthermore, the samples can also record phone calls and dump images and messages from popular instant messaging clients.

FnFisher has always had implants for both desktop and mobile operating systems, but these new versions targeting smartphones put the mobile implants on par with the more advanced desktop versions.

FinFisher mobile implant capabilities

According to a technical analysis of the new samples, the Android and iOS versions have nearly identical capabilities, according to Kaspersky, with a few differences here and there in regards to infection methodology and supported IM clients.

Per the Russian antivirus vendor, the Android IM clients from which FinFisher can dump and steal chats, pictures, videos, and contacts, include Facebook Messenger, Skype, Signal, BlackBerry Messenger, Telegram, Threema, Viber, WhatsApp, Line, and InstaMessage.

On iOS, supported clients are Facebook Messenger, Skype, Threema, Signal, InstaMessage, BlackBerry Messenger, but also WeChat. Furthermore, on iOS, the new FinFisher version can also record VoIP calls made through IM clients, such as WhatsApp, Skype, Line, Viber, WeChat, Signal, BlackBerry Messenger, and KakaoTalk.

As for infection capabilities, the new FinFisher implant for iOS doesn't work with the newer iOS 12.x, but support has been added for future developments, suggesting the company is actively looking to improve its tool.

Clues in the iOS implant's code suggest remote infection vectors such as SMS, email, or WAP Push don't work unless the device has been jailbroken.

If the iPhone has not been jailbroken, Kaspersky says the only infection vector is through physical access to the device -- as the implant contains code that has been fine-tuned to clean traces of publicly available jailbreaking tools and hide the jailbreaking operation from the phone's owner.

Jailbreaking doesn't play a big role on Android smartphones, though. Kaspersky researchers say the FinFisher Android variant will look for tools like SuperSU and Magisk that are installed on the user's phone, or use the DirtyCow exploit, to get root privileges.

FinFisher iOS and Android implants found in 20 countries

Since the detection of these new FinFisher implants for iOS and Android in late-2018, Kaspersky said they've identified infected phones across 20 countries.

While FinFisher mobile versions have existed for years, its desktop implants have been the ones that were usually being found in live infections, and not the mobile implants.

Notorious past incidents include when FinFisher was being deployed across two countries with the help of state-managed internet service providers; when the spyware was linked to the Indonesian government; or when FinFisher samples were found in war-torn Ukraine, presumably deployed by Russian hackers.


Updated July 23 2019: A previous version of this article cited a Gamma Group as the company who created the FinFisher malware. Gamma Group has contacted Kaspersky and ZDNet to note that they have not owned FinFisher since 2013. We have amended this story accordingly.   

Related malware and cybercrime coverage: