New FinSpy tool works on iOS & Android, snoops on Telegram, Signal or Threema

News by Rene Millman

New versions of the advanced malicious surveillance tool FinSpy allow attackers to spy on all device activities and exfiltrate sensitive data such as GPS location, messages, pictures and calls.

FinSpy back again as security researchers warn of new versions
Surveillance tool targets iOS and Android phones
Security researchers have uncovered new versions of the advanced malicious surveillance tool FinSpy. The tools allow attackers to spy on all device activities and exfiltrate sensitive data such as GPS location, messages, pictures, calls and more.
The new versions work on both iOS and Android devices, can monitor activity on almost all popular messaging services, including encrypted ones, and hide their traces better than before, according to researchers.
In a blog post, researchers at Kaspersky said that the latest known versions of the malware extend the surveillance functionality to additional messaging services, including those considered ‘secure’, such as Telegram, Signal or Threema. They are also more adept at covering their tracks, researchers said.
For instance, the iOS malware, which targets iOS 11 and older versions, can now hide signs of jailbreak, while the new version for Android contains an exploit capable of gaining root privileges (almost unlimited, complete access to all files and commands) on an unrooted device.
FinSpy is an extremely effective software tool for targeted surveillance that has been observed stealing information from international NGOs, governments and law enforcement organisations all over the world. Its operators can tailor the behaviour of each malicious FinSpy implant to a specific target or group of targets.
 
The basic functionality of the malware includes almost unlimited monitoring of the device’s activities, such as geolocation, all incoming and outgoing messages, contacts, media stored on the device, and data from popular messaging services like WhatsApp, Facebook Messenger or Viber. All the exfiltrated data is transferred to the attacker via SMS messages or the HTTP protocol.
Based on the information available to Kaspersky, in order to successfully infect both Android and iOS-based devices, attackers need either physical access to the phone or an already jailbroken/rooted device. For jailbroken/rooted phones there are at least three possible infection vectors: SMS message, email, or push notifications.
According to Kaspersky telemetry, several dozen mobile devices have been infected over the past year.
"The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes. Moreover, they follow trends and implement functionality to exfiltrate data from applications that are currently popular. We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and installing them as soon as they are released. Because, regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying," said Alexey Firsh, security researcher at Kaspersky Lab.
 
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that these kinds of attacks are more likely targeted against high-level individuals, such as executives or those with access to sensitive information such as M&A, so it is probably not the type of attack that would be deployed against a large percentage of a company’s employees.
 
"iOS appears to be safer for now, with the exploit apparently only being able to run on jailbroken phones," he said.
