FinFisher

FinFisher, also known as FinSpy, is surveillance software marketed by Gamma International, also known as the Gamma Group, a software firm based in the United Kingdom which markets the spyware through law enforcement channels. Controversy has arisen because it was apparently marketed to government security officials who were told it could be covertly installed on suspects' computers by exploiting security lapses in the update procedures of non-suspect software. Egyptian dissidents who ransacked the offices of Egypt's secret police following the overthrow of Egyptian President Hosni Mubarak reported they discovered a contract with Gamma International for €287,000 for a license to run the FinFisher software.

Elements of the FinFisher suite
In addition to spyware, the FinFisher suite offered by Gamma to the intelligence community includes monitoring of ongoing developments and updating of solutions and techniques which complement those developed by intelligence agencies. The software suite, which the company calls "The Remote Monitoring and Deployment Solutions", has the ability to take control of target computers and capture even encrypted data and communications. Using "enhanced remote deployment methods" it can install software on target computers. An "IT Intrusion Training Program" is offered which includes training in methods and techniques and in use of the company-supplied software.

The suite is marketed in Arabic, English, German, French, Portuguese, and Russian and offered worldwide at trade shows which offer intelligence support system (ISS) training and products to law enforcement and intelligence agencies.

Method of infection
The surveillance suite is installed after the target accepts installation of a fake update to commonly used software. Code which will install the malware has also been detected in emails. The software, which is designed to evade detection by anti-virus software, has versions which work on mobile phones of all major brands.

A security flaw in Apple's iTunes allowed unauthorized third parties to use iTunes online update procedures to install unauthorized programs. Gamma International offered presentations to government security officials at security software trade shows, where they described how to covertly install the FinFisher spy software on suspects' computers using iTunes' update procedures.

The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs. Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch. Promotional videos used by the firm at trade shows, which illustrate how to infect a computer with the surveillance suite, were released by WikiLeaks in December 2011.

Use by repressive regimes
Its wide use by governments facing political resistance was reported in August 2012, after emails received by Bahraini activists were passed on in May 2012 by a Bloomberg reporter to computer researchers Bill Marczak, a graduate student, and Morgan Marquis-Boire, a researcher at the University of Toronto. Analysis of the emails revealed code, FinSpy, designed to install the spyware on the recipient's computer. A spokesman for Gamma claims no software was sold to Bahrain and that the software detected by the researchers was not a legitimate copy but perhaps a stolen, reverse-engineered, or modified demonstration copy. However, the detected software does have substantial capabilities.

Detection
Bill Marczak said of FinSpy mobile, "As we saw with respect to the desktop version of FinFisher, antivirus alone isn't enough, as it bypassed antivirus scans." Sara Yin predicts that antivirus vendors are likely to have updated their signatures to detect FinSpy mobile. ESET have announced detection of the desktop FinFisher as Win32/Belesak.D Trojan, and antivirus vendors have claimed they detect malware they know about regardless of origin or purpose.