FinFisher, also known as FinSpy,[1] is surveillance software marketed by Gamma International, also known as the Gamma Group, a software firm based in the United Kingdom[2] which markets the spyware through law enforcement channels.[1] Controversy has resulted from it having apparently been marketed to government security officials who were told it could be covertly installed on suspects' computers through exploiting security lapses in the update procedures of non-suspect software.[3][4][5] Egyptian dissidents who ransacked the office's of Egypt's secret police following the overthrow of Egyptian President Hosni Mubarak reported they discovered a contract with Gamma International for €287,000 for a license to run the FinFisher software.[6]

Elements of the FinFisher suite[edit | edit source]

In addition to spyware the FinFisher suite offered by Gamma to the intelligence community includes monitoring of ongoing developments and updating of solutions and techniques which complement those developed by intelligence agencies.[7] The software suite, which the companies calls "The Remote Monitoring and Deployment Solutions" has the ability to take control of target computers and capture even encrypted data and communications. Using "enhanced remote deployment methods" it can install software on target computers.[8] An "IT Intrusion Training Program" is offered which includes training in in methods and techniques and in use of the company supplied software.[9]

The suite is marketed in Arabic, English, German, French, Portuguese, and Russian and offered worldwide at trade shows which offer intelligence support system, ISS, training and products to law enforcement and intelligence agencies.[10]

Method of infection[edit | edit source]

The surveillance suite is installed after the target accepts installation of a fake update to commonly used software.[3] Code which will install the malware has also been detected in emails.[11] The software, which is designed to evade detection by anti-virus software, has versions which work on mobile phones of all major brands.[1]

A security flaw in Apple's iTunes allowed unauthorized third parties to use iTunes online update procedures to install unauthorized programs.[4][5] Gamma International offered presentations to government security officials at security software trade shows where they described to security officials how to covertly install the FinFisher spy software on suspect's computers using iTunes' update procedures.

The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs.[4][5][12] Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch. Promotional videos used by the firm at trade shows which illustrate how to infect a computer with the surveillance suite were released by Wikileaks in December, 2011.[2]

Use by repressive regimes[edit | edit source]

Its wide use by governments facing political resistance was reported in August, 2012 after emails received by Bahraini activists were passed on by a Bloomberg reporter to computer researchers Bill Marczak, a graduate student, and Morgan Marquis-Boire, a researcher at the University of Toronto in May, 2012. Analysis of the emails revealed code, FinSpy, designed to install the spyware on the recipient's computer.[11][1] A spokesman for Gamma claims no software was sold to Bahrain and that the software detected by the researchers was not a legitimate copy but perhaps a stolen, reverse engineered, or modified demonstration copy. However, it does have substantial capabilities.[13]

Detection[edit | edit source]

Bill Marczak said of FinSpy mobile "As we saw with respect to the desktop version of Finfisher, antivirus alone isn't enough, as it bypassed antivirus scans."[14] Sara Yin predicts that antivirus vendors are likely to have updated their signatures to detect FinSpy mobile.[14] ESET have announced detection of the desktop FinFisher as Win32/Belesak.D Trojan,[15][16] and antivirus vendors have claimed they detect malware they know about regardless of origin or purpose.[17][16]

See also[edit | edit source]

References[edit | edit source]

  1. 1.0 1.1 1.2 1.3 Nicole Perlroth (August 30, 2012). "Software Meant to Fight Crime Is Used to Spy on Dissidents". The New York Times. http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html. Retrieved August 31, 2012. 
  2. 2.0 2.1 Vernon Silver (July 25, 2012). "Cyber Attacks on Activists Traced to FinFisher Spyware of Gamma". Bloomberg. http://www.bloomberg.com/news/2012-07-25/cyber-attacks-on-activists-traced-to-finfisher-spyware-of-gamma.html. Retrieved August 31, 2012. 
  3. 3.0 3.1 Jennifer Valentino-Devries (2011-11-21). "Surveillance Company Says It Sent Fake iTunes, Flash Updates". The Wall Street Journal. http://blogs.wsj.com/digits/2011/11/21/surveillance-company-says-it-sent-fake-itunes-flash-updates-documents-show/. Retrieved 2011-11-28. "Perhaps the most extensive marketing materials came from Gamma’s FinFisher brand, which says it works by “sending fake software updates for popular software,” from Apple, Adobe and others. The FinFisher documentation included brochures in several languages, as well as videos touting the tools." 
  4. 4.0 4.1 4.2 Christopher Williams (2011-11-24). "Apple iTunes flaw 'allowed government spying for 3 years'". The Daily Telegraph. Archived from the original on 2011-11-28. http://www.telegraph.co.uk/technology/apple/8912714/Apple-iTunes-flaw-allowed-government-spying-for-3-years.html. Retrieved 2011-11-28. "A British company called Gamma International marketed hacking software to governments that exploited the vulnerability via a bogus update to iTunes, Apple's media player, which is installed on more than 250 million machines worldwide." 
  5. 5.0 5.1 5.2 Marcel Rosenbach (2011-11-22). "Firm Sought to Install Spyware Via Faked iTunes Updates". Der Spiegel. Archived from the original on 2011-11-28. http://www.spiegel.de/international/germany/0,1518,799259,00.html. Retrieved 2011-11-28. "Apparently, at least according to a video promoting FinFisher, the software uses Apple's popular iTunes in order to load snooping software onto the computers of the intended suspects." 
  6. John Leyden (2011-09-21). "UK firm denies supplying spyware to Mubarak's secret police: RATs nest found in Egyptian spook HQ". The Register. Archived from the original on 2011-11-28. http://www.theregister.co.uk/2011/09/21/egypt_cyber_spy_controversy/. Retrieved 2011-11-28. "Documents uncovered when the country's security service headquarters were ransacked during the Arab Spring uprising suggest that Egypt had purchased a package called FinFisher to spy on dissidents." 
  7. "Portfolio". FinFisher IT Intrusion. Gamma Group. http://www.finfisher.com/FinFisher/en/portfolio.php. Retrieved August 31, 2012. "Gamma addresses ongoing developments in the IT Intrusion field with solutions to enhance the capabilities of our clients. Easy to use high-end solutions and techniques complement the intelligence community’s knowhow enabling it to address relevant Intrusion challenges on a tactical level." 
  8. "Portfolio". FinFisher IT Intrusion. Gamma Group. http://www.finfisher.com/FinFisher/en/portfolio.php. Retrieved August 31, 2012. "The Remote Monitoring and Deployment Solutions are used to access target Systems to give full access to stored information with the ability to take control of target systems' functions to the point of capturing encrypted data and communications. When used in combination with enhanced remote deployment methods, the Government Agencies will have the capability to remotely deploy software on target systems." 
  9. "Portfolio". FinFisher IT Intrusion. Gamma Group. http://www.finfisher.com/FinFisher/en/portfolio.php. Retrieved August 31, 2012. "The IT Intrusion Training Program includes courses on both, products supplied as well as practical IT Intrusion methods and techniques. This program transfers years of knowledge and experience to endusers, thus maximizing their capabilities in this field." 
  10. "News". Gamma Group. http://www.finfisher.com/FinFisher/en/news.php. Retrieved August 31, 2012. 
  11. 11.0 11.1 Nicole Perlroth (August 13, 2012). "Elusive FinSpy Spyware Pops Up in 10 Countries" (blog by reporter). The New York Times. http://bits.blogs.nytimes.com/2012/08/13/elusive-finspy-spyware-pops-up-in-10-countries/. Retrieved August 31, 2012. 
  12. Brian Krebs (2011-11-23). "Apple Took 3+ Years to Fix FinFisher Trojan Hole". Krebs on Security. Archived from the original on 2011-11-28. http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/. Retrieved 2011-11-28. "I first wrote about this vulnerability for The Washington Post in July 2008, after interviewing Argentinian security researcher Francisco Amato about “Evilgrade,” a devious new penetration testing tool he had developed." 
  13. Vernon Silver (July 27, 2012). "Gamma Says No Spyware Sold to Bahrain; May Be Stolen Copy". Bloomberg News. http://www.bloomberg.com/news/2012-07-27/gamma-says-no-spyware-sold-to-bahrain-may-be-stolen-copy.html. Retrieved August 31, 2012. 
  14. 14.0 14.1 Sara Yin (August 30, 2012). "Lessons Learnt From FinFisher Mobile Spyware". PC Magazine. http://securitywatch.pcmag.com/none/302174-lessons-learnt-from-finfisher-mobile-spyware. Retrieved September 3, 2012. 
  15. Cameron Camp (August 31, 2012). "FinSpy and FinFisher spy on you via your cellphone and PC, for good or evil?". ESET. http://blog.eset.com/2012/08/30/finfisher-helps-people-spy-on-you-via-your-cellphone-for-good-or-evil. Retrieved September 3, 2012. 
  16. 16.0 16.1 David Harley (August 31, 2012). "Finfisher and the Ethics of Detection". ESET. http://blog.eset.com/2012/08/31/finfisher-and-the-ethics-of-detection. Retrieved September 3, 2012. 
  17. Mathew J. Schwartz (August 31, 2012). "FinFisher Mobile Spyware Tracking Political Activists". Information Week. http://www.informationweek.com/tech-center/mobile-security/finfisher-mobile-spyware-tracking-politi/240006620. Retrieved September 3, 2012. 

External links[edit | edit source]

Template:Hacking in the 2010s Template:Malware

Community content is available under CC-BY-SA unless otherwise noted.