Mobile Trojans Rear Their Head, Repressive Governments Go For Their Checkbooks

Between February and March of 2011, at the height of Egypt’s tumultuous revolution, protesters stormed the offices of their feared State Security Investigations Service in Alexandria and Sixth of October city, on the edge of Cairo. It was there, amongst evidence of detentions, torture and surveillance at SSIS’s headquarters, that information first came to light regarding a sales pitch by UK-based Gamma Group to Egypt’s security agency for their FinFisher spyware.

FinFisher, for those who may not be familiar, is a powerful piece of spyware long admired within cybersecurity circles. It’s capable of logging keystrokes, accessing and exporting a compromised computer’s files, and intercepting encrypted data such as Skype calls. That Gamma would have at some point presented their product to Egypt’s government is not truly surprising, considering that many Western nations regularly provided military assistance and technology to the country. Regardless, privacy activists were troubled by the find, as they pointed to the unregulated nature of such security products.

It was months later in early 2012, when samples of FinFisher were discovered on computers belonging to Bahraini human rights activists, that privacy experts’ fears were realized. Bahrain, having become another flashpoint of the Arab Spring that swung across the region, experienced violent acts of repression against its citizens, and the discovery of the spyware was only another indication that any persons of interest were under surveillance. The malware had been transmitted to these individuals via email as trojans, stored within .jpg files that were actually executable programs within .rar files, with such tempting subject lines as “torture report” sent by accounts masquerading as those of real journalists.

With solid evidence of the malware’s existence in the wild, it was at this point that several parties became involved in the investigation of FinFisher, including researchers at Citizen Lab and Rapid7. Evidence from the infected computers in Washington, London, and Manama was gathered, and Rapid7 was able to map out the control structure for the malware’s servers located in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, the U.S., Mongolia, Latvia, and Dubai. The story surfaced in American media when it was revealed that one of the servers included a popular Amazon cloud service in the U.S. Researchers with Rapid7 found that all of the controlling servers shared one common trait: all responded to data pings with the cryptic message “Hallo Steffi.”

Both Bahrain’s government and Gamma denied any inappropriate use of spyware tools, and the examined code did in fact confirm that many instances of the FinFisher/FinSpy malware were branded as “demo,” or trial versions, though the geographical location of a controlling server in Manama, Bahrain’s capital, left many uncomfortable questions unanswered.

__

What’s interesting about malware is that, like a pathogen, there can be more than one way for it to spread, and in the case of FinFisher the latest research produced by Citizen Lab presents evidence that its mobile variant, FinSpy, has made its way onto mobile phones. The latest report points to mobile Trojans built to infect iOS, Android, BlackBerry, Windows Mobile, and even Symbian. According to research, this mobile malware has equally impressive capabilities to its desktop big brother, with the ability to record live voice calls, text and email, track the device via GPS, as well as export contacts, calendars, pictures, and other files stored in device memory.

Since Egypt’s revolution, when it was revealed that telecoms provider Vodafone had provided Mubarak’s government with records which led to the arrest of activists there, privacy experts have kept a close eye on the behavior of repressive regimes and any complicity by telephony companies. Likewise, in the U.S. wireless carriers have been criticized for cooperating with warrantless requests for customer’s data. Yet, the existence of mobile trojans such as FinSpy potentially turn this issue on its head, as there would be a way to circumvent carriers entirely.

Upon examining FinSpy’s behavior, Citizen Lab was also able to locate additional control servers, including two in Brunei, one in Turkmenistan’s Ministry of Communications, one in the Netherlands, another in Indonesia, two in Singapore, and an additional server in Bahrain. As with earlier research on the FinFisher desktop malware, FinSpy’s code contained clear references back to Gamma, and the spyware — and, as with the earlier samples of FinFisher, the samples of the mobile tool included demo versions, as well as those in active use in the wild.

These latest findings also impact anonymity efforts by such groups as the Guardian Project and Whisper Systems, both of which offer tools for users to add an extra layer of security to their mobile functions. In the case of Orbot, which is the mobile variant of the popular Tor project available for desktops, the group states that their tools are most effective in safeguarding users on “hostile” networks, rather than ones infected with malware such as FinSpy:

Through the Tor software it is built upon, Orbot defends against network surveillance and logging by the mobile operators, WiFi hotspot or local network administrators, other users on a public wifi network, and government/state-wide surveillance infrastructure.

However, Orweb browser, our minimalist privacy app that works automatically with Orbot, could help on a FinSpy infected device, because it keeps no local logs of browsing history, and is a separate app from the default web browser. If FinSpy was looking for browsing history in order to get access to logins, passwords, conversations, and other data, it wouldn’t find it with Orweb. This is the same with our secure chat app, Gibberbot, which keeps no logs of past chats, and does not persist buddy lists beyond the current session. The next release will also encrypt all local data, keys, account information, etc related to instant messaging activity.

Of course, the findings presented by Citizen Lab are all recent, so battling malware the likes of Gamma’s FinSpy may yet prove possible. While companies like Gamma International market their products for legitimate crime fighting operations, what these latest findings represent is yet more potential for security tools to be misused by a malicious party. With continued surveillance scenarios in countries with repressive regimes, such as Syria or Belarus, the consequences of this type of spyware is far beyond anecdotal.

In the case of Syria, mobile communication and VoIP services such as Skype has proved essential in documenting violent repression against citizens. While the work of NGOs such as Women Under Siege, which recently produced a crowdsourced map of rape cases in that country, are only complicated by the potential for mobile versions of malware targeting Syrians.

Meanwhile, organizations such as Privacy International are pressuring the British government for greater export controls over surveillance technology, going so far as to threaten legal action. Ultimately, it seems likely that effective controls over powerful mobile malware may rely on a mixture of government action, new preventative products for mobile platforms by companies such as Symantec, as well as greater awareness on the part of individuals to potential hazards.

Author’s note: In researching the potential impact of mobile trojans on anonymity tools, I also contacted Whisper Systems for their take on FinSpy. Information will be updated once it is available. Special thanks to Morgan Marquis-Boire, Lauren Wolfe, Eva Galperin, Katherine Maher, and Nathan Freitas for their time.