University of Toronto researchers say a commercial cyber-espionage program marketed as a way for governments to spy on criminals is being used for broader surveillance and can now take over a range of smartphones and other mobile computing devices.
“People are walking around with tools for surveillance in their pockets,” said researcher John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs, and the founder of The Voices Feeds, which helped activists get around Internet blockages during the Arab Spring.
“These are the tools that can be used to turn on your microphone and turn your phone into a tracking device,” Scott-Railton added.
A summary of a research project published Wednesday by the Citizen Lab at the Munk School of Global Affairs identified “several mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms.”
It said the version of the malware used to target Bahraini human rights activists in May appears to be a demonstration copy of FinFisher Mobile spyware made by the U.K.-based Gamma Group.
“This one is really, really bad,” said Dennis Portney, president of Chicago-based Security Forensics, Inc.
“The worst part of this story is that it was a legitimate organization that developed this application and the same organization, which is harming the public at large.”
“Now that FinFisher is in the public domain, every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind.”
Ron Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab, said surveillance malware is being sold by a number of private companies profiting from an escalating global cyber spying arms race.
Deibert charged that the industry lacks regulation and transparency and has not fully acknowledged responsibility for the consequences of its products falling into the wrong hands, or being used by governments to suppress dissidence.
The Citizen Lab report contains no information about whether any devices have been infected or whether individuals have been targeted.
But Deibert said the discovery of FinFisher spyware on public control servers across five continents suggests strongly that personal devices of pro-democracy activists are being compromised.
Gamma did not immediately respond to a request for comment but has acknowledged development of a mobile version of the spyware toolkit.
The company in a statement has said that it had not sold the software to Bahrain, but is investigating whether a demonstration copy had been stolen or “reverse engineered” by criminals.
Gamma says no operations or clients have been compromised — adding that it only sells to governments and their agencies and complies with export regulations.
Once installed from a link in an email, the FinFisher Mobile spyware can capture images of the user’s screen, remotely log keystrokes, eavesdrop on Skype calls, and even activate Web cameras, voice recorders and GPS tracking functions. The spyware, which can also steal files from a hard disk, is built to evade dozens of antivirus products.
In promotional material, the company says its spyware offers “world-class offensive techniques for information gathering . . . to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”
The spyware first gained notoriety in March 2011 after protesters in Egypt raided the country’s state security headquarters and found an offer to buy FinFisher for 287,000 euros.
This spring, pro-democracy Bahraini activists forwarded malicious emails to Citizen Lab for an analysis that found they contained FinSpy, part of the FinFisher spyware line. The term “FinSpy” itself appeared in the malware’s code.
Citizen Lab published a report on the findings suggesting that FinFisher technologies were being used for surveillance beyond suspected criminal activity.
A spokeswoman for Public Safety Minister Vic Toews said she could not comment on specifics, but said the Conservative government is “taking the steps necessary to protect Canadians by making significant investments in our cyber security strategy.
“This is in addition to the important resources allocated to our security organizations. Our government strongly encourages all Canadians to work with their technology providers to ensure they are protected from any malicious content.”
Xuxian Jiang, an assistant professor and computer science researcher at North Carolina State University, echoed statements from mobile device vendors including Waterloo-based BlackBerry maker Research In Motion Ltd., which advised users to only download apps from trusted sources, and to have updated anti-virus software running.
“Assuming technical analysis in the report is sound and trustworthy, I’d be very concerned on the number of infections out there and the fact that this particular piece of malware can infect multiple types of devices,” he added.
Boston-based cyber security research firm Rapid7 warned in a report that corporate IT staff should monitor systems for signs of communication with command and control servers running FinFisher.
“We think that they are most likely connected to the [FinFisher] infrastructure and are being run by different people across the globe,” the company said. It added that once the spyware is released on the Internet, samples will likely end up in the hands of cybercriminals who could build their own versions.