Kaspersky experts have uncovered new versions of the advanced malicious
surveillance tool FinSpy. The new implants work on both iOS and Android
devices, can monitor activity on almost all popular messaging services,
including encrypted ones, and hide their traces better than before. The tools
allow attackers to spy on all device activities and exfiltrate sensitive data
such as GPS location, messages, pictures, calls and more.
FinSpy is an extremely effective software tool for targeted surveillance
that has been observed stealing information from international NGOs,
governments and law enforcement organisations all over the world. Its operators
can tailor the behaviour of each malicious FinSpy implant to a specific target
or group of targets.
The basic functionality of the malware includes almost unlimited
monitoring of the device’s activities, such as geolocation, all incoming and
outgoing messages, contacts, media stored on the device, and data from popular
messaging services like WhatsApp, Facebook Messenger or Viber. All the
exfiltrated data is transferred to the attacker via SMS messages or the HTTP
protocol.
The latest known versions of the malware extend the surveillance
functionality to additional messaging services, including those considered ‘secure’,
such as Telegram, Signal or Threema. They are also more adept at covering their
tracks. For instance, the iOS malware, which targets iOS 11 and older versions, can
now hide signs of jailbreak, while the new version for Android contains an
exploit capable of gaining root privileges – almost unlimited, complete access
to all files and commands – on an unrooted device.
Based on the information available to Kaspersky, in order to
successfully infect both Android and iOS-based devices, attackers need either
physical access to the phone or an already jailbroken/rooted device. For
jailbroken/rooted phones there are at least three possible infection vectors:
SMS message, email, or push notifications.
According to Kaspersky telemetry, several dozen mobile devices have been
infected over the past year.
“The developers behind FinSpy constantly monitor security updates for
mobile platforms and tend to quickly change their malicious programmes to avoid
their operation being blocked by fixes. Moreover, they follow trends and
implement functionality to exfiltrate data from applications that are currently
popular. We observe victims of the FinSpy implants on a daily basis, so it’s
worth keeping an eye on the latest platform updates and installing them as soon as
they are released. Because, regardless of how secure the apps you use might be,
and how protected your data, once the phone is rooted or jailbroken, it is wide
open to spying,” said Alexey Firsh, security researcher at Kaspersky.
To avoid falling victim to FinSpy, Kaspersky researchers advise users:
- Do not leave your smartphone or tablet unlocked and always make sure nobody is able to see your PIN code when you enter it
- Do not jailbreak or root your device since it will make an attacker’s job easier
- Only install mobile applications from official app stores, such as Google Play
- Do not follow suspicious links sent to you from unknown numbers
- In your device settings, block the installation of programmes from unknown sources
- Avoid disclosing the password or passcode to your mobile device, even with someone you trust
- Never store unfamiliar files or applications on your device, as they could harm your privacy
- Download a proven security solution for mobile devices, such as Kaspersky Internet Security for Android.
Read the full report on Securelist.com