The spyware, also referred to as FinSpy and allegedly used by many governments across the globe, can turn on a device’s microphone, track its location, and monitor emails, SMS and voice calls made and received through the phone, the report claims. The report also claims that the spyware can record full BlackBerry Messenger conversations. FinSpy has attracted a lot of attention since traces of it turned up in nearly 10 countries about two weeks ago.
“Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product,” the Citizen Lab notes on its website.
The report outlines an extensive analysis of samples of the apps and packages for different mobile platforms. In the case of iOS devices, the report claims, FinSpy can run on the iPhone 4 and 4S; iPad 1, 2 and 3; iPod touch 3 and 4; and effectively all iOS versions 4.0 and above.
The analysis revealed that a developer certificate bound to Gamma’s MD, Martin Muench, is being used (as shown in the screenshot below).
Once installed, the spyware appears to log calls, enumerate locations and intercept SMS, and probably sends base64-encoded data about the device (including the IMEI, IMSI, etc.) to a remote cellular number.
In the case of Android devices, the spyware is delivered as an APK file and installs itself as “Android Services”. The app requests a large set of permissions, including access to coarse location, read SMS, read contacts, write SMS, process outgoing calls, modify phone state, receive MMS, etc.
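The permission list above is the kind of thing an analyst checks first when triaging an unknown APK. The following script is an added example and is not code from the report or from Citizen Lab: it takes an AndroidManifest.xml that has already been decoded to text (for instance with apktool), collects the requested permissions, and flags a package that asks for several of the surveillance-oriented permissions the article lists. The two manifests at the bottom are constructed samples, not the real "Android Services" manifest, and the threshold of four is an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used on manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permissions the article lists for the "Android Services" package.
# Each has legitimate uses on its own; the combination is the signal.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_SMS",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.MODIFY_PHONE_STATE",
    "android.permission.RECEIVE_MMS",
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def app_label(manifest_xml: str) -> str:
    """Return the user-visible application label, or '' if none is declared."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(ANDROID_NS + "label", "") if app is not None else ""


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag a package requesting `threshold` or more surveillance permissions.

    `threshold` is an assumed cut-off for this example, not a value from the report.
    """
    hits = sorted(requested_permissions(manifest_xml) & SURVEILLANCE_PERMS)
    return {
        "label": app_label(manifest_xml),
        "hits": hits,
        "suspicious": len(hits) >= threshold,
    }


# Constructed sample: mirrors the permission set described in the article.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.services">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Android Services"/>
</manifest>"""

# Constructed sample: an ordinary network-using app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("spyware-like", SPYWARE_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: label={result['label']!r} suspicious={result['suspicious']} hits={result['hits']}")
```

The check is deliberately a combination rule rather than a single-permission rule: a weather app legitimately asks for coarse location, so the benign sample scores one hit and is not flagged, while the spyware-like sample matches all seven.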
As shown in the hexdump below, two domain names, demo-de.gamma-international.de and ff-demo.blogdns.org, are visible, which indicates that this is a pre-production or demo version of the FinSpy Mobile tool.
On BlackBerry, the spyware presents itself as an app from TellCOM Systems LTD. The BlackBerry sample consists of the following three files: rlc_channel_mode_updater.cod, rlc_channel_mode_updater-1.cod and rlc_channel_mode_updater.jad. On analysis, the .jad file was found to contain configuration parameters such as the URL of the C&C server, TCP ports, phone numbers, identifiers for the Trojan and the target, etc.
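Both of the previous two paragraphs come down to the same defensive task: pulling network indicators out of a sample, whether they sit in a binary (the hexdump showing the two demo domains) or in a plain-text .jad descriptor. The script below is an added example written for this article, not code from the report. It extracts hostname-like strings from an arbitrary byte blob and parses a .jad file's `Key: value` lines. The blob and the .jad text are constructed samples: the two domain names are the ones the article names, but the surrounding bytes, the `c2.example.invalid` host, the port value and the non-standard keys `Server-URL` and `TCP-Port` are placeholders, since the report's actual key names are not given here.

```python
import re

# A hostname candidate: one or more dot-terminated labels followed by an
# alphabetic TLD, not glued to other hostname characters or underscores
# (the underscore rule keeps "rlc_channel_mode_updater.jar" from yielding "updater.jar").
DOMAIN_RE = re.compile(
    rb"(?<![A-Za-z0-9._-])"
    rb"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    rb"[A-Za-z]{2,}"
    rb"(?![A-Za-z0-9._-])"
)


def extract_domains(blob: bytes) -> set:
    """Return lower-cased hostname candidates found anywhere in a binary blob."""
    return {m.group().decode("ascii").lower() for m in DOMAIN_RE.finditer(blob)}


def parse_jad(text: str) -> dict:
    """Parse a J2ME .jad descriptor: 'Key: value' lines, '#' comments ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        params[key.strip()] = value.strip()
    return params


def jad_network_indicators(params: dict) -> dict:
    """Pull hosts and numeric port values out of .jad parameters for IOC review."""
    hosts = set()
    ports = set()
    for key, value in params.items():
        hosts |= extract_domains(value.encode("ascii", "ignore"))
        # Treat any key mentioning 'port' with an all-digit value as a TCP port.
        if "port" in key.lower() and value.isdigit():
            ports.add(int(value))
    return {"hosts": hosts, "ports": ports}


# Constructed blob standing in for the hexdumped binary: a fake header, some
# junk bytes, and the two domains the article reports seeing.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00\x00\x00"
    b"demo-de.gamma-international.de\x00"
    b"\xde\xad\xbe\xef version 1.0.2\x00"
    b"ff-demo.blogdns.org\x00"
    b"\xff\xfe\x00"
)

# Constructed .jad text; MIDlet-* keys are standard J2ME attributes, the
# Server-URL and TCP-Port keys are hypothetical names for this example.
SAMPLE_JAD = """\
MIDlet-Name: rlc_channel_mode_updater
MIDlet-Vendor: TellCOM Systems LTD
MIDlet-Version: 1.0
MIDlet-Jar-URL: rlc_channel_mode_updater.jar
Server-URL: http://c2.example.invalid/
TCP-Port: 4443
"""


if __name__ == "__main__":
    print("domains in blob:", sorted(extract_domains(SAMPLE_BLOB)))
    params = parse_jad(SAMPLE_JAD)
    print("vendor:", params["MIDlet-Vendor"])
    print("jad indicators:", jad_network_indicators(params))
```

Running the same regex over binary data and over descriptor values means one indicator list covers both file types; the output is a review list for an analyst, not a verdict, since any dot-separated string with an alphabetic suffix will be offered as a candidate.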
Once the user grants it permission, the app carries on with what it does best: spying. The report says that, on decompiling the app, the following modules were found to be instantiated:
net.rmi.device.api.fsmbb.core.listener.MessengerObserver (Module #68)
The report goes on to explain the results of the analysis of the Windows Phone and Symbian apps.