FinFisher or FinSpy is a piece of computer spyware designed to allow someone to spy on a computer or mobile phone. FinFisher is government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.

How do you get infected?

Most commonly, someone tricks you into clicking on a file. The file is FinSpy, but it is hidden inside another kind of file. Like a picture. Or a Word Document. You will see the document you expected, but clicking is enough to infect you silently.

What can be infected?

Windows, Mac, Linux, Android, iPhone, Nokia, Windows Phone, and Blackberry.

What can FinFisher do?

  • Steal passwords for your e-mail and your accounts like Facebook or Gmail
  • Read your chats
  • Listen to your calls on Skype
  • Listen to what is happening in the room secretly using the microphone or camera
  • Steal files from your computer, even files you have deleted

All of this information is sent to another computer (a “command and control server”) that is used by the person spying on you. Then the person can see the stolen information.

Who Makes FinFisher Spyware?

FinFisher is sold by a UK/German company called Gamma International.

Can I detect it with my AntiVirus?

AntiVirus and Anti-Spyware software will not detect FinSpy. It’s very hard to detect.

FinFisher is such a complex piece of malware that, like other researchers, Microsoft had to devise special methods to crack it. They needed to do this to understand the techniques FinFisher uses to compromise and persist on a machine and to validate the effectiveness of Office 365 ATP detonation sandbox, Windows Defender Advanced Threat Protection (Windows Defender ATP) generic detections, and other Microsoft security solutions.

This task proved to be nontrivial. FinFisher is not afraid of using all kinds of tricks, ranging from junk instructions and “spaghetti code” to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures. Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations. However, FinFisher is in a different category of malware for the level of its anti-analysis protection. It’s a complicated puzzle that can be solved by skilled reverse engineers only with a good amount of time, code, automation, and creativity. The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze.

FinFisher Spyware Versions

Security researchers from Kaspersky Lab have discovered new and improved versions of the FinFisher spyware.

The new versions, which target Android and iOS phones, have been in use since 2018, and the most recent FinFisher implants have been discovered active as late as last month, in Myanmar, a country amid multiple human rights abuse scandals.

The upgraded FinFisher (FinSpy) versions are now capable of collecting and exfiltrating a wide array of personal data from infected phones, such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, and data from the phone’s RAM.

Furthermore, the samples can also record phone calls and dump images and messages from popular instant messaging clients.

FnFisher has always had implants for both desktop and mobile operating systems, but these new versions targeting smartphones put the mobile implants on par with the more advanced desktop versions.

FinFisher Spyware Mobile Implant Capabilities

According to technical analysis of the new samples, the Android and iOS versions have nearly identical capabilities, according to Kaspersky, with a few differences here and there in regards to infection methodology and supported IM clients.

Per the Russian antivirus vendor, the Android IM clients from which FinFisher can dump and steal chats, pictures, videos, and contacts, include Facebook Messenger, Skype, Signal, BlackBerry Messenger, Telegram, Threema, Viber, WhatsApp, Line, and InstaMessage.

On iOS, supported clients are Facebook Messenger, Skype, Threema, Signal, InstaMessage, BlackBerry Messenger, but also WeChat. Furthermore, on iOS, the new FinFisher version can also record VoIP calls made through IM clients, such as WhatsApp, Skype, Line, Viber, WeChat, Signal, BlackBerry Messenger, and KakaoTalk.

As for infection capabilities, the new FinFisher implant for iOS doesn’t work with the newer iOS 12.x, but support has been added for future developments, suggesting the company is actively looking to improve its tool.

Clues in the iOS implant’s code suggest remote infection vectors such as SMS, email, or WAP Push don’t work unless the device has been jailbroken.

If the iPhone has not been jailbroken, Kaspersky says the only infection vector is through physical access to the device — as the implant contains code that has been fine-tuned to clean traces of publicly available jailbreaking tools and hide the jailbreaking operation from the phone’s owner.

Jailbreaking doesn’t play a big role in Android smartphones, though. Kaspersky researchers say the FinFisher Android variant will look for tools like SuperSU and Magisk that are installed on the user’s phone, or use the DirtyCow exploit, to get root privileges.

FinFisher IOS & Android Implants found in 20 countries

Since the detection of these new FinFisher implants for iOS and Android in late-2018, Kaspersky said they’ve identified infected phones across 20 countries.

While FinFisher mobile versions have existed for years, it’s desktop implants have been the ones that were usually being found in live infections, and not the mobile implants.

Notorious past incidents include when FinFisher was being deployed across two countries with the help of state-managed internet service providers; when the spyware was linked to the Indonesian government; or when FinFisher samples were found in war-torn Ukraine, presumably deployed by Russian hackers.

Where Is FinFisher Found?

Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.