FinFisher Mobile Spyware Variant Targets BlackBerry

  1. #1 ice2921

    It is not too often that we hear about spyware targeting BlackBerry devices, but when we do it is definitely something to keep an eye on. In today's world it is becoming more common to see malicious software targeting mobile devices. There are many types of malware out there, each designed to work in its own way. Some of the most common types of malware come in the form of what's called a trojan. A trojan masks itself as a legitimate program, but ultimately has intentions of doing harm or controlling whatever device it is released on. In most cases trojans are user initiated, either by a deceiving link in one's email or online via a website. A great example of a trojan can be seen in the recent fake BlackBerry ID email that has been circulating around.

    Even the mighty BlackBerry isn't exempt from the occasional malware threat. Researchers at the University of Toronto Munk School of Global Affairs' Citizen Lab have found a unique strain of malware called FinFisher that specifically targets mobile devices. The interesting thing about this particular piece of malware is its origin.

    A British company called the Gamma Group, which sells surveillance software, has been linked to this threat. Parts of its controversial FinFisher toolkit have been found in the research done by the researchers at the Citizen Lab. "Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit." FinSpy Mobile is the component of this product that specifically targets mobile devices. The Gamma Group markets the product as software to help law enforcement and government agencies catch criminals. However, many are wondering if that is really the case.

    Your phone is a wiretap

    Although its original intentions may have been favorable, FinSpy Mobile has now become a threat to the general public. FinSpy Mobile is more than just your average monitoring application; it provides the remote user with:


    • Recording of common communications like Voice Calls, SMS/MMS and Emails
    • Live Surveillance through silent calls
    • File Download (Contacts, Calendar, Pictures, Files)
    • Country Tracing of Target (GPS and Cell ID)
    • Full Recording of all BlackBerry Messenger communications
    • Covert Communications with Headquarters


    Now FinSpy has been found hidden in malware found in the wild. The Citizen Lab found traces in all major mobile operating systems, including BlackBerry. Prematurely sounding the alarm on something this big without proof would limit it to pure speculation. There is proof, and lots of it. Citizen Lab has broken down the malicious code so that the traces of FinSpy are revealed.

    How it works

    The malware that contains FinSpy is a trojan, which means it must be user initiated. The process is actually simple. A mobile device's user becomes infected when they are tricked into clicking on a link, which is typically labeled as some sort of system update. Once the user clicks and installs the update, they are infected.

    In the case of the BlackBerry, FinSpy has been found hidden in the following files:

    • rlc_channel_mode_updater.cod
    • rlc_channel_mode_updater-1.cod
    • rlc_channel_mode_updater.jad


    All of these files are legitimately signed by RIM's BlackBerry Apps API (RBB), RIM Crypto API (RCR), and RIM Runtime API (RRT). This means that the files now have full access to all the major functions of the phone. Further analysis of the .jad file by the Citizen Lab showed FinSpy control server URLs and phone numbers.

    Within the samples that Citizen Lab was given, the user would be prompted with the following screen prompt to install the "update":



    The application then requests advanced permissions, asking for "allow" on all categories. After requesting permissions, the application immediately attempts to connect to remote command and control servers to begin recording user information, as shown in the following log files also discovered by the researchers at Citizen Lab:

    • net.rmi.device.api.fsmbb.phone.PhoneInterface – connecting to http://demo-01.gamma-international.d...eviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX


    The sophistication of this trojan is pretty clear, and clever. Now that the attacker has the application installed on the device, they can sit back and monitor the user's every move.

    Click happy users beware

    As mentioned previously, this type of malware is a trojan and must be user initiated. It must be allowed by the end user. Although this particular malware does not spread like a virus, it is still very effective, because many users will click on just about anything. It seems as though most people's natural instinct is to just click on anything that comes their way. To protect against something like this, always double check the source of the link that you are clicking.

    RIM issued this statement, "BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications. We recommend customers only download applications from trusted sources to help protect against potentially malicious software."
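    As an added example (not code from the original post, from Citizen Lab, or from Gamma): a small Python triage script covering the two artifacts the post describes. It parses a BlackBerry .jad descriptor and pulls out the referenced .cod module names, URLs and phone numbers, flagging the rlc_channel_mode_updater module names listed above, and it classifies device log lines from the net.rmi.device.api.fsmbb loggers quoted above into C2 connection attempts, SMS heartbeats and SMS beacons. The sample .jad and log lines are constructed for the example: the download host, the C2 host and the Update-Contact attribute carrying a phone number are placeholders, not real indicators, and the assumption that a 15-digit heartbeat field is a device identifier is only a guess noted in a comment.

```python
import re

# Indicators quoted in the post above: the dropper's .cod module names and the
# Java package prefix shared by every FinSpy Mobile log line.
FINSPY_MODULES = {"rlc_channel_mode_updater.cod", "rlc_channel_mode_updater-1.cod"}
FINSPY_LOG_PREFIX = "net.rmi.device.api.fsmbb"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+\d{7,15}")
LOG_RE = re.compile(r"^(?P<logger>\S+) [–-] (?P<msg>.*)$")
HEARTBEAT_RE = re.compile(
    r"Heartbeat type (?P<type>\d+) \((?P<ts>\d+)\)\+ (?P<kind>\w+) hb content: (?P<fields>.*)"
)
SMS_RE = re.compile(r"texting to: //(?P<number>\+?[\dX]+) msg: (?P<msg>\S+)")


def parse_jad(text):
    """Parse a J2ME/BlackBerry .jad descriptor ('Key: value' per line) into a dict."""
    attrs = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    return attrs


def jad_indicators(attrs):
    """Extract modules/urls/phones from a parsed .jad.

    'modules' is the subset of .cod files referenced by RIM-COD-URL* attributes
    whose name matches the FinSpy dropper names from the post. URLs and phone
    numbers are taken from every attribute value, because the post reports both
    in the .jad without naming the attributes that carried them.
    """
    modules, urls, phones = set(), set(), set()
    for key, value in attrs.items():
        if key.startswith("RIM-COD-URL") and value.rsplit("/", 1)[-1] in FINSPY_MODULES:
            modules.add(value.rsplit("/", 1)[-1])
        urls.update(URL_RE.findall(value))
        phones.update(PHONE_RE.findall(value))
    return {"modules": sorted(modules), "urls": sorted(urls), "phones": sorted(phones)}


def scan_log(lines):
    """Classify log lines emitted by loggers under FINSPY_LOG_PREFIX; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("logger").startswith(FINSPY_LOG_PREFIX):
            continue
        logger, msg = m.group("logger"), m.group("msg")
        hb, sms = HEARTBEAT_RE.search(msg), SMS_RE.search(msg)
        if "connecting to" in msg:
            urls = URL_RE.findall(msg)
            events.append({"event": "c2_connect", "logger": logger,
                           "url": urls[0] if urls else None, "failed": "failed" in msg})
        elif hb:
            fields = hb.group("fields").split("/")
            # Assumption: the 15-digit numeric fields look like device identifiers
            # (IMEI-length); the post does not say what they are.
            ids = [f for f in fields if f.isdigit() and len(f) == 15]
            events.append({"event": "heartbeat", "logger": logger, "kind": hb.group("kind"),
                           "type": int(hb.group("type")), "fields": fields, "possible_ids": ids})
        elif sms:
            events.append({"event": "sms_beacon", "logger": logger, "number": sms.group("number")})
        else:
            events.append({"event": "other", "logger": logger, "msg": msg})
    return events


# Constructed sample input modelled on the artifacts quoted in the post.
SAMPLE_JAD = """\
MIDlet-Name: rlc_channel_mode_updater
MIDlet-Version: 1.0.0
RIM-COD-URL: http://update.example.invalid/rlc_channel_mode_updater.cod
RIM-COD-URL-1: http://update.example.invalid/rlc_channel_mode_updater-1.cod
RIM-COD-Module-Name: rlc_channel_mode_updater
Update-Contact: +12125550100
"""

SAMPLE_LOG = """\
net.rmi.device.api.fsmbb.phone.PhoneInterface – connecting to http://c2.example.invalid/;deviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
net.rim.device.api.system.Application – benign application log line, not a FinSpy logger
"""

if __name__ == "__main__":
    print(jad_indicators(parse_jad(SAMPLE_JAD)))
    for ev in scan_log(SAMPLE_LOG.splitlines()):
        print(ev)
```

    On a real device dump you would feed it the event log export and the .jad that came with the "update"; a hit on the module names or on any logger under the fsmbb prefix is enough reason to pull the device for a closer look.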




  2. #2 Joe Jerde (Owner | President)
    There are so many users out there that will just click on anything that moves. Good article.


  3. #3 Zeldafan1993
    Is there any way to tell or detect if your phone has this??

  4. #4 ice2921
    The only way this type of malware could enter your phone would be if you told it to install. The main thing with these types of malware is to be careful what you are installing.
