BlackBerryOS.com - FinFisher Mobile Spyware Variant Targets BlackBerry


    It is not often that we hear about spyware targeting BlackBerry devices, but when we do it is definitely something to keep an eye on. Malicious software targeting mobile devices is becoming more common, and there are many types of malware out there, each designed to work in its own way. One of the most common types is what's called a trojan. A trojan masks itself as a legitimate program but ultimately intends to do harm to, or take control of, whatever device it is installed on. In most cases trojans are user-initiated, either by a deceptive link in one's email or via a website. A good example of a trojan is the recent fake BlackBerry ID email that has been circulating.

    Even the mighty BlackBerry isn't exempt from the occasional malware threat. Researchers at the University of Toronto Munk School of Global Affairs' Citizen Lab have found a distinctive strain of malware called FinFisher that specifically targets mobile devices. The interesting thing about this particular piece of malware is its origin.

    A British company called the Gamma Group, which sells surveillance software, has been linked to this threat: parts of its controversial FinFisher toolkit were identified in the Citizen Lab analysis. "Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit." FinSpy Mobile is the component of the product that specifically targets mobile devices. The Gamma Group markets it as software that helps law enforcement and government agencies catch criminals. However, many are wondering whether that is really the case.

    Your phone is a wire tap

    Although its original intentions may have been favorable, FinSpy Mobile has now become a threat to the general public. FinSpy Mobile is more than just your average monitoring application; according to its own product documentation it provides the remote operator with:


    • Recording of common communications like Voice Calls, SMS/MMS and Emails
    • Live Surveillance through silent calls
    • File Download (Contacts, Calendar, Pictures, Files)
    • Country Tracing of Target (GPS and Cell ID)
    • Full Recording of all BlackBerry Messenger communications
    • Covert Communications with Headquarters


    FinSpy has now been found hidden in malware samples in the wild. Citizen Lab found traces of it for all major mobile operating systems, including BlackBerry. Sounding the alarm on something this big without proof would be pure speculation; here there is proof, and plenty of it. Citizen Lab has taken the malicious code apart and shown exactly where FinSpy's traces appear.

    How it works

    The malware that contains FinSpy is a trojan, which means it must be user-initiated. The process is actually simple. A mobile device's user becomes infected when they are tricked into clicking on a link, typically labeled as some sort of system update. Once the user clicks and installs the "update", they are infected.

    In the case of BlackBerry, FinSpy has been found hidden in the following files:

    • rlc_channel_mode_updater.cod
    • rlc_channel_mode_updater-1.cod
    • rlc_channel_mode_updater.jad


    All of these files are signed with RIM's code-signing keys: the BlackBerry Apps API (RBB), RIM Crypto API (RCR) and RIM Runtime API (RRT) keys. Those signatures are what allow an application to call the controlled RIM APIs that reach the phone's major functions (phone, messaging, contacts and so on). They are issued to any registered developer and do not mean RIM reviewed the code, so a signed "updater" can still be spyware; the user is still asked to grant the application's permissions, as described below. Further analysis of the .jad descriptor by Citizen Lab turned up FinSpy control-server URLs and phone numbers.
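    The .jad descriptor named above is the piece a responder looks at first: it is a plain-text list of "Key: Value" attributes, and the RIM-specific keys tell the device which .cod modules to fetch, from where, and what size and SHA-1 each should have. The following is an added example (not code from the BlackBerryOS post, Citizen Lab, or Gamma) that parses such a descriptor, resolves where each module is downloaded from, and verifies the fetched modules against the descriptor's RIM-COD-Size/RIM-COD-SHA1 values. The descriptor contents and module bytes are constructed for the example; only the module and file names are taken from the post. The space-separated hex form of RIM-COD-SHA1 is assumed (the parser also accepts a plain hex string).

```python
"""Parse a BlackBerry .jad descriptor and verify the .cod modules it names.

Added example: not code from the original post or from Citizen Lab/Gamma.
"""
import hashlib
import re
from urllib.parse import urljoin

# Constructed .cod contents. Only the file names come from the post.
SAMPLE_COD = {
    "rlc_channel_mode_updater.cod": b"constructed cod module 0 " * 4,
    "rlc_channel_mode_updater-1.cod": b"constructed sibling module 1 " * 2,
}


def _rim_sha1(data):
    """Format a digest as space-separated hex bytes (assumed .jad layout)."""
    h = hashlib.sha1(data).hexdigest()
    return " ".join(h[i:i + 2] for i in range(0, len(h), 2))


# Constructed descriptor; vendor and name values are made up for the example.
SAMPLE_JAD = "\n".join([
    "MIDlet-Name: System Update",
    "MIDlet-Version: 1.0.0",
    "MIDlet-Vendor: Example Vendor",
    "RIM-COD-Module-Name: rlc_channel_mode_updater",
    "RIM-COD-URL: rlc_channel_mode_updater.cod",
    "RIM-COD-Size: %d" % len(SAMPLE_COD["rlc_channel_mode_updater.cod"]),
    "RIM-COD-SHA1: " + _rim_sha1(SAMPLE_COD["rlc_channel_mode_updater.cod"]),
    "RIM-COD-URL-1: rlc_channel_mode_updater-1.cod",
    "RIM-COD-Size-1: %d" % len(SAMPLE_COD["rlc_channel_mode_updater-1.cod"]),
    "RIM-COD-SHA1-1: " + _rim_sha1(SAMPLE_COD["rlc_channel_mode_updater-1.cod"]),
]) + "\n"


def parse_jad(text):
    """Return the descriptor's 'Key: Value' attributes as a dict."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    return attrs


def cod_entries(attrs):
    """List (index, url, size, sha1hex) for RIM-COD-URL, RIM-COD-URL-1, ..."""
    entries = []
    for key, url in attrs.items():
        m = re.fullmatch(r"RIM-COD-URL(?:-(\d+))?", key)
        if not m:
            continue
        idx = int(m.group(1)) if m.group(1) else 0
        suffix = "-%d" % idx if idx else ""
        size = attrs.get("RIM-COD-Size" + suffix)
        sha1 = attrs.get("RIM-COD-SHA1" + suffix)
        entries.append((idx, url,
                        int(size) if size else None,
                        sha1.replace(" ", "").lower() if sha1 else None))
    return sorted(entries)


def module_origins(attrs, jad_url):
    """Absolute URLs the device would fetch each .cod from, given the .jad URL."""
    return [urljoin(jad_url, url) for _, url, _, _ in cod_entries(attrs)]


def verify_modules(attrs, fetch):
    """fetch(url) -> bytes. Compare each module to the descriptor's size/SHA-1."""
    results = []
    for idx, url, size, sha1 in cod_entries(attrs):
        data = fetch(url)
        actual = hashlib.sha1(data).hexdigest()
        results.append({
            "index": idx,
            "url": url,
            "size_ok": size is None or size == len(data),
            "sha1_ok": sha1 is not None and sha1 == actual,
            "sha1": actual,
        })
    return results


if __name__ == "__main__":
    attrs = parse_jad(SAMPLE_JAD)
    print("Module:", attrs.get("RIM-COD-Module-Name"), "| Shown as:", attrs.get("MIDlet-Name"))
    for origin in module_origins(attrs, "http://example.invalid/updates/x.jad"):
        print("fetches", origin)
    for r in verify_modules(attrs, SAMPLE_COD.__getitem__):
        print(r["url"], "size_ok=%s sha1_ok=%s" % (r["size_ok"], r["sha1_ok"]), r["sha1"])
```

    In practice `fetch` would read the .cod files pulled from the device or from the download server; a hash that matches the descriptor only tells you the modules are the ones the descriptor intended to ship, which is useful for matching samples across victims, not for deciding that they are benign.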

    In the samples Citizen Lab was given, the user is shown an install prompt for the "update" (screenshot omitted).

    The application then requests advanced permissions, asking the user to allow every category. Once permissions are granted, the application immediately attempts to connect to its remote command-and-control servers and begins reporting user information, as shown in the following log lines, also recovered by the researchers at Citizen Lab:

    • net.rmi.device.api.fsmbb.phone.PhoneInterface – connecting to http://demo-01.gamma-international.d...eviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
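    Log lines like these are exactly what a responder wants to sweep a device's event log for: the `fsmbb` logger names, the control-server host the implant tries to reach, the phone number it texts heartbeats to, and the heartbeat timestamps. The block below is an added example (not the post's or Citizen Lab's code) of that triage run over constructed log lines in the same shape as the ones quoted above. The control-server URL is truncated in the post, so a placeholder host (`c2.example.invalid`) and a placeholder number are used; the meaning of the slash-separated heartbeat fields is not documented in the post, so they are kept as opaque strings (the 15-digit values only resemble device identifiers).

```python
"""Triage BlackBerry event-log lines for FinSpy Mobile indicators.

Added example; the log lines are constructed in the shape quoted in the post.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample log. Host and phone number are placeholders.
SAMPLE_LOG = """\
net.rmi.device.api.fsmbb.phone.PhoneInterface - connecting to http://c2.example.invalid:80/fsmbb?deviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS - Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
net.rmi.device.api.fsmbb.core.com.SMSCommunication - 1346097743 Success: texting to: //+15550000001 msg: XXXXX
net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS - Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
net.rmi.device.api.fsmbb.core.com.SMSCommunication - 1346097743 Success: texting to: //+15550000001 msg: XXXXX
com.example.app.MainScreen - ordinary application log line, unrelated to FinSpy
"""

# "<logger> - <message>"; the post renders the separator as an en dash.
LINE_RE = re.compile(r"^(?P<logger>\S+)\s[\u2013-]\s(?P<msg>.*)$")
CONNECT_RE = re.compile(r"connecting to (?P<url>\S+)")
FAIL_RE = re.compile(r"failed: (?P<exc>[\w.$]+):")
HEARTBEAT_RE = re.compile(
    r"Heartbeat type (?P<type>\d+) \((?P<ts>\d+)\)\+ (?P<kind>core|extended) hb content: (?P<content>.*)$")
SMS_RE = re.compile(r"(?P<ts>\d+) Success: texting to: /*(?P<number>\+?\d+) msg:")


def to_utc(ts):
    """Epoch value from the log (13-digit ms or 10-digit s) -> aware datetime."""
    ts = int(ts)
    if ts > 10 ** 11:          # millisecond precision, as in the heartbeat lines
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(log_text, marker="fsmbb"):
    """Collect indicators from every line whose logger name contains `marker`."""
    iocs = {
        "loggers": Counter(),    # which implant components logged
        "hosts": Counter(),      # control-server hosts contacted
        "errors": Counter(),     # exception classes on failed connections
        "numbers": Counter(),    # SMS destinations (heartbeat channel)
        "heartbeats": [],        # parsed heartbeat records
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or marker not in m["logger"]:
            continue
        msg = m["msg"]
        iocs["loggers"][m["logger"]] += 1
        c = CONNECT_RE.search(msg)
        if c:
            iocs["hosts"][urlparse(c["url"]).hostname] += 1
            f = FAIL_RE.search(msg)
            if f:
                iocs["errors"][f["exc"]] += 1
        h = HEARTBEAT_RE.search(msg)
        if h:
            iocs["heartbeats"].append({
                "type": int(h["type"]),
                "kind": h["kind"],
                "when": to_utc(h["ts"]),
                # Field layout is undocumented here; keep the raw fields.
                "fields": h["content"].strip().split("/"),
            })
        s = SMS_RE.search(msg)
        if s:
            iocs["numbers"][s["number"]] += 1
    return iocs


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("implant loggers:", dict(r["loggers"]))
    print("C2 hosts:", dict(r["hosts"]), "errors:", dict(r["errors"]))
    print("SMS heartbeat numbers:", dict(r["numbers"]))
    for hb in r["heartbeats"]:
        print(hb["kind"], "heartbeat type", hb["type"], "at", hb["when"].isoformat(), hb["fields"])
```

    The host and number counters are the indicators worth turning into blocklist and SMS-gateway entries; the heartbeat timestamps give you the first-seen time of the infection on that device.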


    The sophistication of this trojan is clear, and clever. Once the attacker has the application installed on the device, they can sit back and monitor the user's every move.

    Click happy users beware

    As mentioned previously, this type of malware is a trojan and must be user-initiated: the end user has to allow it. Although this particular malware does not spread like a virus, it is still very effective, because many users will click on just about anything. It seems that most people's natural instinct is to click on whatever comes their way. To protect against something like this, always double-check the source of any link before you click it, and be especially wary of "system updates" delivered by email or SMS link rather than through the carrier or BlackBerry World.

    RIM issued this statement, "BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications. We recommend customers only download applications from trusted sources to help protect against potentially malicious software."


    This article was originally published in forum thread: FinFisher Mobile Spyware Variant Targets BlackBerry, started by ice2921.

