• FinFisher Mobile Spyware Variant Targets BlackBerry

    It is not often that we hear about spyware targeting BlackBerry devices, but when we do it is definitely something to keep an eye on. Malicious software aimed at mobile devices is becoming more common, and it comes in many forms, each designed to work in its own way. One of the most common is the trojan: a program that masquerades as something legitimate but is actually built to do harm to, or take control of, whatever device it is installed on. In most cases a trojan is user initiated, usually via a deceptive link in an email or on a website. The fake BlackBerry ID email that has recently been circulating is a good example of how a trojan gets delivered.

    Even the mighty BlackBerry isn't exempt from the occasional malware threat. Researchers at the University of Toronto Munk School of Global Affairs' Citizen Lab have found a strain of malware called FinFisher that specifically targets mobile devices. The interesting thing about this particular piece of malware is its origin.

    A British company called the Gamma Group, which sells surveillance software, has been linked to this threat. Parts of its controversial FinFisher toolkit have been identified in the Citizen Lab researchers' analysis. In their words: "Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit." FinSpy Mobile is the component of the toolkit that specifically targets mobile devices. Gamma Group markets the product as software that helps law enforcement and government agencies catch criminals. However, many are wondering whether that is really how it is being used.

    Your phone is a wire tap

    Whatever its original intent, FinSpy Mobile is now a threat to the general public. It is far more than an average monitoring application; according to the product's own documentation, it provides the remote operator with:

    • Recording of common communications like Voice Calls, SMS/MMS and Emails
    • Live Surveillance through silent calls
    • File Download (Contacts, Calendar, Pictures, Files)
    • Country Tracing of Target (GPS and Cell ID)
    • Full Recording of all BlackBerry Messenger communications
    • Covert Communications with Headquarters

    FinSpy has now been found hidden in malware in the wild. Citizen Lab found samples for all major mobile operating systems, including BlackBerry. Sounding the alarm on something this big without proof would be pure speculation, but there is proof, and plenty of it: Citizen Lab has dissected the malicious code and documented the traces of FinSpy in it.

    How it works

    The malware that carries FinSpy is a trojan, which means it must be user initiated. The process is actually simple: the user is tricked into clicking a link, typically labelled as some sort of system update, and is infected once they install that "update".

    In the case of BlackBerry, FinSpy has been found hidden in the following files:

    • rlc_channel_mode_updater.cod
    • rlc_channel_mode_updater-1.cod
    • rlc_channel_mode_updater.jad

    All of these files are signed with RIM's own code-signing keys: the BlackBerry Apps API (RBB), the RIM Crypto API (RCR) and the RIM Runtime API (RRT). Signatures from these keys are what unlock the controlled APIs on the device, so once installed the application can use every major function of the phone. Further analysis of the .jad file by Citizen Lab turned up FinSpy control server URLs and phone numbers.
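    As an added example (not code from the original post or from Citizen Lab's analysis), the Python script below shows the kind of check an analyst can run over a .jad descriptor such as the one above: it parses the key/value pairs, lists the .cod modules the descriptor will pull down, and extracts any URLs, phone numbers and non-standard property keys. The descriptor embedded in the script is constructed; only the two .cod file names come from the article, and the X-Server and X-Contact properties are hypothetical stand-ins for the server URL and phone number fields Citizen Lab reported finding.

```python
import re

# Constructed sample descriptor (added example; not the file Citizen Lab
# analysed). Only the two RIM-COD-URL values are the file names quoted in
# the article. Vendor, version and sizes are placeholders, and the X-Server
# and X-Contact keys are hypothetical stand-ins for the server URL and phone
# number fields the report says were found in the real .jad.
SAMPLE_JAD = """\
MIDlet-Name: rlc_channel_mode_updater
MIDlet-Version: 1.0.0
MIDlet-Vendor: Example Vendor
MIDlet-Description: RLC channel mode updater
RIM-COD-URL: rlc_channel_mode_updater.cod
RIM-COD-Size: 65536
RIM-COD-URL-1: rlc_channel_mode_updater-1.cod
RIM-COD-Size-1: 32768
X-Server: http://c2.example.invalid/phone/?deviceside=true
X-Contact: +15555550100
"""

# Property namespaces the MIDP spec and the BlackBerry installer define;
# anything else is application-private data that the installer ignores
# but the application can read back at run time.
STANDARD_PREFIXES = ("MIDlet-", "MicroEdition-", "RIM-")
COD_KEY_RE = re.compile(r"^RIM-COD-URL(?:-(\d+))?$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+\d{7,15}")


def parse_jad(text):
    """Parse a JAD descriptor: one 'Key: value' pair per line.

    Blank lines and lines without a colon are skipped; keys keep their
    case because the installer matches them case-sensitively.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def cod_modules(props):
    """Return the .cod modules the descriptor references, in load order.

    RIM-COD-URL is module 0; RIM-COD-URL-1, -2, ... are its siblings.
    """
    found = []
    for key, value in props.items():
        match = COD_KEY_RE.match(key)
        if match:
            found.append((int(match.group(1) or 0), value))
    return [value for _, value in sorted(found)]


def find_indicators(props):
    """Pull network and telephony indicators out of every property value
    and list keys outside the standard namespaces, which is where an
    application tends to carry its own configuration."""
    urls, phones, nonstandard = [], [], []
    for key, value in props.items():
        if not key.startswith(STANDARD_PREFIXES):
            nonstandard.append(key)
        urls.extend(URL_RE.findall(value))
        phones.extend(PHONE_RE.findall(value))
    return {"urls": urls, "phone_numbers": phones, "nonstandard_keys": nonstandard}


if __name__ == "__main__":
    props = parse_jad(SAMPLE_JAD)
    print("modules:", cod_modules(props))
    for name, values in find_indicators(props).items():
        print(f"{name}: {values}")
```

    A BlackBerry Java application that outgrows a single module is split into sibling .cod files (name.cod, name-1.cod, and so on) which the .jad lists under RIM-COD-URL, RIM-COD-URL-1, etc.; that is why the two .cod files above travel together with the one descriptor. Keys outside the MIDlet-, MicroEdition- and RIM- namespaces are a natural place for an author to stash settings, so they are worth flagging even before the values are examined.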

    In the samples Citizen Lab examined, the user is first shown a screen prompt asking them to install the "update".

    The application then requests advanced permissions, asking for Allow in every category. Once those are granted it immediately attempts to contact its remote command-and-control servers and begin recording user information, as the following log entries recovered by the Citizen Lab researchers show:

    • net.rmi.device.api.fsmbb.phone.PhoneInterface – connecting to http://demo-01.gamma-international.d...eviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX
    • net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS – Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
    • net.rmi.device.api.fsmbb.core.com.SMSCommunication – 1346097743 Success: texting to: //+XXXXXXXXXX msg: XXXXX

    The sophistication of this trojan is clear, and it is clever. Once the application is installed on the device, the attacker can simply sit back and monitor the user's every move.
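    As an added example, again not part of the original post, the Python snippet below runs simple triage over event-log lines of the shape quoted above: it keeps only entries from the spyware's own package (the components containing .fsmbb.), and pulls out the C&C URL it tried to reach, the SMS destinations with their timestamps, and the slash-separated heartbeat fields with the heartbeat time converted to UTC. The log lines embedded in the script are constructed to mirror the article's entries; the hostname, phone number and XXXXX fields are placeholders, and the last line is a benign entry added to show non-spyware components being ignored.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed log excerpt (added example; not the capture from the report).
# Each line mirrors the shape of an entry quoted in the article; the host
# name, the SMS number and the XXXXX fields are placeholders, and the final
# UiApplication line is a benign entry added to show other components being
# ignored.
SAMPLE_LOG = """\
net.rmi.device.api.fsmbb.phone.PhoneInterface - connecting to http://c2.example.invalid/phone/?deviceside=true failed: net.rim.device.cldc.io.dns.DNSException: DNS error DNS error
net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS - Heartbeat type 11 (1346097705922)+ core hb content: XXXXX/123456783648138/666666553648138/12e/666/0/0///
net.rmi.device.api.fsmbb.core.com.SMSCommunication - 1346097743 Success: texting to: //+15555550100 msg: XXXXX
net.rmi.device.api.fsmbb.core.com.protocol.HeartbeatProtocolSMS - Heartbeat type 11 (1346097705922)+ extended hb content: XXXXX/123456783648138/XXXXX/999/420/B9700 5.0.
net.rim.device.api.ui.UiApplication - application started
"""

# "component - message"; the article's rendering uses an en dash, so accept both.
LINE_RE = re.compile(r"^(?P<component>\S+)\s+[-\u2013]\s+(?P<message>.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SMS_RE = re.compile(r"texting to:\s*/*(\+?\d{6,15})")
HEARTBEAT_RE = re.compile(
    r"Heartbeat type (?P<type>\d+) \((?P<ts_ms>\d+)\)\+ "
    r"(?P<kind>core|extended) hb content: (?P<body>\S.*)$"
)
LEADING_TS_RE = re.compile(r"^(\d{10})\s")

# Package segment the spyware's classes share in the quoted log lines.
SPYWARE_MARKER = ".fsmbb."


def parse_line(line):
    """Split one log line into its component and message, or None if it
    does not have that shape."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def to_utc(seconds):
    """Render a Unix timestamp (seconds, possibly fractional) as ISO 8601 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def triage(log_text):
    """Extract C&C, SMS and heartbeat indicators from spyware log entries."""
    result = {"c2_urls": [], "c2_hosts": [], "sms": [],
              "heartbeats": [], "ignored": 0}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or SPYWARE_MARKER not in entry["component"]:
            result["ignored"] += 1
            continue
        message = entry["message"]

        # Command-and-control endpoints the implant tried to reach.
        for url in URL_RE.findall(message):
            result["c2_urls"].append(url)
            host = urlparse(url).hostname
            if host and host not in result["c2_hosts"]:
                result["c2_hosts"].append(host)

        # SMS control channel: destination number plus the leading epoch stamp.
        for number in SMS_RE.findall(message):
            stamp = LEADING_TS_RE.match(message)
            result["sms"].append({
                "to": number,
                "time": to_utc(int(stamp.group(1))) if stamp else None,
            })

        # Heartbeat payloads are slash-separated fields; keep them raw.
        hb = HEARTBEAT_RE.search(message)
        if hb:
            result["heartbeats"].append({
                "type": int(hb.group("type")),
                "kind": hb.group("kind"),
                "time": to_utc(int(hb.group("ts_ms")) / 1000),
                "fields": hb.group("body").split("/"),
            })
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

    The heartbeat fields are deliberately left uninterpreted: the article shows the raw payloads but not their layout, and the only thing safe to read off them is that the extended form ends with what looks like a device model and OS version. Everything else the script returns (hosts, numbers, timestamps) is exactly the kind of indicator that can be fed into mail and SMS filtering or DNS blocklists.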

    Click happy users beware

    As mentioned earlier, this type of malware is a trojan: it must be user initiated and explicitly allowed by the end user. Although it does not spread like a virus, it is still very effective, because many users will click on just about anything; most people's natural instinct seems to be to tap whatever comes their way. To protect against something like this, always double check the source of a link before you click it, and treat a "system update" that arrives as a link in an email or text message and then asks for every permission category as the warning sign it is.

    RIM issued this statement, "BlackBerry smartphones give customers control over what can be installed on the device in addition to prompting users to grant permissions to third-party applications. We recommend customers only download applications from trusted sources to help protect against potentially malicious software."

    This article was originally published in the forum thread "FinFisher Mobile Spyware Variant Targets BlackBerry", started by ice2921.
