University of Toronto researchers say a commercial cyber-espionage program marketed as a way for governments to spy on criminals is being used for broader surveillance and can now take over a range of smart phones and other mobile computing devices.
“People are walking around with tools for surveillance in their pockets,” said researcher John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs, and the founder of The Voices Feeds, which helped activists get around Internet blockages during the Arab Spring.
A summary of a research project published Wednesday by the Citizen Lab, Munk School of Global Affairs identified “several mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms.”
“Now that FinFisher is in the public domain, every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind.”
Ron Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab, said surveillance malware is being sold by a number of private companies profiting from an escalating global cyber spying arms race.
Deibert charged that the industry lacks regulation and transparency and has not fully acknowledged responsibility for the consequences of its products falling into the wrong hands, or being used by governments to suppress dissidence.
Gamma did not immediately respond to a request for comment but has acknowledged development of a mobile version of the spyware toolkit.
Once downloaded via an email link, the FinFisher Mobile spyware virus can grab images of users’ computer screens, remotely log keystrokes, eavesdrop on Skype calls, and even activate Web cameras and voice recorders and GPS tracking functions. The spyware, which can also steal files from a hard disk, is built to bypass dozens of antivirus systems.
In promotional material, the company says its spyware offers “world-class offensive techniques for information gathering . . . to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”
This spring, pro-democracy Bahraini activists forwarded malicious emails to Citizen Lab for an analysis that found they contained FinSpy, part of the FinFisher spyware line. The term “FinSpy” itself appeared in the malware’s code.
A spokeswoman for Public Safety minister Vic Toews said she could not comment on specifics, but said the Conservative government is “taking the steps necessary to protect Canadians by making significant investments in our cyber security strategy.
“This is in addition to the important resources allocated to our security organizations. Our government strongly encourages all Canadians to work with their technology providers to ensure they are protected from any malicious content.”
Xuxian Jiang, an assistant professor and computer science researcher at North Carolina State University, echoed statements from mobile device vendors including Waterloo-based BlackBerry maker Research In Motion Ltd., which advised users to only download apps from trusted sources, and to have updated anti-virus software running.
“Assuming technical analysis in the report is sound and trustworthy, I’d be very concerned on the number of infections out there and the fact that this particular piece of malware can infect multiple types of devices,” he added.
“We think that they are most likely connected to the [FinFisher] infrastructure and are being run by different people across the globe,” the company said. It added that once the spyware is released on the Internet, samples will likely end up in the hands of cybercriminals who could build their own versions.