Latest FinSpy Modules Lift Data from Secure Messaging Apps

The latest iOS and Android versions of the FinSpy espionage malware have been deployed in the wild, and are capable of collecting a raft of personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data – even from the most popular “secure” messaging platforms.

FinSpy is a targeted tool sold by European firm Gamma Group to governments and law-enforcement organizations; it’s been around since 2011, but recently Kaspersky researchers have seen new instances of it within the firm’s telemetry, including activity recorded in Myanmar last month. According to Kaspersky, several dozen unique mobile devices have been infected over the past year, using revamped implants.

“FinSpy…is able to monitor almost all device activities, including recording VoIP calls via external apps such as Skype or WhatsApp,” researchers said in a blog post on Wednesday, adding that targeted applications also include secure messaging platforms such as Threema, Signal and Telegram. “After the deployment process, the implant provides the attacker with almost unlimited monitoring of the device’s activities.”

There’s a catch though for operators going after iOS users: The implant can only be installed on jailbroken devices; and, an attacker would need physical access to the device in order to jailbreak it. If a device is already jailbroken, remote infection vectors include malicious SMS messages or emails, and WAP push messaging, which can be sent from the FinSpy Agent operator’s terminal.

Also, the latest iPhone/iPad version is compatible with iOS 11 and below, but newer versions of the Apple operating system are not confirmed as susceptible; also, implants for iOS 12 have not been observed.

The Android version meanwhile can be installed manually if the attacker simply has physical access to the device, or remotely using the same three remote infection vectors as the iOS version.

Main Functionality

The core implant module for the latest iOS version of FinSpy (“FilePrep”) contains 7,828 functions. It controls all the other modules, and takes care of HTTP and SMS heartbeats and other service functions. Communication between components is implemented using CPDistributedMessagingCenter (a wrapper over the existing messaging facilities in the operating system, which provides server-client communication between different processes using simple messages and dictionaries). It also uses a local HTTP server to receive data requests.

Click to Expand

Of particular note is a module called “.hdutils,” which is designed to configure the processing of all incoming SMS messages. It parses the text looking for specific content and will hide message notifications from the user. Then it sends relevant texts to the core module.

The module “.chext” meanwhile targets messenger applications and hooks their functions to exfiltrate almost all accessible data: message content, photos, geolocation, contacts, group names and so on. Targeted platforms include BlackBerry Messenger, Facebook Messenger, InMessage, Signal, Skype, Threema and Wechat. The collected data is submitted to the local server deployed by the main module.

The “keys” module has multiple hooks that intercept every typed symbol; and, Kaspersky said that there are several hooks to intercept passwords during login and the “change password” process.

A module dubbed “MediaEnhancer” records calls. “The module starts a local HTTP server instance on port 8889 upon initialization, implementing VoIPHTTPConnection as a custom connection class,” researchers explained. “This class contains a handler for requests to localhost/voip.html that could be made by other components.”

And finally, the module “.vpext” implements more than 50 hooks used for VoIP calls processed by external messaging apps, including BlackBerry Messenger, KakaoTalk, LINE, Signal, Skype, Viber, WeChat and WhatsApp.

“These hooks modify functions that process VoIP calls in order to record them,” according to Kaspersky. “To achieve this, they send a post request with the call’s meta information to the HTTP server previously deployed by the MediaEnhancer component that starts recording.”

The Android implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, pictures, files in memory and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS messages or via the internet (the C2 server location is stored in the configuration file).

“Personal data, including contacts, messages, audios and videos, can be exfiltrated from most popular messengers,” according to Kaspersky. “Each of the targeted messengers has its own unified handling module, which makes it easy to add new handlers if needed.”

The Android version adds an additional capability to the above features: Gaining root privileges on an unrooted device by abusing the Dirty Cow exploit, which is contained in the malware.

“After successful installation, the implant tries to gain root privileges by checking for the presence of known rooting modules SuperSU and Magisk and running them,” researchers explained. “If no utilities are present, the implant decrypts and executes the Dirty Cow exploit, which is located inside the malware; and if it successfully manages to get root access, the implant registers a custom SELinux policy to get full access to the device and maintain root access. If it used SuperSU, the implant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during boot. It also deletes all possible logs including SuperSU logs.”

FinSpy Activity Grows

Overall, during Kaspersky’s research, up-to-date versions of the implants used in the wild were detected in almost 20 countries – and given the size of Gamma’s customer base, it’s “likely that the real number of victims is much higher,” the analysts said. They also said that it was clear that FinSpy operators go after carefully selected targets, tailoring the behavior of each implant for a particular victim.

Kaspersky researchers also said that FinSpy’s developers are constantly working on the updates for their malware; and in fact, Kaspersky researchers have found yet another version of the threat and working now to analyze it.

“Since [a source code] leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market,” according to Kaspersky.

_Don’t miss our free live _Threatpost webinar, “****_Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _Register and Learn More