Despite repeated warnings from security experts, mobile devices have been the victims of relatively few malware attacks so far. That could be about to change, though, thanks to spyware designed by Gamma Group, and boy, is it scary.
According to Bloomberg, Gamma Group is marketing FinSpy Mobile, part of their larger FinFisher product line, towards law enforcement, but it reveals some serious security flaws in our smartphones. FinSpy can essentially take all of the power your smartphone has to offer and turn it against you, recording everything from your emails and phone calls to your photos and audio clips. It can even record video and audio without the user knowing it.
Mobile malware can be even more dangerous than the infections you’ve seen on your PC, since it makes it possible for criminals (or your local dictator) to track your every move. FinSpy Mobile seems to offer a lot of the same features as its bigger brother, FinFisher, which essentially offers all of your favorite spyware functions in one convenient package, including keylogging and recording Skype and webcam conversations. As bad as watching you enjoy pr0n through your webcam sounds, it’s got nothing on this stuff.
For their part, Gamma is mum on the subject. “I can confirm that Gamma supplies a piece of mobile intrusion software – FinSpy Mobile,” Managing Director Martin J. Muench told Bloomberg. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”
That’s all well and good so long as it’s only being used for legitimate purposes, but we already know that it doesn’t work that way – Bahrain has been using black market versions of the software against anti-government activists. We somehow doubt that they’re the only ones capable of using it for less savory purposes.
What’s really disturbing is that FinSpy Mobile is being deployed on just about every mobile platform in use today. Security experts have determined, in part thanks to a brochure released by WikiLeaks, that it can target Windows Mobile (we assume that this means Windows Phone), iOS, BlackBerry, Symbian, and Android. All it takes to install FinSpy is clicking on a link that might appear via text message, encouraging the user to download an update.
Microsoft responded to Bloomberg’s concerns about FinSpy with this statement:
We strongly encourage Windows Mobile owners to avoid clicking on or otherwise downloading software or links from unknown sources, including text messages.
That’s pretty standard stuff, but since we already know that SMS in particular is susceptible to spoofing, it’s good to keep it in mind. Nokia’s statement, on the other hand, raises another question: how does FinSpy get around the usual restrictions on app installations on Windows Phone and other platforms?
Nokia said that since a user would have to actively accept the installation, it shouldn’t be a problem. We’re not sure how exactly FinSpy is able to get around a walled garden like the iPhone’s, if it indeed works as well as is claimed. Unsurprisingly, Apple didn’t offer a comment.
In the meantime, be a little more careful next time you think about opening a link someone sends you, and use common sense. Your smartphone is still a computer, and no matter how secure it might be, it’s not beyond the reach of hackers, legitimate or otherwise.