Experts at Kaspersky have discovered a new improved variant of the FinFisher spyware used to spy on both iOS and Android users in 20 countries.
According to the experts, the new versions have been active at least since 2018, one of the samples analyzed by Kaspersky was used last month in Myanmar, where local government is accused of violating human rights.
“According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019.” reads the report published by Kaspersky. “Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018.”
The new variants of FinFisher implement a broad range of features to collect data from infected mobile phones, including SMS/MMS messages, emails, calendars, GPS location, photos, and data held in the device's memory (RAM).
Of course, the samples can also record phone calls and record VoIP calls via popular apps, including Skype or WhatsApp.
The implant analyzed by the experts contained binary files for the ARMv7 and ARM64 CPU architectures. This matters because iOS 11 is the first iOS version that no longer supports ARMv7, so the ARMv7 build can only target devices running older iOS releases.
Experts pointed out that the new FinFisher implant for iOS doesn’t support the latest iOS 12.x.
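As an added illustration (not code from the article or from Kaspersky's report), the script below shows how an analyst confirms which CPU slices a Mach-O sample ships: it parses the fat (universal) header and the thin Mach-O headers inside it, names each architecture, and reports whether ARMv7 and ARM64 builds are both present. The sample bytes it builds are constructed here for demonstration and are not real implant data.

```python
"""Triage helper: list the CPU slices packaged in a Mach-O or fat (universal) binary."""
import struct
import sys
from typing import List, NamedTuple, Optional

FAT_MAGIC = 0xCAFEBABE          # fat header magic, stored big-endian on disk
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O header magic
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header magic
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
ARM_SUBTYPES = {9: "armv7", 10: "armv7f", 11: "armv7s", 12: "armv7k"}
ARM64_SUBTYPES = {0: "arm64", 1: "arm64v8", 2: "arm64e"}


class Slice(NamedTuple):
    arch: str
    offset: int
    size: int


def arch_name(cputype: int, cpusubtype: int) -> str:
    sub = cpusubtype & 0x00FFFFFF  # drop capability bits in the high byte
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(sub, f"arm(subtype {sub})")
    if cputype == CPU_TYPE_ARM64:
        return ARM64_SUBTYPES.get(sub, f"arm64(subtype {sub})")
    if cputype == CPU_TYPE_X86:
        return "i386"
    if cputype == CPU_TYPE_X86_64:
        return "x86_64"
    return f"cputype 0x{cputype:x}"


def parse_thin(data: bytes, offset: int = 0) -> Optional[str]:
    """Return the arch name of a thin Mach-O header at `offset`, or None if absent."""
    if offset + 12 > len(data):
        return None
    for fmt in ("<", ">"):  # Mach-O headers use native byte order; try both
        magic, cputype, cpusubtype = struct.unpack_from(fmt + "III", data, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return arch_name(cputype, cpusubtype)
    return None


def list_slices(data: bytes) -> List[Slice]:
    """List every architecture slice in a fat or thin Mach-O; raise ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("file too short to be a Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            entry = 8 + i * 20  # sizeof(fat_arch) == 20
            if entry + 20 > len(data):
                raise ValueError("truncated fat_arch table")
            cputype, cpusubtype, off, size, _align = struct.unpack_from(">IIIII", data, entry)
            if off + size > len(data):
                raise ValueError(f"slice {i} runs past end of file")
            if parse_thin(data, off) is None:
                raise ValueError(f"slice {i} does not start with a Mach-O header")
            slices.append(Slice(arch_name(cputype, cpusubtype), off, size))
        return slices
    thin = parse_thin(data, 0)
    if thin is None:
        raise ValueError("not a Mach-O or fat binary")
    return [Slice(thin, 0, len(data))]


def arch_summary(slices: List[Slice]) -> dict:
    """Flag whether the sample carries 32-bit ARM (pre-iOS 11 devices) and/or 64-bit ARM code."""
    archs = [s.arch for s in slices]
    return {
        "archs": archs,
        "has_armv7": any(a.startswith("armv7") for a in archs),
        "has_arm64": any(a.startswith("arm64") for a in archs),
    }


def build_sample_fat() -> bytes:
    """Constructed sample (not a real binary): a fat file with one armv7 and one arm64 slice."""
    armv7 = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 0, 0, 0) + b"\0" * 4
    arm64 = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0)
    off1, off2 = 0x1000, 0x2000
    blob = struct.pack(">II", FAT_MAGIC, 2)
    blob += struct.pack(">IIIII", CPU_TYPE_ARM, 9, off1, len(armv7), 12)
    blob += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off2, len(arm64), 14)
    blob += b"\0" * (off1 - len(blob)) + armv7
    blob += b"\0" * (off2 - len(blob)) + arm64
    return blob


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    found = list_slices(raw)
    for s in found:
        print(f"{s.arch:10s} offset=0x{s.offset:x} size={s.size}")
    print(arch_summary(found))
```

Run it with a file path to inspect a real sample, or with no arguments to see it walk the constructed fat file. Because iOS 11 dropped 32-bit support, a sample that still carries an armv7 slice is telling you the operators wanted coverage of older, un-updated devices as well as current ones.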
The Android and iOS versions use different infection techniques; for example, FinSpy for iOS does not come with infection exploits for its customers. An attacker with physical access to the device could jailbreak it first. On devices that are already jailbroken, the attackers could use SMS messages, email, or WAP Push as the infection vector.
The Android version of the implant is also capable of gaining root privileges on an unrooted device by exploiting the DirtyCow vulnerability.
Both versions can spy on communications through Facebook Messenger, Skype, Signal, BlackBerry Messenger, Telegram, Threema, Viber, WhatsApp, Line, InstaMessage, and more.
“FinSpy developers are constantly working on the updates for their malware. At the time of publication, Kaspersky researchers have found another version of the threat and are currently investigating this case.” concludes the analysis.
“A full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting service. For more information, contact firstname.lastname@example.org”