
Security alert: New version of known surveillance malware now able to extract sensitive data even if it's encrypted

Cybersecurity company Kaspersky has uncovered new versions of the advanced malicious surveillance tool FinSpy. The updated version of the malware works on both iOS and Android devices. Once installed, the software can monitor activity on almost all popular messaging services, including encrypted ones, and hide its traces better than before.

The malware allows attackers to spy on all device activities and exfiltrate sensitive data such as GPS location, messages, pictures, calls and more.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” said Alexey Firsh, security researcher at Kaspersky Lab.

“Moreover, they follow trends and implement functionality to exfiltrate data from applications that are currently popular. We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and install them as soon as they are released. Because, regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying,” he added.

Extracting information from NGOs to governments and law enforcement

FinSpy is an extremely effective software tool for targeted surveillance, and it's been known to steal sensitive information from international NGOs, governments and law enforcement organizations all over the world.

The malware is so potent that it allows hackers to tailor the behavior of each malicious FinSpy implant to a specific target or group of targets.

Even encrypted data is not safe

The basic functionality of the malware includes almost unlimited monitoring of the device’s activities, such as geolocation, all incoming and outgoing messages, contacts, media stored on the device, and data from popular messaging services like WhatsApp, Facebook Messenger or Viber. All the exfiltrated data is transferred to the attacker via SMS messages or via the web, all without detection.

The latest known versions of the malware extend the surveillance functionality to additional messaging services, including those considered ‘secure’, such as Telegram, Signal or Threema.

They are also more adept at covering their tracks. For instance, the iOS malware, targeting iOS 11 and older versions, can now hide signs of jailbreak, while the new version for Android contains an exploit capable of gaining root privileges – almost unlimited, complete access to all files and commands – on an unrooted device.

How are devices infected?

Based on the information available to Kaspersky, in order to successfully infect both Android and iOS-based devices, attackers need either physical access to the phone or an already jailbroken/rooted device. For jailbroken/rooted phones there are at least three possible ways to infect the device: via SMS message, email, or push notifications.

According to Kaspersky telemetry, several dozen mobile devices have been infected over the past year.

To avoid falling victim to FinSpy, Kaspersky researchers advise users:

  • Do not leave your smartphone or tablet unlocked, and always make sure nobody is able to see your PIN code when you enter it
  • Do not jailbreak or root your device since it will make an attacker’s job easier
  • Only install mobile applications from official app stores, such as Google Play
  • Do not follow suspicious links sent to you from unknown numbers
  • In your device settings, block the installation of programs from unknown sources
  • Avoid disclosing the password or passcode to your mobile device, even to someone you trust
  • Never store unfamiliar files or applications on your device, as they could harm your privacy
  • Download a proven security solution for mobile devices, such as Kaspersky Internet Security for Android.

Read Kaspersky’s full report on the malware here.
