Posted on September 22, 2017 at 8:43 AM
An invasive new spy malware has been found packaged with several popular downloads like Skype and WhatsApp.
Cybersecurity researchers have recently found that legitimate downloads of popular software and apps such as WhatsApp, Skype, and VLC Player are being hijacked by internet service providers (ISPs) for advanced surveillance purposes. The surveillance software currently goes by the name “FinFisher.”
FinFisher is sold to and used by several governments worldwide to spy on webcam activity, microphone input, online activity, and keystrokes. A document recently published by WikiLeaks has linked a tool named “FinFly ISP” to FinFisher.
An international firm, Gamma Group, is believed to be responsible at least for selling the software, which has so far been sold mostly to restrictive governmental regimes, including Bahrain, Egypt, and the United Arab Emirates (UAE).
Gamma Group attended a security conference in the UK earlier this year.
Cybersecurity experts from Eset have recently traced several variants of the FinFisher software in seven different countries. In two of the seven countries, the infections came through so-called “man in the middle” (MitM) attacks carried out at the ISP level: users in those countries received spyware packaged with legitimate downloads.
The apps targeted include WhatsApp, Skype, Avast, VLC Player, and WinRAR; however, more compromised software is likely to emerge, as any application is vulnerable to having this threatening code included.
When a targeted user downloaded software, they were automatically redirected to a version containing the FinFisher software. The download proceeded as normal, giving no reason for alarm, but the target’s machine would then contain spyware.
The spyware would evade any detection by the user.
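The redirect-based delivery described above leaves two defender-side handles: an installer request that is answered with a redirect to a different host, and a downloaded file whose hash does not match the vendor-published value. The following is an added example, not code from the article or from Eset; the log format, hostnames and IP addresses are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample access-log lines (not real traffic):
# timestamp client method requested_url status redirect_location
SAMPLE_LOG = """\
2017-09-20T10:01:02Z 10.0.0.5 GET http://download.example.com/SkypeSetup.exe 302 http://203.0.113.10/SkypeSetup.exe
2017-09-20T10:02:15Z 10.0.0.7 GET http://download.example.com/vlc-2.2.6-win32.exe 200 -
2017-09-20T10:03:40Z 10.0.0.9 GET http://cdn.example.com/WhatsAppSetup.exe 302 https://cdn.example.com/WhatsAppSetup.exe
2017-09-20T10:04:01Z 10.0.0.9 GET http://mirror.example.net/winrar-x64-550.exe 307 http://updates.example-evil.test/winrar-x64-550.exe
"""

INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".apk")
REDIRECT_CODES = {301, 302, 303, 307, 308}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location}


def is_installer(url):
    return urlparse(url).path.lower().endswith(INSTALLER_EXT)


def offhost_redirect(rec):
    """True when an installer download is redirected to a different host.
    A same-host redirect (e.g. an http->https upgrade) is not flagged."""
    if rec["status"] not in REDIRECT_CODES or not rec["location"]:
        return False
    if not is_installer(rec["url"]):
        return False
    return urlparse(rec["url"]).hostname != urlparse(rec["location"]).hostname


def find_suspicious(log_text):
    """Return the records whose installer request was redirected off-host."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and offhost_redirect(rec)]


def verify_sha256(data, expected_hex):
    """Compare a downloaded file against the hash published by the vendor."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()
```

Off-host redirects are a heuristic, not proof: CDNs legitimately redirect across hosts, so hits should be correlated with the hash check against the vendor's published value rather than treated as infections on their own.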
Eset has not yet named affected countries for security purposes. WhatsApp and VLC Player are yet to respond to this threat.
According to a Microsoft spokesperson, Microsoft Defender antivirus is capable of automatically detecting and removing threats of any kind.
Avast has responded by saying that hackers always aim for the most prominent targets.
Packaging malware with trusted software is not a revolutionary technique in any way, but the worrying aspect of this attack is that it’s happening at an ISP level.
Experts are currently researching whether the ISPs in question are cooperating with those responsible for the malware, or whether the ISPs’ systems have been compromised.
According to Eset, the latest version of FinFisher included several tactical improvements. These updates were particularly aimed at compromising popular end-to-end encryption employed in messaging apps including WhatsApp and Threema.
Considering where the FinFisher variants have been located, the MitM attack is most likely operating at an ISP level.
According to Filip Kafka, a malware researcher at Eset, the biggest implication of this latest malware attack is that the attackers have used a highly effective method of infection that is remarkably easy to implement from a technical standpoint.
Considering the growing number of infected devices, FinFisher is quickly becoming the most effective and widely used method for a government to spy on its citizens.
Bypassing encryption methods has become a huge point of interest among governments worldwide including those who collect communications from their citizens. Many politicians have argued that encrypted messaging platforms like WhatsApp make it convenient for terrorists while placing a burden on governmental terror probes.
The document on WikiLeaks regarding FinFly ISP boasted of the software’s ability to spy on targets at the ISP level. The malware’s brochure proclaimed that it is able to attach patches to the target’s software downloads, or to send fake software downloads in place of the popular software being downloaded.
The brochure adds that the malware can be installed on an ISP network, and continues to list an example of where this was utilized by an unnamed intelligence agency.
According to Eset, all affected targets within a country used the same ISP.
This is the first time that the use of an ISP-level MitM attack method has been revealed.
FinFisher has the potential to become one of the most sophisticated and effective surveillance methods, something completely unprecedented both in its method of operation and in the implications it poses.
No one yet knows who is responsible for this attack, although it is entirely created for the use of governmental agencies.
Gamma Group has not responded to requests for comment.
The Gamma Group firm has offices in Europe and has previously been linked to questionable business practices. In 2013, it received a cease-and-desist letter from Mozilla after Gamma’s software was caught posing as a version of the Firefox browser.
Mozilla stated in a blog post that they would not tolerate a company using their name and reputation as a manner to install spyware on their users’ machines. Mozilla condemned this practice as a violation of human rights and online privacy.
In 2013, Reporters Without Borders identified Gamma Group as a corporate enemy of the internet. This came after it was found that the firm’s hugely invasive spy malware can also be installed using malicious emails.
In 2011, Gamma Group was found selling a malware Trojan posing as an update for the iTunes media player. According to security journalist Brian Krebs, Gamma Group was able to exploit this successfully for three years before being caught.