A recent FBI warning on Android malware includes the mobile version of spyware that was sold to law enforcement and governments, demonstrating how such commercial applications can pose a threat to private companies and consumers.
The FBI's Internet Crime Complaint Center said this week that FinFisher was among the latest malware brought to its attention, along with a Trojan called Loozfon. To infect phones, criminals were sending text messages with links leading to a malicious web site.
FinFisher has been used for some time to compromise personal computers. The commercial version was originally sold to law enforcement and governments as spyware in almost a dozen countries. "FinFisher is a prime example of what is so risky about government agencies using software tools that can be abused for malicious purposes," Stephen Cobb, security evangelist for ESET, said by email. "There is massive irony in an FBI warning that a piece of software developed for law enforcement purposes is now a threat to our Android phones."
The Android version of FinFisher enables cybercriminals to take control of a device and monitor its use to steal personal information, such as user IDs and passwords for online banking sites. Loozfon steals contact lists and the infected phone's number. Criminals use such information to craft more convincing text messages that lure more people to malicious websites.
Both malware families take advantage of vulnerabilities within WebKit, an open source layout engine used in the Apple Safari and Google Chrome browsers, said Daniel Ford, chief security officer for mobile security firm Fixmo. In that respect, FinFisher and Loozfon are similar to other data-stealing Android malware.
FinFisher, developed by the U.K.-based Gamma Group, was first discovered in July in Bahrain, where it was used to spy on activists within the Persian Gulf kingdom. Gamma denied selling the software to Bahrain. In August, security vendor Rapid7 found command and control servers in 10 other countries: the U.S., Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.
Marcus Carey, security researcher for Rapid7, said he has not seen any evidence that FinFisher is being widely used in the mobile market. "We don't know if FinFisher is in the wild or out of control," Carey said. "Some of the reports I've seen make it sound like FinFisher is everywhere."
Loozfon is the bigger danger, said Rapid7. Discovered a couple of months ago, it is spread by criminals sending link-carrying texts that promise high-paying work-at-home jobs. "That kind of malware is very prevalent in the Android market," Carey said.