March 13, 2013, 10:10 PM — New research suggests a controversial spyware suite called FinFisher is being used to track activists in more countries than previously thought, including Vietnam and Ethiopia.
FinFisher, made by a subsidiary of U.K.-based Gamma Group, is a set of remote intrusion and interception tools intended for use by law enforcement and intelligence agencies. But critics say the software is also used by repressive regimes to target activists, and they consider it malicious software.
Although FinFisher has been known for several years, researchers say its use is widening and that technical modifications are being made to help it evade detection.
The latest research was published Wednesday by the Munk School of Global Affairs, part of the University of Toronto. Researchers there found more command-and-control servers used by FinFisher to control the software and collect captured information.
One sample of FinFisher, which the researchers dubbed FinSpy, appears to have been used to target an opposition group in Ethiopia called Ginbot 7, which was designated as a terrorist group by the country in 2011, wrote Morgan Marquis-Boire, a security researcher and technical advisor at the Munk School and a security engineer at Google.
FinSpy presented itself as an image file of Ginbot 7 in an attempt to get victims to open it, he wrote. It communicates with a command-and-control server, which is still operational, hosted on an IP address belonging to Ethiopia's state-owned telecommunications company, Ethio Telecom. The sample is similar to one that was sent to Bahraini activists in 2012.
"The existence of a FinSpy sample that contains Ethiopia-specific imagery and that communicates with a still-active command and control server in Ethiopia strongly suggests that the Ethiopian Government is using FinSpy," Marquis-Boire wrote.
The researchers also analyzed a FinFisher product for Android mobile devices that communicated with a command-and-control server in Vietnam.
The software, called FinSpy Mobile for Android, sends a person's text messages to a Vietnamese phone number, Marquis-Boire wrote. The FinFisher suite of products includes similar software designed for iOS, Android, Windows Mobile and BlackBerry, with functions such as the ability to send GPS coordinates and snoop on conversations near where a phone is used.
"Both the command and control server IP and the phone number used for text-message exfiltration are in Vietnam, which indicates a domestic campaign," Marquis-Boire wrote. "This apparent FinSpy deployment in Vietnam is troubling in the context of recent threats against online free expression and activism."