FBI warns commercial spyware has made jump to Android

A recent FBI warning on Android malware includes the mobile version of spyware that was sold to law enforcement and governments, demonstrating how such commercial applications can pose a threat to private companies and consumers.

The FBI's Internet Crime Complaint Center said this week that FinFisher was among the latest malware brought to its attention, along with a Trojan called Loozfon. To infect phones, criminals were sending text messages with links leading to a malicious web site.

FinFisher has been used for some time to compromise personal computers. The commercial version was originally sold to law enforcement and governments as spyware in almost a dozen countries.

"FinFisher is a prime example of what is so risky about government agencies using software tools that can be abused for malicious purposes," Stephen Cobb, security evangelist for ESET, said by email. "There is massive irony in an FBI warning that a piece of software developed for law enforcement purposes is now a threat to our Android phones."


The Android version of FinFisher enables cybercriminals to take control of a device and monitor its use to steal personal information, such as user IDs and passwords to online banking sites. Loozfon steals contacts lists and the infected phone's number. Criminals use such information to create more convincing text messages to lure more people to malicious websites.

Both pieces of malware exploit vulnerabilities in WebKit, the open source layout engine used in Apple's Safari and Google's Chrome browsers, said Daniel Ford, chief security officer for mobile security firm Fixmo. In that respect, FinFisher and Loozfon are similar to other data-stealing Android malware.

FinFisher, developed by the U.K.-based Gamma Group, was first discovered in July in Bahrain, where it was used to spy on activists within the Persian Gulf kingdom. Gamma denied selling the software to Bahrain. In August, security vendor Rapid7 found command and control servers in 10 other countries: the U.S., Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.

Marcus Carey, security researcher for Rapid7, said he has not seen any evidence that FinFisher is being widely used in the mobile market.

"We don't know if FinFisher is in the wild or out of control," Carey said. "Some of the reports I've seen make it sound like FinFisher is everywhere."

Loozfon, discovered a couple of months ago, is the bigger danger, Rapid7 said. Criminals are sending text messages carrying links that promise high-paying work-at-home jobs.

"That kind of malware is very prevalent in the Android market," Carey said.

Rapid7 did not know how many phones might have been compromised with Loozfon, said Giri Sreenivas, vice president and general manager of the company. The Trojan is likely being used extensively in counterfeit mobile apps found in unsavory online marketplaces outside the U.S. The vast majority of phone infections occur through downloading bogus apps from third-party Android markets, particularly those in China and Russia, according to McAfee.

The malware risk on Android phones is a growing concern. A study released this year by Symantec found that 67% of large companies were worried about malware spreading from mobile devices to internal networks.

McAfee reported finding 7,000 malware samples targeting the Android platform in the first three months of the year, versus 1,000 for other mobile operating systems. By comparison, the total number of malware samples discovered in the middle of 2011 was in the hundreds, McAfee said. Part of the increase was due to improvements in detection.

Despite the growing threat, wireless carriers and Android device makers continue to do a poor job of patching the software, recent studies show.
