ACG-CYBER SECURITY BULLETIN NO. 109 UNDERSTANDING FINFISHER SPYWARE
The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
“FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. FinFisher can be covertly installed on targets’ computers by exploiting security lapses in the update procedures of non-suspect software.”1 The spyware has extensive surveillance capabilities on infected computers, including covert live monitoring by switching on the webcam and microphone, recording everything the victim types with a keylogger, intercepting Skype calls, and exfiltrating files.
FinFisher can be installed in various ways, including fake software updates, emails with fake attachments, and security flaws in some software. It can also infect devices through other mechanisms, including spearphishing, manual installation by someone with physical access to the device, 0-day exploits, and watering hole attacks that poison websites the targets are expected to visit. The surveillance suite is installed once the user accepts the installation of a fake update. It was designed to evade detection by antivirus software and has versions that run on mobile phones of all major brands.
The attack often starts with the user searching for one of the affected applications on a legitimate website. When the user clicks the download link, the browser is served a modified link that redirects to a trojanized installation package hosted on the attacker’s server. The redirection happens without the user’s knowledge and is invisible to the naked eye. When the download finishes and is executed, it installs not only the intended legitimate application but also the FinFisher spyware bundled with it.
PNP personnel and the public are advised to follow these tips to avoid being compromised by FinFisher spyware:
- Avoid clicking on links or downloading software from unknown sources.
- Do not install apps from untrusted sources.
- Do not give your device to untrusted people who might secretly install the malware on your device.
- Password-protect your phone.
- Keep your OS and apps updated and patched.
- For Android owners, activate the built-in encryption, which requires a password to decrypt the device every time you turn it on.
For additional information, please refer to the following websites:
POINT OF CONTACT