One day in 2011, Moosa opened the Facebook Messenger app on his iPhone. What he saw was chilling: someone else typing under his name to an activist friend of his in Bahrain…
Facebook was only the beginning. Unbeknownst to him, Moosa’s phone and computer had been infected with a highly sophisticated piece of spyware, built and sold in secret.
It was a sign of a more sophisticated author at work. The implant used a technique called process-hollowing — injecting its own code into a program that’s still running in order to use the legitimate program as cover. […] “I thought, Finspy, that rings some bells,” Marquis-Boire recalls. “Holy shit, I think this is FinFisher!”
FinFisher had become a kind of bogeyman in the security community since brochures advertising the software’s capabilities popped up in a Wikileaks drop in December of 2011. FinFisher could purportedly empower its owner with the kinds of advanced intrusion techniques usually reserved for the NSA. “There was a certain amount of interest just because no one had seen it,” Marquis-Boire says. “All we had were these leaked documents.”
FinFisher was created and sold by Gamma International, an international surveillance company with offices in London and Frankfurt. The Gamma brochures promised remote monitoring and keylogging — they even said they could listen in on a target’s Skype calls in real time.
But now Marquis-Boire had caught a FinFisher sample in the wild, and thanks to the leaked brochures, he had a roadmap of everything the implant could do.
Marquis-Boire enlisted the aid of Claudio Guarnieri, a researcher at security firm Rapid7, to further explore the software. The two uncovered a mobile version of the implant, which came in different versions for iOS, Android, and even Symbian, like a hot startup trying to cover as much of the market as possible. […] Once the implant was installed, your phone effectively became an enemy agent. “I’d be working at my computer and start squinting at my phone, thinking, maybe I should turn that off,” Marquis-Boire says. “It produced this weird dissonance between me and this device that I carry around all the time.”
Instead of a few outposts, they found an army. FinFisher’s agents were everywhere: Japan, Germany, India, Serbia, Mongolia — there were even servers in the US. It was an atlas of personal invasions. All told, 25 countries hosted a server of some kind, each hired out to a different regime and pointing the x-ray at a different enemy of the state.
Marquis-Boire published the work in a series of three landmark papers from July 2012 to March of 2013, each titled with a cheeky Bond pun like
”The Smartphone Who Loved Me” or “You Only Click Twice.” The papers laid out everything he knew about FinFisher’s network, revealing a global surveillance network that was being hired out to some of the world’s most repressive governments. Targeted exploits weren’t just for the NSA anymore. They were available to anyone who could pay for them.
Once the papers were published, FinFisher went back underground. The coders behind the program began to change its routines and filenames enough to let it slip by unnoticed.
Their primary concern stems not from what effect FinFisher could have on their activism, but from the specter of having their personal lives invaded — the same fundamental privacy concern behind much of the NSA surveillance controversies in the US.
“They actually have a system that the government buys, and they get the whole package,” Marczak says. “It’s not just the code itself, it’s the administration, the analysis, the support — the whole framework is provided.”
That turns the same surveillance conducted by the NSA or GCHQ into a market product, available to the highest bidder with no questions asked. “The value proposition is essentially: ‘Activists in your country are giving you trouble? Well here’s a product that will allow you to turn their cellphone or computer into basically a wiretap, a surveillance tool, and you can spy on everything they do,’” Marczak says. “And I think governments are very attracted to that.”