New versions of FinFisher mobile spyware discovered in Myanmar

silversurfer

Security researchers from Kaspersky Lab have discovered new and improved versions of the FinFisher spyware.

The new versions, which target Android and iOS phones, have been in use since 2018, and the most recent FinFisher implants have been discovered active as late as last month, in Myanmar, a country in the midst of multiple human rights abuse scandals.

The upgraded FinFisher (FinSpy) versions are now capable of collecting and exfiltrating a wide array of personal data from infected phones, such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, and data from the phone's RAM. Furthermore, the samples can also record phone calls and dump images and messages from popular instant messaging clients.

FinFisher has always had implants for both desktop and mobile operating systems, but these new versions targeting smartphones put the mobile implants on par with the more advanced desktop versions.

According to a technical analysis of the new samples, the Android and iOS versions have nearly identical capabilities, according to Kaspersky, with a few differences here and there in regards to infection methodology and supported IM clients.

Per the Russian antivirus vendor, the Android IM clients from which FinFisher can dump and steal chats, pictures, videos, and contacts, include Facebook Messenger, Skype, Signal, BlackBerry Messenger, Telegram, Threema, Viber, WhatsApp, Line, and InstaMessage.

On iOS, supported clients are Facebook Messenger, Skype, Threema, Signal, InstaMessage, BlackBerry Messenger, but also WeChat. Furthermore, on iOS, the new FinFisher version can also record VoIP calls made through IM clients, such as WhatsApp, Skype, Line, Viber, WeChat, Signal, BlackBerry Messenger, and KakaoTalk.
436880927

If you go over to the Google's Chrome Web Store right now and search for "Kaspersky" then you'll immediately find a rogue extension claiming to be a free version of Kaspersky Anti-Virus. According to the Chrome Web Store, this rogue extension has almost 500 users.

The manifest.json file for the rogue browser extension is below.

[image: CQKEwp.jpg]

The manifest tells us that the rogue browser extension will override Google Chrome's default new page with a document packaged with the browser extension named newpage.html. Furthermore, the manifest tells us that the rogue browser extension has the ability to access the browser's tabs and that a script (background.js, packaged with the rogue browser extension) will be run in the background.

[image: z1BeKv.jpg]

[image: vZ90Y2.jpg]

This rogue browser extension looks really appetizing... who doesn't like new tabs being spammed, unsolicited advertisements and a bunch of nonsense every time they try and use their web browser? Don't forget the pushed links to online downloads from an external third-party website.

The moral of the story is that years later, Google still hasn't been able to implement an effective vetting system which can prevent rogue browser extensions masquerading as well-known corporations like Kaspersky. If only Google spent more time focusing on their own problems than exposing other people's.

Congratulations, Google.
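The manifest fields called out in the post above (a new-tab override, the "tabs" permission and a background script) are exactly what a quick triage of a suspicious extension should flag. The script below is an added example, not code from the post or from the extension; the manifest it parses is a constructed sample modelled on those fields, not the rogue extension's real manifest.

```python
import json

# Constructed sample modelled on the capabilities described in the post:
# a new-tab override, the "tabs" permission and a background script.
SAMPLE_MANIFEST = """
{
  "manifest_version": 2,
  "name": "Kaspersky Anti-Virus Free",
  "version": "1.0",
  "chrome_url_overrides": { "newtab": "newpage.html" },
  "permissions": ["tabs", "storage"],
  "background": { "scripts": ["background.js"] }
}
"""

# Permissions that warrant a closer look when triaging an extension.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking",
                         "history", "cookies", "<all_urls>", "nativeMessaging"}


def triage_manifest(manifest_text: str) -> list[str]:
    """Return human-readable findings for the capabilities a manifest declares.

    Handles both Manifest V2 (background.scripts, permissions) and
    Manifest V3 (background.service_worker, host_permissions) layouts.
    """
    m = json.loads(manifest_text)
    findings = []

    # Overriding chrome://newtab is how an extension replaces the new-tab page.
    for page, target in m.get("chrome_url_overrides", {}).items():
        findings.append(f"overrides built-in page '{page}' with packaged file '{target}'")

    # Background code runs without any web page being open.
    bg = m.get("background", {})
    for script in bg.get("scripts", []):
        findings.append(f"runs persistent background script '{script}'")
    if "service_worker" in bg:
        findings.append(f"runs background service worker '{bg['service_worker']}'")

    # "tabs" exposes every open tab's URL and title to the extension.
    declared = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    for perm in sorted(declared & SENSITIVE_PERMISSIONS):
        findings.append(f"requests sensitive permission '{perm}'")

    return findings


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print("-", line)
```

Point it at the manifest.json of an unpacked extension directory to get the same three findings the post derives by reading the file by hand.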