CIO

FBI warns commercial spyware has made jump to Android

A recent FBI warning on Android malware includes the mobile version of spyware that was sold to law enforcement and governments, demonstrating how such commercial applications can pose a threat to private companies and consumers.

The FBI's Internet Crime Complaint Center said this week that FinFisher was among the latest malware brought to its attention, along with a Trojan called Loozfon. To infect phones, criminals were sending text messages with links leading to a malicious web site.

FinFisher has been used for some time to compromise personal computers. The commercial version was originally sold to law enforcement and governments as spyware in almost a dozen countries.

"FinFisher is a prime example of what is so risky about government agencies using software tools that can be abused for malicious purposes," Stephen Cobb, security evangelist for ESET, said by email. "There is massive irony in an FBI warning that a piece of software developed for law enforcement purposes is now a threat to our Android phones."


The Android version of FinFisher enables cybercriminals to take control of a device and monitor its use to steal personal information, such as user IDs and passwords to online banking sites. Loozfon steals contacts lists and the infected phone's number. Criminals use such information to create more convincing text messages to lure more people to malicious websites.

Both pieces of malware take advantage of vulnerabilities within WebKit, an open source layout engine used in the Apple Safari and Google Chrome browsers, Daniel Ford, chief security officer for mobile security firm Fixmo, said. In that respect, FinFisher and Loozfon are similar to other data-stealing Android malware.

FinFisher, developed by the U.K.-based Gamma Group, was first discovered in July in Bahrain, where it was used to spy on activists within the Persian Gulf kingdom. Gamma denied selling the software to Bahrain. In August, security vendor Rapid7 found command and control servers in 10 other countries: the U.S., Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.

Marcus Carey, security researcher for Rapid7, said he has not seen any evidence that FinFisher is being widely used in the mobile market.

"We don't know if FinFisher is in the wild or out of control," Carey said. "Some of the reports I've seen make it sound like FinFisher is everywhere."

Loozfon is the bigger danger, said Rapid7. Discovered a couple of months ago, the Trojan is spread by criminals sending link-carrying texts that promise high-paying work-at-home jobs.

"That kind of malware is very prevalent in the Android market," Carey said.

Rapid7 did not know how many phones might have been compromised with Loozfon, said Giri Sreenivas, vice president and general manager of the company. The Trojan is likely being used extensively in counterfeit mobile apps found in unsavory online marketplaces outside the U.S. The vast majority of phone infections occur through downloading bogus apps from third-party Android markets, particularly in China and Russia, said McAfee.

The malware risk on Android phones is a growing concern. A study released this year by Symantec found that 67% of large companies were worried about malware spreading from mobile devices to internal networks.

McAfee reported finding 7,000 malware samples targeting the Android platform in the first three months of the year, versus 1,000 for all other mobile operating systems. By comparison, the total number of mobile malware samples discovered in the middle of 2011 was in the hundreds, McAfee said. Part of the increase was due to improvements in detection.

Despite the growing threat, wireless carriers and Android device makers continue to do a poor job at patching the software, recent studies show.
