Digital Identity Blog


Crooks Compromise Cops’ Communications. FBI Says Software Sold to Law Enforcement Contains Malware That Infects Androids.

By ThreatMetrix

The FBI warned that a mobile version of spyware sold to law enforcement and governments in almost a dozen countries contains malware that infects Android devices. The FBI's Internet Crime Complaint Center said that FinFisher, surveillance software marketed by the U.K.'s Gamma Group to law enforcement agencies, and the Loozfon Trojan were able to infect Android devices when cybercriminals sent Android users text messages with links to malicious websites. In the past, FinFisher had been used to compromise PCs.

In a story, security expert Stephen Cobb said, “FinFisher is a prime example of what is so risky about government agencies using software tools that can be abused for malicious purposes. There is massive irony in an FBI warning that a piece of software developed for law enforcement purposes is now a threat to our Android phones.”

The article goes on to say that, “The Android version of FinFisher enables cybercriminals to take control of a device and monitor its use to steal personal information, such as user IDs and passwords to online banking sites. Loozfon steals the contact list and infected phone’s number. Criminals use such information to create more convincing text messages to lure more people to malicious websites.”

Another security expert, Daniel Ford, pointed out that both FinFisher and the Loozfon Trojan take advantage of vulnerabilities in WebKit, an open-source layout engine used in the Apple Safari and Google Chrome browsers.

FinFisher was first discovered in July 2012 in Bahrain, where it was used to spy on government dissidents (the Gamma Group denied having sold it to that country). In August, command and control servers were found in ten other countries: the United States, Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia and Dubai.

Security researcher Marcus Carey said, “We don’t know if FinFisher is in the wild or out of control. Some of the reports I’ve seen make it sound like FinFisher is everywhere.” Carey added that the Loozfon Trojan, which cybercriminals are using to send link-carrying texts that promise high-paying work-at-home jobs, actually presented the bigger danger. “That kind of malware is very prevalent in the Android market.”

The Trojan is used extensively in counterfeit mobile apps found on online sites outside the U.S. and, according to McAfee, the vast majority of phone infections come from downloading bogus apps originating in China and Russia.

A Symantec study found that 67% of large companies were worried about malware spreading from mobile devices to internal networks, while McAfee reported that in the first three months of 2012 there were 7,000 pieces of malware targeting the Android platform versus 1,000 for other mobile operating systems. By comparison, the total number of pieces of malware discovered in the middle of 2011 was in the hundreds.

The article comments, “Despite the growing threat, wireless carriers and Android device makers continue to do a poor job at patching the software, recent studies show.”
