Google engineer Morgan Marquis-Boire and computer science Ph.D. student Bill Marczak introduced New York Times readers today to FinSpy, one of the scariest spyware packages you’ve probably never heard of. Mr. Marquis-Boire and Mr. Marczak have been on FinSpy’s trail, mapping all its nasty flavors, since earlier this year. The software suite is sold to law enforcement for legitimate investigative use, but the researchers have found it is also being used by oppressive governments to track the communications, activities and personal connections of political dissidents.
In a report linked by the Times, Mr. Marquis-Boire and Mr. Marczak detail how they first learned of the spyware as a Trojan payload attached to emails sent to Bahraini human rights activists, then began peeling apart its other, much creepier uses: tracking everything a target does with a smartphone. Pretty much any smartphone. The researchers’ list of what FinSpy Mobile can do is chilling:
- Recording of common communications like Voice Calls, SMS/MMS and Emails
- Live Surveillance through silent calls
- File Download (Contacts, Calendar, Pictures, Files)
- Country Tracing of Target (GPS and Cell ID)
- Full Recording of all BlackBerry Messenger communications
- Covert Communications with Headquarters
The list of governments likely using this creepy software includes Bahrain and Turkmenistan, with command and control servers traced to Singapore, Indonesia, Mongolia and Brunei.
As the Times notes, servers in those countries were already offline by Thursday afternoon.
Really, it’s not like the more oppressive governments even need FinSpy, as Yahoo proved when it aided the Chinese in jailing Wang Xiaoning a decade ago.
Watch the Next Media-style video below for a simple breakdown of just how creepy FinSpy Mobile truly is.
Update: A commenter noted on an earlier version of this post that another command and control server was hosted by Amazon, which is pretty distressing. However, Mr. Marquis-Boire and Mr. Marczak told the Times they believe the Amazon server was a proxy used to conceal the true host.