mobile OSMobilityRegulationSecuritySurveillance-ITWorkspace

British Spy Firm Rejects US Claim It Makes Android Malware

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

US agency says Gamma International’s software is being used by criminals – but the British firm begs to differ

Gamma International, the British company behind what critics have labelled “espionage malware”, has disputed claims from the US government that its kit is dangerous Android software.

Last Friday, the Internet Crime Complaint Centre (IC3), a multi-agency taskforce set up in coordination with the FBI, put out a warning about two pieces of Android malware, known as Loozfon and FinFisher.

The latter is the name of Gamma’s core line of software, which the Andover-based firm claims is designed to catch criminals. The company primarily targets the public sector.

Yet IC3 described FinFisher as “spyware capable of taking over the components of a mobile device”, in particular Android devices, allowing the malware’s overlords to remotely control the phone no matter where the “target” was.

“FinFisher can be easily transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update,” IC3 said.

FinFisher products have been seen infecting a variety of mobile platforms, including Apple’s iOS and BlackBerry.

Android malware or paedophile catcher?

Others believe Gamma’s gear is sold to repressive regimes too. Reports indicated the FinFisher kit, which includes what some believe to be a Trojan called FinSpy, fell into the hands of the Hosni Mubarak government of Egypt. Earlier this year, research from US-based CitizenLab suggested the Bahraini regime was using FinFisher kit. In both cases it was believed activists in those nations were targeted by FinFisher.

Privacy International went so far as to threaten the UK government with court action if it did not tighten export controls on the kinds of surveillance gear sold by the likes of Gamma, which it subsequently did.

Now Gamma has bitten back, against those critics and against the claims from IC3. The company refuses to say who its customers are or where they come from.

In a lengthy emailed statement sent to TechWeekEurope, Martin J Muench, managing director of the firm, said he believed the US organisation was just speculating and that its software was not in the hands of criminals.

“The IC3 article states: ‘The Loozfon and FinFisher are just two examples of malware used by criminals to lure users into compromising their devices.’ We have absolutely no evidence of this and have asked IC3 to supply us with details of any criminals using FinFisher ‘to lure users into compromising their devices’,” Muench said.

“Until we have such evidence we believe this statement to be speculation.

“FinFisher products are designed to provide the evidence to help governments and law enforcement agencies combat terrorism, human trafficking and paedophiles.

“We respect the right to privacy but we do not believe it takes precedence over the right to life. We have never sold to private organisations and/or individuals.”

Muench made some bold claims about what governments are doing in the offensive space, indicating that most were involved in using malware widely used by criminals.

“During discussions with governmental agencies at conferences, it became clear that most of them used publicly available IT intrusion tools for their daily operations which included Trojan-horse technology,” he added.

“Typical examples of these intrusion tools are: ZeuS, SpyEye, Metasploit and Xtreme RAT which all come with functionalities like: keylogger, screen-recorder, webcam access, file access and many more.”

At the end of last month, Gamma admitted to this publication it had been hacked, but said only a server used to demo FinSpy had been compromised. At the time, Gamma said it was “not a real problem”.

Like Internet anonymity? Try our Anonymous quiz!