According to a new report published by Citizen Lab, experts have identified a total of 36 command and control servers utilized for FinFisher, the controversial legal surveillance software developed by Gamma International GmbH and marketed by UK-based Gamma Group.
The FinSpy backdoor servers – FinSpy being a component of the FinFisher monitoring solution – are located in 19 different countries. Compared to previous scans, Citizen Lab has been able to identify some new countries: Canada, Bangladesh, India, Malaysia, Mexico, Serbia and Vietnam.
On the other hand, in Brunei, the UAE, Latvia and Mongolia, the servers have apparently disappeared.
While Gamma keeps stating that the product is sold only to law enforcement agencies and it’s only used to track down bad guys, the campaigns from Ethiopia and Vietnam analyzed by researchers indicate otherwise.
For instance, in Ethiopia, emails containing pictures of an opposition group called Ginbot 7 are used to trick users into installing a piece of malware identified as FinSpy. The malware communicates with a server hosted by Ethiopia’s state-owned telecoms company.
“Controversially, Ginbot 7 was designated a terrorist group by the Ethiopian Government in 2011. The Committee to Protect Journalists (CPJ) and Human Rights Watch have both criticized this action; CPJ has pointed out that it is having a chilling effect on legitimate political reporting about the group and its leadership,” experts noted.
“The existence of a FinSpy sample that contains Ethiopia-specific imagery, and that communicates with a still-active command & control server in Ethiopia strongly suggests that the Ethiopian Government is using FinSpy.”
In Vietnam, researchers have identified a mobile version of FinSpy. The malicious mobile app steals text messages and sends them to a local number.
The command and control server is also located in Vietnam. These facts indicate that FinSpy is being used for a domestic monitoring campaign.