Posted October 2, 2020
Researchers at Amnesty International have just announced the discovery of FinSpy spyware variants aimed at macOS and Linux users. In this article, we’ll tell you what they found, share some technical details uncovered by Amnesty’s malware analysts, and explain what it means for security and privacy.
What is FinSpy?
FinSpy is commercial spyware, produced by a private company and sold to police and intelligence agencies around the world. There is no doubt legitimate use for such surveillance software, for example in criminal and counter-terrorism investigations; however, FinSpy’s producers have come under fire for selling their product to oppressive and anti-democratic regimes that use the software to monitor human rights activists, journalists, dissidents and even opposition political parties. FinSpy has been used in this way in Bahrain, Ethiopia, Uganda and Egypt.
What can FinSpy do?
FinSpy is designed to provide full-spectrum monitoring of a compromised machine. According to the Amnesty International report, modern versions of FinSpy can monitor email and communications, log keystrokes, record audio and video, gather information about network activity, and provide detailed access to system files. In addition, it contains spyware modules designed to let its operators control it remotely and execute commands on the infected system.
How does the macOS variant of FinSpy work?
Back in 201
The macOS version of FinSpy comes in the form of a Trojanized app installer that contains encrypted files. When launched, the spyware first checks whether it is running inside a virtual machine (VM). If it is not, FinSpy decrypts and extracts a zip archive containing an installer and several tools designed to obtain elevated (administrative) system privileges. Elevated privileges are required for FinSpy to install the actual spyware modules and gain persistence on the target Mac. The privilege escalation tools rely on public, long-patched (2013 and 2015) exploits, so if the malware fails to gain elevated privileges through the exploits, it falls back on a trick common to many Mac malware families and simply asks the user for administrator permissions! Unfortunately, this tactic succeeds far more often than it should.
Once the spyware modules are installed, FinSpy contacts a command and control (C&C) server using an encrypted communication protocol. This allows the spyware to receive commands from its operators – and gives them access to the data it steals.
What can we do about FinSpy?
FinSpy is powerful commercial spyware that has been used maliciously by several government actors around the world. The “good news” for most everyday Mac users is that they are far less likely to encounter FinSpy than, for example, human rights activists or political dissidents. In addition, the latest versions of macOS (Catalina and Big Sur) make it harder for users to open unsigned or unnotarized apps, making it harder for bad actors to trick victims into running malicious software.
However, even with the more modern operating systems, “difficult” is not the same as “impossible”, and users of older macOS versions may still be at significant risk from FinSpy and other forms of spyware. In addition, even if “average” Mac users are not personally exposed, they may still feel concerned about the threat that FinSpy poses to others, and especially to vulnerable groups and individuals living in oppressive regimes.
Here are four things you can do to keep yourself and others safe, both from FinSpy and from other spyware threats:
Update, Update, Update
As Amnesty International’s analysis shows, spyware can rely on exploits for vulnerabilities that have long had security updates available. Users of older operating systems should keep their software as up to date as possible. Because many forms of malware (not just FinSpy) try to use unpatched vulnerabilities to compromise their targets, all users should enable automatic updates. To do this on newer versions of macOS, go to System Preferences > Software Update and select “Automatically keep my Mac up to date”. Under Advanced, you will find an option to automatically update all the App Store apps on your system, which is also recommended.
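The settings that checkbox turns on are stored as integer flags in /Library/Preferences/com.apple.SoftwareUpdate.plist, so they can be audited from a terminal. The script below is an added example, not part of the original article or of MacScan: it reads the live settings with `defaults read` on a Mac and otherwise falls back to two constructed sample dumps, one weak and one fully enabled, so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the article): audit the macOS automatic-update flags
# the article recommends. A value of 1 means the setting is enabled.

REQUIRED_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates CriticalUpdateInstall ConfigDataInstall"

# Constructed `defaults read` output from a Mac that only checks for updates.
SAMPLE_WEAK='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    CriticalUpdateInstall = 1;
}'

# Constructed output after "Automatically keep my Mac up to date" is selected.
SAMPLE_OK='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 1;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'

# pref_value DUMP KEY -> integer value of KEY in a plist text dump, or "missing"
pref_value() {
  v=$(printf '%s\n' "$1" | sed -n "s/^ *$2 = \([0-9]*\);.*/\1/p")
  if [ -n "$v" ]; then echo "$v"; else echo missing; fi
}

# weak_keys DUMP -> space-separated names of required keys that are unset or not 1
weak_keys() {
  out=""
  for key in $REQUIRED_KEYS; do
    [ "$(pref_value "$1" "$key")" = 1 ] || out="$out $key"
  done
  echo "${out# }"
}

# audit DUMP -> one line per key; exit status 0 only if every key is enabled
audit() {
  for key in $REQUIRED_KEYS; do
    v=$(pref_value "$1" "$key")
    if [ "$v" = 1 ]; then s=ok; else s=WEAK; fi
    printf '%-34s %-8s %s\n' "$key" "$v" "$s"
  done
  [ -z "$(weak_keys "$1")" ]
}

# On a Mac, audit the live preferences; elsewhere, audit the constructed weak sample.
if command -v defaults >/dev/null 2>&1; then
  audit "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)" || echo "Automatic updates are not fully enabled"
else
  audit "$SAMPLE_WEAK" || echo "Automatic updates are not fully enabled"
fi
```

A missing key is reported as weak as well, because macOS leaves a flag out of the plist until it has been set at least once.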
Do not open suspicious apps
If you are using a newer version of macOS, pay attention to those warnings and pop-ups! If macOS tells you that an app is unsigned, or cannot be checked for malicious software, do not open it – and do not go looking for a workaround that lets you bypass the Mac’s built-in protection. Only run apps from the Mac App Store, or signed apps downloaded directly from developers you know and trust.
The sale of commercial spyware to despotic regimes has become a political issue. A prominent UN expert has recommended a global moratorium on the sale of spyware until safeguards designed to curb abuse of the technology can be put in place. In addition, citizens of democratic countries have pressured their own legislators to stop local companies from selling to autocratic authorities abroad. In the EU, for example, politicians are currently discussing new rules to limit the export of surveillance technology to nations that violate human rights. The Electronic Frontier Foundation (EFF) and Amnesty International’s Amnesty Tech both provide reliable information – as well as opportunities for action – on this type of issue.
Use malware detection
FinSpy and other types of spyware rely on stealth to work, and do everything they can to hide from their targets. For this reason, it is extremely difficult for an everyday Mac user to detect a spyware infection on their own. You should always run a reputable, regularly updated malware detection and removal tool on your Mac. MacScan 3 detects and removes spyware infections, and has been updated to include definitions for the newly discovered macOS variants of FinSpy.