{
	"id": "d0cda119-a193-4ca1-a7f7-58c6b4b51a4f",
	"created_at": "2026-04-06T02:10:48.931051Z",
	"updated_at": "2026-04-10T03:35:29.208432Z",
	"deleted_at": null,
	"sha1_hash": "553473b8385f9fdda55dee3913d62741c6afb049",
	"title": "New FinSpy iOS and Android implants revealed ITW",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 884318,
	"plain_text": "New FinSpy iOS and Android implants revealed ITW\r\nBy GReAT\r\nPublished: 2019-07-10 · Archived: 2026-04-06 01:38:08 UTC\r\nUpdated: 23.07.2019\r\nAfter publication of this article, we received a letter from a representative of Gamma Group International Ltd.\r\nstating that they disposed of all interests in FinFisher (FinSpy) in 2013. This article has been corrected in\r\naccordance with this new information.\r\nAccording to information on its official website, FinFisher, among other tools and services, provides a “strategic\r\nwide-scale interception and monitoring solution”. This software (also known as FinSpy) is used to collect a\r\nvariety of private user information on various platforms. Its implants for desktop devices were first described in\r\n2011 by WikiLeaks, and mobile implants were discovered in 2012. Since then Kaspersky has continuously\r\nmonitored the development of this malware and the emergence of new versions in the wild. According to our\r\ntelemetry, several dozen unique mobile devices have been infected over the past year, with recent activity\r\nrecorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the latest known versions\r\nof FinSpy implants for iOS and Android, built in mid-2018. The mobile implants for iOS and Android have almost the\r\nsame functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages,\r\nemails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular\r\nmessengers.\r\nMalware features\r\niOS\r\nFinSpy for iOS is able to monitor almost all device activities, including recording VoIP calls made through external\r\napps such as Skype or WhatsApp. 
The targeted applications include secure messengers such as Threema, Signal and Telegram.\r\nHowever, this functionality is achieved by leveraging Cydia Substrate’s hooking, so the implant can only\r\nbe installed on jailbroken devices (iPhone or iPad; iPod has not been confirmed) running iOS 11 or\r\nbelow (newer versions were not confirmed at the time of the research, and no implant for iOS 12 had been\r\nobserved yet). After the deployment process, the implant provides the attacker with almost unlimited monitoring\r\nof the device’s activities.\r\nThe analyzed implant contained binary files for two different CPU architectures: ARMv7 and ARM64. Taking\r\ninto account that iOS 11 is the first iOS version that no longer supports ARMv7, we presumed that the 64-bit\r\nversion was made to support iOS 11+ targets.\r\nIt looks like FinSpy for iOS does not provide infection exploits for its customers, because it seems to be fine-tuned\r\nto clean up traces of publicly available jailbreaking tools. Therefore, an attacker using the main infection vector\r\nwill need physical access in order to jailbreak the device.\r\nhttps://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/\r\nPage 1 of 8\n\nFor jailbroken devices, there are at least three possible infection vectors:\r\nSMS message\r\nEmail\r\nWAP Push\r\nAny of those can be sent from the FinSpy Agent operator’s terminal.\r\nThe installation process involves several steps. First, a shell script checks the OS version and executes the\r\ncorresponding Mach-O binary: “install64” (64-bit version) is used for iOS 11+, otherwise “install7” (32-bit\r\nversion) is used. When started, the installer binary performs environment checks, including a Cydia Substrate\r\navailability check; if Substrate is not available, the installer downloads the required packages from the Cydia\r\nrepository and installs them using the “dpkg” tool. 
After that the installer does some path preparation and\r\npackage unpacking, randomly selects names for the framework and the app from a hardcoded list, deploys the\r\ncomponents on the target system and sets the necessary permissions. Once deployment is done, the\r\ndaemon is started and all temporary installation files are deleted.\r\nPersistence is achieved by adding a “plist” with launch instructions to the\r\n/Library/LaunchDaemons path.\r\nAll sensitive parameters of the configuration (such as the C2 server address, C2 telephone numbers and so on) are\r\nstored in the file “84C.dat” or in “PkgConf”, located in the bundle path of the main module. They can be rewritten\r\nusing operator commands. The filename “84C.dat” was used in previous FinSpy versions for different platforms,\r\nincluding Android.\r\nThe following list describes all the modules of the analyzed FinSpy version (name – format – functionality):\r\nnetwd – app – Framework, launcher of the core module (FilePrep)\r\nFilePrep – app – Core module\r\nMediaEnhancer – dylib – Audio recordings\r\n.vpext – dylib – VoIP call hooking\r\n.hdutils – dylib – Hiding utilities\r\nkeys – dylib – Keylogger\r\nSBUtils – dylib – SpringBoardHooker utilities\r\n.chext – dylib – Messenger tracking\r\nhdjm – unknown – Not observed in detected versions; possibly a module for hiding traces of a jailbreak\r\nAll the internal strings in the modules, including the installer, are encrypted with a simple XOR-based algorithm\r\nusing the following strings as keys: “NSString”, “NSArray”, “NSDictionary”, “ExtAudioFileRef”.\r\nThe core implant module (“FilePrep”) contains 7,828 functions. It controls all the other modules and takes care of\r\nHTTP and SMS heartbeats and other service functions. Communication between components is implemented in\r\ntwo ways. 
The first uses the system’s CPDistributedMessagingCenter, the second is a local HTTP server that\r\nreceives data requests.\r\nThe module “.hdutils” is designed to cover up the tracks of the implant’s activities on the device. First of all, it\r\nconfigures the processing of all incoming SMS messages: it parses the text looking for specific content and\r\nhides notifications for such messages. Then it sends them to the core module via CPDistributedMessagingCenter (a\r\nwrapper over the existing messaging facilities in the operating system, which provides server-client\r\ncommunication between different processes using simple messages and dictionaries). Another hiding feature is to\r\nhook the “CLCopyAppsUsingLocation” function in order to remove the core implant module from the list of\r\napps displayed under Location Services in Settings.\r\nThe module “.chext” targets messenger applications and hooks their functions to exfiltrate almost all accessible\r\ndata: message content, photos, geolocation, contacts, group names and so on. The following messenger\r\napplications are targeted:\r\nFacebook Messenger (com.facebook.Messenger);\r\nWeChat (com.tencent.xin);\r\nSkype (com.skype.skype / com.skype.SkypeForiPad);\r\nThreema (ch.threema.iapp / ch.threema.iapp.ThreemaShareExtension);\r\nInstaMessage (com.futurebits.instamessage.free);\r\nBlackBerry Messenger (com.blackberry.bbm1);\r\nSignal (org.whispersystems.signal).\r\nThe collected data is submitted to the local server deployed by the main module.\r\nThe “keys” module is the keylogger: multiple hooks intercept every typed symbol, and several hooks\r\nspecifically capture the unlock passcode as it is typed and entries made during the change-passcode\r\nprocess. 
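The internal strings of every module are XOR-obfuscated with the four keys listed earlier. The following Python is an added example written for this page, not code from FinSpy or from the Kaspersky analysis: it assumes a plain repeating-key XOR (the page does not document the exact keystream schedule) and tries each candidate key on a carved blob, keeping the decryption that comes out as printable text. The sample blob is constructed inline from a localhost URL so the block runs offline; it is not a real FinSpy artefact.

```python
# Added example for this page (not FinSpy or Kaspersky code).
# Recovers XOR-obfuscated strings by trying the four candidate keys the
# analysis names. Repeating-key XOR is an assumption: the page does not
# document the implant's exact keystream schedule.
CANDIDATE_KEYS = [b'NSString', b'NSArray', b'NSDictionary', b'ExtAudioFileRef']


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: the same call obfuscates and recovers.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    # Fraction of bytes in the printable ASCII range (space .. tilde).
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E) / len(data)


def recover_string(blob: bytes, keys=CANDIDATE_KEYS, threshold: float = 0.95):
    # Try every candidate key and keep the decryption with the best score.
    # Returns (key, text); (None, None) when nothing clears the threshold,
    # which is the signal that the blob is not one of these strings.
    best_key, best_text, best_score = None, None, 0.0
    for key in keys:
        candidate = xor_with_key(blob, key)
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_text, best_score = key, candidate, score
    if best_score < threshold:
        return None, None
    return best_key.decode('ascii'), best_text.decode('ascii', errors='replace')


# Constructed sample: a localhost URL obfuscated with one of the keys, standing
# in for a blob carved out of a module. Not a real FinSpy artefact.
SAMPLE_PLAINTEXT = b'http://localhost:8889/voip.html'
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, b'NSArray')


def demo():
    # Runs the recovery on the constructed blob and on a blob that is not text.
    return recover_string(SAMPLE_BLOB), recover_string(bytes(range(0, 256, 3)))
```

On a real sample you would carve candidate blobs from the module’s data section and run recover_string over each one. A wrong key leaves a large share of bytes outside the printable range, so the threshold separates genuine hits from noise without any knowledge of the plaintext; the (None, None) return is deliberate so that a scan over many blobs never silently emits garbage as a decoded string.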
The keys module submits the intercepted password to the “keys.html” page on the local server, in the same way\r\nthe “.chext” module submits its data.\r\nThe module “MediaEnhancer” is designed to hook system functions in the “mediaserverd” daemon related to call\r\nprocessing, in order to record calls. The module starts a local HTTP server instance on port 8889 upon\r\ninitialization, implementing VoIPHTTPConnection as a custom connection class. This class contains a handler for\r\nrequests to localhost/voip.html that can be made by other components.\r\nThe module “.vpext” implements more than 50 hooks used for VoIP calls processed by external messaging apps\r\nincluding:\r\nWhatsApp;\r\nLINE;\r\nSkype (including the independent Skype for iPad version);\r\nViber;\r\nWeChat;\r\nKakaoTalk;\r\nBlackBerry Messenger;\r\nSignal.\r\nThese hooks modify functions that process VoIP calls in order to record them. To achieve this, they send a POST\r\nrequest with the call’s metadata to the HTTP server previously deployed by the MediaEnhancer\r\ncomponent, which then starts recording.\r\nAndroid\r\nThe Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges\r\non an unrooted device by abusing the Dirty COW exploit (CVE-2016-5195), which is contained in the malware. FinSpy Android\r\nsamples have been known for a few years now. Based on the certificate data of the last version found, the sample\r\nwas deployed in June 2018.\r\nThe Android implant’s functionality is unlikely to change much, given that most of the configuration\r\nparameters are the same in the old and new versions. The variety of available settings makes it possible to tailor\r\nthe behavior of the implant for every victim. For example, operators can choose the preferred communication\r\nchannels or automatically disable data transfers while the victim is in roaming mode. 
All the configuration data for\r\nan infected Android device (including the location of the control server) is embedded in the implant and used\r\nafterwards, but some of the parameters can be changed remotely by the operator. The configuration data is stored\r\nin compressed format, split into a set of files in the assets directory of the implant APK. After extracting all pieces\r\nof data and building the configuration file, it is possible to get all the configuration values. Each value in the\r\nconfiguration file is stored after the little-endian value of its size, and the setting type is stored as a hash.\r\nFor example, the following settings of interest were found in the configuration file of the developer build of the\r\nimplant: mobile target ID, proxy ip-address, proxy port, phone number for remote SMS control, unique\r\nidentifier of the installed implant.\r\nAs in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access\r\nto the device, or via remote infection vectors: SMS messages, emails and WAP Push. After successful\r\ninstallation, the implant tries to gain root privileges by checking for the presence of the known rooting tools\r\nSuperSU and Magisk and running them. If neither is present, the implant decrypts and executes the Dirty COW\r\nexploit embedded in the malware; if it successfully gets root access, the implant\r\nregisters a custom SELinux policy to get full access to the device and maintain root access. If it used SuperSU, the\r\nimplant modifies SuperSU preferences in order to silence it, disables its expiry and configures it to autorun during\r\nboot. 
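The Android configuration format described above (each value prefixed by a little-endian size, setting types stored as hashes, the whole blob compressed and split across asset files) can be handled with a small reassemble-and-parse routine. The following Python is an added example written for this page, not FinSpy code and not Kaspersky’s tooling. It assumes details the page leaves open: zlib compression, a 4-byte hash followed by a 4-byte size per record, and a stand-in FNV-1a hash used only so that constructed records round-trip. The asset file names and every sample value are made up.

```python
import struct
import zlib

# Added example for this page (not FinSpy code). Record layout assumed for
# illustration, since the page states only that each value follows a
# little-endian size and that the setting type is stored as a hash:
#   record = <u32 LE type hash> <u32 LE value size> <value bytes>


def type_hash(name: str) -> int:
    # Hypothetical 32-bit FNV-1a over the setting name. Stand-in only; the
    # implant's real hash must be recovered from its decompiled code.
    h = 0x811C9DC5
    for b in name.encode('utf-8'):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


# Setting names the page lists as present in the developer build's configuration.
KNOWN_SETTINGS = [
    'mobile target ID',
    'proxy ip-address',
    'proxy port',
    'phone number for remote SMS control',
    'unique identifier of the installed implant',
]
HASH_TO_NAME = {type_hash(n): n for n in KNOWN_SETTINGS}


def reassemble(chunks: dict) -> bytes:
    # Join asset pieces in numeric order of their suffix (cfg.0, cfg.1, ...)
    # and inflate the result. zlib is an assumption about the compression.
    ordered = sorted(chunks, key=lambda k: int(k.rsplit('.', 1)[1]))
    return zlib.decompress(b''.join(chunks[k] for k in ordered))


def parse_config(blob: bytes) -> dict:
    # Walk the size-prefixed records. Unknown hashes are kept under their hex
    # value so nothing disappears silently; a truncated record raises rather
    # than returning a partial dictionary that looks complete.
    out = {}
    pos = 0
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError('truncated record header at offset %d' % pos)
        h, size = struct.unpack_from('<II', blob, pos)
        pos += 8
        if pos + size > len(blob):
            raise ValueError('record at offset %d runs past end of blob' % (pos - 8))
        out[HASH_TO_NAME.get(h, '0x%08x' % h)] = blob[pos:pos + size]
        pos += size
    return out


def build_record(name: str, value: bytes) -> bytes:
    # Inverse of parse_config for one record; used only to construct the sample.
    return struct.pack('<II', type_hash(name), len(value)) + value


# Constructed sample: made-up values packed, compressed and split into 32-byte
# asset files to mirror the layout the article describes. Not real FinSpy data.
SAMPLE_VALUES = {
    'mobile target ID': b'TARGET-0001',
    'proxy ip-address': b'192.0.2.10',
    'proxy port': struct.pack('<H', 443),
    'phone number for remote SMS control': b'+15555550100',
    'unique identifier of the installed implant': b'b2c1e7a0d4f9',
}
_compressed = zlib.compress(b''.join(build_record(n, v) for n, v in SAMPLE_VALUES.items()))
SAMPLE_ASSETS = {
    'cfg.%d' % i: _compressed[i * 32:(i + 1) * 32]
    for i in range((len(_compressed) + 31) // 32)
}


def demo() -> dict:
    # Reassembles the constructed asset files and parses the configuration.
    return parse_config(reassemble(SAMPLE_ASSETS))
```

On a real APK you would replace SAMPLE_ASSETS with the bytes of the asset files, swap type_hash for the implant’s own hash, and extend KNOWN_SETTINGS as names are identified; the proxy address and port recovered this way are exactly the relay indicators the infrastructure section below is built from.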
The implant also deletes all possible logs, including SuperSU logs.\r\nThe implant provides access to information such as contacts, SMS/MMS messages, calendars, GPS location,\r\npictures, files in memory and phone call recordings. All the exfiltrated data is transferred to the attacker via SMS\r\nmessages or via the internet (the C2 server location is stored in the configuration file). Personal data, including\r\ncontacts, messages, audio and video, can be exfiltrated from the most popular messengers. Each of the targeted\r\nmessengers has its own handler built on a common interface, which makes it easy to add new handlers if needed.\r\nThe full hardcoded list of supported messengers is shown below (package name – application name):\r\ncom.bbm – BBM (BlackBerry Messenger)\r\ncom.facebook.orca – Facebook Messenger\r\ncom.futurebits.instamesssage.free – InstaMessage\r\njp.naver.line.android – Line Messenger\r\norg.thoughtcrime.securesms – Signal\r\ncom.skype.raider – Skype\r\norg.telegram.messenger – Telegram\r\nch.threema.app – Threema\r\ncom.viber.voip – Viber\r\ncom.whatsapp – WhatsApp\r\nFirst, the implant checks that the targeted messenger is installed on the device (using the hardcoded package\r\nname) and that root access is granted. After that, the messenger database is prepared for data exfiltration. If\r\nnecessary, it is decrypted with the private key stored in the app’s private directory, and any required information can\r\nthen be queried directly.\r\nAll media files and information about the user are exfiltrated as well.\r\nInfrastructure\r\nFinSpy implants are controlled by the FinSpy Agent (operator terminal). By default, all implants are connected to\r\nFinSpy anonymizing proxies (also referred to as FinSpy Relays) provided by the spyware vendor. This is done to\r\nhide the real location of the FinSpy Master. 
As soon as the infected target system appears online, it sends a\r\nheartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between targets and a master server. The\r\nFinSpy Master server manages all targets and agents and stores the data. Based on decrypted configuration files,\r\nour experts were able to find the different relays used by the victims and their geographical location. Most of the\r\nrelays we found are concentrated in Europe, with some in South East Asia and the USA.\r\nConclusion\r\nFinSpy mobile implants are advanced malicious spy tools with diverse functionality. Various configuration\r\ncapabilities provided by the spyware vendor in their product enable the FinSpy terminal (FinSpy Agent) operators\r\nto tailor the behavior of each implant for a particular victim and effectively conduct surveillance, exfiltrating\r\nsensitive data such as GPS location, contacts, calls and other data from various instant messengers and the device\r\nitself.\r\nThe Android implant has functionality to gain root privileges on an unrooted device by abusing known\r\nvulnerabilities. As for the iOS version, it seems that this spyware solution doesn’t provide infection exploits for its\r\ncustomers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That\r\nmight imply physical access to the victim in cases where devices are not already jailbroken. 
At the same time,\r\nmultiple features that we have not observed before in malware designed for this platform are implemented.\r\nSince the leak in 2014, the FinSpy developers have recreated significant parts of their implants, extended the supported\r\nfunctionality (for example, the list of supported instant messengers has been significantly expanded) and at the\r\nsame time improved encryption and obfuscation (making it harder to analyze and detect the implants), which made it\r\npossible to retain their position in the market.\r\nOverall, during the research, up-to-date versions of these implants used in the wild were detected in almost 20\r\ncountries, although the total number could be higher.\r\nFinSpy developers are constantly working on updates for their malware. At the time of publication, Kaspersky\r\nresearchers had found another version of the threat and were investigating this case.\r\nA full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting\r\nservice. For more information, contact intelreports@kaspersky.com\r\nSource: https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/"
	],
	"report_names": [
		"91685"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441448,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/553473b8385f9fdda55dee3913d62741c6afb049.pdf",
		"text": "https://archive.orkl.eu/553473b8385f9fdda55dee3913d62741c6afb049.txt",
		"img": "https://archive.orkl.eu/553473b8385f9fdda55dee3913d62741c6afb049.jpg"
	}
}