FinSpy spyware for macOS discovered
Researchers at Amnesty International have just announced the discovery of FinSpy spyware variants that target macOS and Linux users. In this article, we’ll tell you what they found, share some technical details uncovered by Amnesty’s malware analysts, and explain what it means for security and privacy.
What is FinSpy?
FinSpy is commercial spyware, produced by a private company and sold to law enforcement and intelligence agencies around the world. There are (arguably) legitimate uses of such monitoring software, for example in criminal and anti-terrorism investigations; however, FinSpy’s manufacturers have come under fire for selling their product to repressive and anti-democratic regimes that use the software to surveil human rights activists, journalists, dissidents, and even opposition political parties. FinSpy has been used in this manner in Bahrain, Ethiopia, Uganda, and Egypt.
What can FinSpy do?
FinSpy is designed to provide full-spectrum surveillance on a compromised machine. According to the Amnesty International report, modern versions of FinSpy can monitor emails and communications, log keystrokes, record audio and video, gather information about network activity, and provide detailed access to system files. In addition, the spyware contains modules designed to allow attackers to control it remotely and execute commands on the infected system.
How does the macOS variant of FinSpy work?
Back in 2019, Amnesty International was investigating a coordinated phishing campaign that was targeting human rights advocates in Egypt. The attacks were attributed to the NilePhish attacker group and were believed to be state sponsored. In the course of their subsequent research, they also discovered macOS and Linux FinSpy variants — although these appeared to be the work of a different attacker altogether. A few days ago, Amnesty International publicly disclosed these new variants in an effort to help the security community as well as human rights advocates.
The macOS version of FinSpy comes in the form of a Trojanized app installer containing encrypted files. If launched, the spyware will first check to see if it is running inside a virtual machine (VM). If it isn’t, FinSpy will decrypt and unpack a Zip archive containing an installer and several tools designed to obtain elevated (administrative) system privileges. Elevated privileges are required in order for FinSpy to install its actual spyware modules and achieve persistence on the target Mac. The privilege escalation tools rely on old and long-patched (2013 and 2015) public exploits, so if the malware is unable to gain elevated privileges by using the exploits, it will default to a common trick employed by many different Mac malware variants and simply ask the user for admin permissions! Unfortunately, this tactic succeeds far more often than it should.
Once the spyware modules are installed, FinSpy will contact a command and control (C&C) server using an encrypted communications protocol. This allows the spyware to receive commands from its administrators — and give them access to the data that it steals.
What can we do about FinSpy?
FinSpy is powerful commercial spyware that has been used maliciously by multiple state actors around the world. The “good news” for the average Mac user is that they are far less likely to encounter FinSpy than, for example, a human rights activist or political dissident. In addition, recent versions of macOS (Catalina and Big Sur) make it harder for users to open unsigned or unvetted apps, which makes it more difficult for bad actors to trick their victims into running malicious software.
However, even with the more modern operating systems, “difficult” is not the same as “impossible”, and users of older macOS versions may still be at substantial risk from FinSpy and other forms of spyware. In addition, although “average” Mac users may not be personally at risk, they may nonetheless feel concerned about the threat that FinSpy poses to others, and especially to vulnerable groups and individuals living in oppressive regimes.
Here are four things you can do to keep yourself and others safe, both from FinSpy and from other spyware threats:
Update, Update, Update
As Amnesty International’s analysis demonstrates, spyware may rely on exploits that already have security patches. Users of older operating systems should always update their software to the fullest extent possible. Because many forms of malware (not just FinSpy) attempt to use unpatched vulnerabilities to compromise their targets, all users should enable automatic updates. To do this on more recent versions of macOS, go to System Preferences > Software Update and select Automatically keep my Mac up to date. Under the Advanced settings, you will find an option to automatically update all App Store apps on your system, which is also recommended.
Don’t Open Suspicious Apps
If you’re using a newer version of macOS, pay attention to all of those warnings and pop-ups! If macOS tells you that an app is unsigned, or can’t be checked for malicious content, don’t open it — and don’t go searching for some workaround that will allow you to circumvent your Mac’s built-in protections. You should only run apps from the Mac App Store, or signed apps that have been downloaded directly from developers who you know and trust.
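The two recommendations above (keep automatic updates on, and let Gatekeeper's warnings stand) can be checked from a terminal rather than by clicking through System Preferences. The script below is an added example, not code from the original article or from Amnesty's report. It reads the documented macOS preference keys behind "Automatically keep my Mac up to date" and the App Store auto-update switch, reports whether Gatekeeper assessments are enabled, and, given a downloaded .app, runs the same signature and Gatekeeper assessment checks macOS would apply before launch, without opening the app. The file name finspy_hardening_check.sh is a placeholder; the verdict helpers match on the strings spctl prints ("assessments enabled", "accepted"/"rejected", "source=…") and take plain text so they can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example (not from the original article): audit the update and
# Gatekeeper settings recommended above and check a downloaded app before
# it is launched. Preference domains/keys and commands are the standard
# macOS ones; the interpretation helpers work on plain text.

SU_PLIST=/Library/Preferences/com.apple.SoftwareUpdate   # macOS update prefs
COMMERCE_PLIST=/Library/Preferences/com.apple.commerce   # App Store prefs

# Read one boolean preference key; an unset key is reported as 0 (off).
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo 0
}

# Map a `defaults read` boolean (1/0, true/false, YES/NO) to on/off.
bool_state() {
    case "$1" in
        1|true|TRUE|YES|yes) echo on ;;
        *) echo off ;;
    esac
}

# Interpret `spctl --status`: Gatekeeper is active only when it reports
# "assessments enabled".
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*) echo on ;;
        *) echo off ;;
    esac
}

# Interpret `spctl --assess --type execute -vv <app>` output. The verdict
# line ends in "accepted" or "rejected"; the source= line explains why, for
# example a notarized Developer ID signature or a Mac App Store receipt.
assess_verdict() {
    case "$1" in
        *": accepted"*"source=Mac App Store"*) echo "accepted (Mac App Store)" ;;
        *": accepted"*"source=Notarized Developer ID"*) echo "accepted (Notarized Developer ID)" ;;
        *": accepted"*) echo "accepted" ;;
        *": rejected"*) echo "rejected" ;;
        *) echo "unknown" ;;
    esac
}

# Print the live state of the update and Gatekeeper settings (macOS only).
audit_settings() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: not macOS, skipping live audit"
        return 0
    fi
    echo "automatic update check: $(bool_state "$(read_pref "$SU_PLIST" AutomaticCheckEnabled)")"
    echo "automatic download:     $(bool_state "$(read_pref "$SU_PLIST" AutomaticDownload)")"
    echo "install macOS updates:  $(bool_state "$(read_pref "$SU_PLIST" AutomaticallyInstallMacOSUpdates)")"
    echo "install security data:  $(bool_state "$(read_pref "$SU_PLIST" ConfigDataInstall)")"
    echo "App Store app updates:  $(bool_state "$(read_pref "$COMMERCE_PLIST" AutoUpdate)")"
    echo "Gatekeeper:             $(gatekeeper_state "$(spctl --status 2>&1)")"
}

# Check a downloaded .app without launching it: signature integrity first,
# then Gatekeeper's own verdict on whether it would be allowed to run.
check_app() {
    app=$1
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl(8) not found: not macOS, skipping app check"
        return 0
    fi
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "signature:  valid"
    else
        echo "signature:  missing or broken"
    fi
    echo "Gatekeeper: $(assess_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")"
}

# Usage: sh finspy_hardening_check.sh [/path/to/Downloaded.app]
case "$(uname 2>/dev/null)" in
    Darwin)
        audit_settings
        if [ -n "${1:-}" ]; then check_app "$1"; fi
        ;;
esac
```

Any line that reports "off", a "missing or broken" signature, or a "rejected" verdict is exactly the situation the article warns about: either the system will not receive the patches that close the old exploits FinSpy's installer tries, or the app in question is one macOS itself would have refused to open.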
The sale of commercial spyware to despotic regimes has become a political issue. One prominent U.N. expert has recommended a global moratorium on spyware sales until safeguards designed to curb abuses of the technology can be put in place. In addition, citizens in democratic countries have been pressuring their own lawmakers to stop local companies from selling to autocratic governments abroad. In the European Union, for example, politicians are currently discussing new rules to limit the export of surveillance technologies to nations that violate human rights. Electronic Frontier Foundation (EFF) and Amnesty International’s Amnesty Tech both provide reliable information — as well as opportunities for action — on these types of issues.
Use Malware Detection
FinSpy and other types of spyware rely on stealth tactics in order to function, and thus do everything possible to conceal themselves from their targets. For this reason, it is extremely difficult for an everyday Mac user to detect a spyware infection on their own. You should always run a reputable, regularly updated malware detection and removal tool on your Mac. MacScan 3 detects and eliminates spyware infections, and has been updated to include definitions for the newly discovered macOS variants of FinSpy.