You Only Click Twice: FinFisher’s Global Proliferation *March 13, 2013* Download PDF version<https://citizenlab.org/wp-content/uploads/2013/04/15-2013-youonlyclicktwice.pdf> *Authors:* Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton. *This post describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software. It also details the discovery of a campaign using FinFisher in Ethiopia used to target individuals linked to an opposition group. Additionally, it provides examination of a FinSpy Mobile sample found in the wild, which appears to have been used in Vietnam.* Summary of Key Findings - We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam. - A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting. - There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number. - These findings call into question claims by Gamma International that previously reported servers were *not* part of their product line, and that previously discovered copies of their software were either stolen or demo copies. https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-prolif... http://surveillance.rsf.org/en/gamma-international/ http://en.wikipedia.org/wiki/FinFisher https://www.f-secure.com/weblog/archives/00002114.html http://www.f-secure.com/weblog/archives/finfisher.pdf (in arabic)