# FinSpy

FinSpy (also sold as FinFisher) was a commercial surveillance suite developed by Munich-based FinFisher GmbH and marketed to law enforcement and intelligence agencies worldwide. Active from approximately 2012 through 2022, it stood out for its extraordinary obfuscation: multiple protection layers, a custom virtual machine, anti-analysis checks, and ISP-level delivery mechanisms. The company collapsed in 2022 after German prosecutors investigated the unauthorized export of surveillance software to Turkey. FinSpy's obfuscation complexity became a benchmark in the malware analysis community, with researchers from ESET, Kaspersky, and Amnesty International investing months to produce public analyses.
## Overview

| Attribute | Details |
|---|---|
| First Seen | 2012 (mobile variants), earlier on desktop |
| Last Seen | 2022 (company bankruptcy) |
| Status | FinFisher GmbH dissolved, no new development expected |
| Type | Commercial spyware (law enforcement/intelligence) |
| Attribution | FinFisher GmbH (Munich, Germany), subsidiary of Gamma Group (UK) |
| Aliases | FinFisher, FinSpy Mobile, FinSpy PC, Wingbird (Microsoft) |
| Platforms | Android, iOS, Windows, macOS, Linux |
## Origin and Lineage

FinFisher GmbH operated as a subsidiary of Gamma Group International, a UK-based company. The product line included desktop and mobile implants marketed at trade shows like ISS World (the "Wiretappers' Ball") alongside a full suite of network injection tools for ISP-level deployment.
Citizen Lab first documented FinFisher's mobile capabilities in August 2012 in their report "The SmartPhone Who Loved Me," identifying FinSpy samples for Android, iOS, BlackBerry, Windows Mobile, and Symbian. A 2014 breach of Gamma Group's servers by the hacktivist "Phineas Fisher" leaked 40GB of internal data, including FinFisher source code, client lists, and pricing documents. The leak confirmed sales to governments with poor human rights records including Bahrain, Ethiopia, and Turkmenistan.
Citizen Lab mapped FinFisher's proliferation across dozens of countries in their 2015 report "Pay No Attention to the Server Behind the Proxy," identifying C2 servers in more countries than any previous scan despite the 2014 leak.
In 2022, FinFisher GmbH filed for insolvency and was dissolved following a criminal investigation by the Munich Public Prosecutor's Office. The investigation, triggered by a criminal complaint from GFF, Reporters Without Borders, netzpolitik.org, and ECCHR, focused on the unauthorized export of surveillance software to Turkey. In May 2023, German prosecutors charged four former executives of the corporate group.
## Distribution

FinFisher used multiple delivery mechanisms, with ISP-level injection being the most distinctive.
| Vector | Details |
|---|---|
| ISP-level man-in-the-middle | Network injection appliances deployed at ISPs intercept download requests and replace legitimate software with trojanized versions. ESET documented this in 2017, identifying ISP-level MITM in Turkey (Turk Telekom) and Egypt where downloads of legitimate software (Avast, CCleaner, Opera, 7-Zip, WinRAR) were silently replaced with FinSpy-bundled installers. |
| Spear-phishing | Emails with malicious attachments or links tailored to specific targets |
| Physical access | Direct installation when agents have physical possession of the device |
| Trojanized apps | APKs disguised as legitimate applications distributed through links or alternative app stores |
The ISP-level injection is particularly telling because it requires cooperation (willing or coerced) from the target's internet service provider, which implies that the deploying government has authority over the domestic telecommunications infrastructure.
## Capabilities

### Android Implant

The Android variant provides comprehensive surveillance. Kaspersky documented updated iOS and Android implants in July 2019, noting activity in nearly 20 countries:
| Capability | Implementation |
|---|---|
| Call recording | Record voice calls, VoIP calls (Skype, WhatsApp, Viber, etc.) |
| Messaging | Intercept SMS, MMS, and messages from Signal, Telegram, WhatsApp, Threema, Facebook Messenger |
| Camera | Silent activation of front and rear cameras for photo and video |
| Microphone | Ambient audio recording, room monitoring |
| Location | GPS tracking, cell tower positioning |
| Keylogging | Capture keystrokes across all applications via accessibility services |
| Contacts and calendar | Full exfiltration |
| File access | Browse and exfiltrate device storage |
| Screen capture | Periodic screenshots |
| Root exploitation | Abuse known vulnerabilities to gain root privileges |
### Desktop Variants

While this wiki focuses on Android, FinSpy's desktop capabilities are worth noting for context: Kaspersky's 2021 analysis revealed a UEFI bootkit that infects the Windows Boot Manager for persistence below the OS level, and Amnesty International documented Linux and macOS variants targeting Egyptian civil society organizations.
## Technical Details

### Obfuscation: The Defining Feature

FinSpy's obfuscation is what separates it from every other commercial spyware family. Multiple research teams have documented its layered protection:
Four-layer obfuscation system (Kaspersky, 2021):
| Layer | Technique |
|---|---|
| Layer 1 | FinSpy Mutator: instruction-level code transformation |
| Layer 2 | OLLVM-style obfuscation: control flow flattening, bogus control flow, instruction substitution |
| Layer 3 | Custom virtual machine: bytecode interpreter that executes protected functions in a proprietary VM ISA |
| Layer 4 | Anti-analysis shellcodes: environment fingerprinting that terminates execution in sandboxes and VMs |
Custom Virtual Machine (ESET, January 2018):
ESET researcher Filip Kafka published "ESET's guide to deobfuscating and devirtualizing FinFisher", the definitive public reference for analyzing FinFisher's VM. The VM translates native x86 instructions into custom bytecode at build time. At runtime, a bytecode interpreter executes these instructions, so static analysis tools like IDA Pro see only the interpreter's dispatch loop rather than the protected logic itself. ESET also released IDAPython scripts on GitHub to assist with devirtualization.
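To make the "interpreter loop is all you see" point concrete, here is an added toy illustration (constructed for this wiki; it is not FinFisher's bytecode ISA and not ESET's tooling): a tiny stack VM whose protected function exists only as a byte blob, plus a `lift()` routine that does what a devirtualizer does, recovering a readable listing from the blob once the opcode table is known. The opcode numbers, the blob and the helper names are all assumptions.

```python
# Toy virtualization-obfuscation demo (constructed; NOT FinFisher's real ISA).
# A static disassembler of the "binary" sees only run_vm()'s dispatch loop;
# the real logic lives in PROTECTED. lift() is the devirtualization step.

OPCODES = {                    # opcode -> (mnemonic, number of operand bytes)
    0x10: ("LOAD_CONST", 1),   # push immediate byte
    0x20: ("LOAD_ARG",   1),   # push argument i
    0x30: ("XOR",        0),   # pop b, a; push a ^ b
    0x31: ("ADD",        0),   # pop b, a; push (a + b) & 0xFF
    0x40: ("JZ",         1),   # pop v; if v == 0 jump to absolute offset
    0x50: ("RET",        0),   # pop v; return it
}

# Constructed "protected function": return 0 if arg0 == 0 else (arg0 ^ 0x5A) + 1
PROTECTED = bytes([
    0x20, 0x00,   # 0000: LOAD_ARG 0
    0x40, 0x0D,   # 0002: JZ 0x0d
    0x20, 0x00,   # 0004: LOAD_ARG 0
    0x10, 0x5A,   # 0006: LOAD_CONST 0x5a
    0x30,         # 0008: XOR
    0x10, 0x01,   # 0009: LOAD_CONST 0x01
    0x31,         # 000b: ADD
    0x50,         # 000c: RET
    0x10, 0x00,   # 000d: LOAD_CONST 0x00
    0x50,         # 000f: RET
])

def run_vm(code, args):
    """The interpreter: this loop is all a static tool sees of the logic."""
    stack, pc = [], 0
    while True:
        name, nargs = OPCODES[code[pc]]
        imm = code[pc + 1] if nargs else None
        pc += 1 + nargs
        if name == "LOAD_CONST": stack.append(imm)
        elif name == "LOAD_ARG":  stack.append(args[imm])
        elif name == "XOR": b, a = stack.pop(), stack.pop(); stack.append(a ^ b)
        elif name == "ADD": b, a = stack.pop(), stack.pop(); stack.append((a + b) & 0xFF)
        elif name == "JZ":
            if stack.pop() == 0: pc = imm
        elif name == "RET": return stack.pop()

def lift(code):
    """Devirtualize: walk the blob with the recovered opcode table and emit a listing."""
    out, pc = [], 0
    while pc < len(code):
        if code[pc] not in OPCODES:
            raise ValueError(f"unknown opcode {code[pc]:#04x} at offset {pc:#06x}")
        name, nargs = OPCODES[code[pc]]
        operand = f" {code[pc + 1]:#04x}" if nargs else ""
        out.append(f"{pc:04x}: {name}{operand}")
        pc += 1 + nargs
    return out
```

The opcode-to-handler table is the artifact an analyst has to recover first; with it, the blob turns back into ordinary instructions that a disassembler can reason about.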
### Android-Specific Obfuscation

The Android variant uses its own protection scheme. Defensive Lab Agency analyzed FinSpy for Android (designated DexDen in their analysis), finding:
- Configuration data encrypted and hidden within the APK
- Heavy use of JNI (Java Native Interface) calls to move logic into native code where Dalvik-level analysis tools cannot follow
- Anti-emulator checks targeting common analysis environments
- String encryption with runtime decryption
### Persistence

On Android, FinSpy registers as a device administrator and uses accessibility services to prevent removal. On rooted devices, it installs system-level components. The desktop variant achieves persistence through a UEFI bootkit (Kaspersky) that operates below the operating system, surviving OS reinstallation.
### C2 Communication

FinSpy communicates with its C2 over HTTPS with custom encryption. Citizen Lab's scanning research found that FinFisher uses anonymizing proxy servers to obscure the true location of the master C2 servers, though its 2015 research devised techniques to unmask these proxies.
## Known Deployments and Targets

Citizen Lab's cumulative research identified FinFisher deployments or suspected use in over 30 countries:
| Region | Countries |
|---|---|
| Middle East & North Africa | Bahrain, Egypt, Jordan, Lebanon, Morocco, Oman, Saudi Arabia, Turkey, UAE |
| Sub-Saharan Africa | Angola, Ethiopia, Gabon, Kenya, Nigeria, South Africa |
| Europe | Austria, Belgium, Czech Republic, Estonia, Germany, Hungary, Italy, Netherlands, Serbia, Slovenia, Spain |
| Asia | Bangladesh, Indonesia, Malaysia, Mongolia, Pakistan, Singapore, Vietnam |
| Americas | Mexico, Paraguay, Venezuela |
Confirmed targets include Bahraini activists and dissidents, Ethiopian opposition journalists, Turkish political targets (the export that triggered the criminal investigation), and Egyptian civil society organizations.
## Notable Campaigns and Discoveries

August 2012: Citizen Lab publishes "The SmartPhone Who Loved Me", the first documentation of FinFisher mobile implants across Android, iOS, BlackBerry, Windows Mobile, and Symbian.
August 2014: The hacktivist "Phineas Fisher" breaches Gamma Group servers, leaking 40GB of FinFisher data including source code, client lists, and deployment documentation. The leak confirms sales to governments in Bahrain, Ethiopia, and Turkmenistan.
October 2015: Citizen Lab publishes "Pay No Attention to the Server Behind the Proxy", mapping FinFisher to operations in 32+ countries despite the 2014 breach.
September 2017: ESET documents ISP-level MITM campaigns in Turkey and Egypt, where downloads of legitimate software were intercepted and replaced with FinSpy-bundled versions at the ISP level.
January 2018: ESET publishes its whitepaper on deobfuscating and devirtualizing FinFisher, providing the first public methodology for defeating FinFisher's custom VM protection.
July 2019: Kaspersky discovers updated FinSpy mobile implants active in nearly 20 countries, including new features and improved obfuscation for both iOS and Android.
September 2020: Amnesty International and Defensive Lab Agency document new FinSpy variants targeting Egyptian civil society, including previously unknown Linux and macOS versions.
September 2021: Kaspersky publishes "FinSpy: unseen findings", revealing the four-layer obfuscation system, the UEFI bootkit, and advanced anti-analysis measures. This represents the most comprehensive technical teardown of FinFisher's protection layers.
March 2022: FinFisher GmbH files for insolvency and is dissolved after German authorities seize company accounts. The Chaos Computer Club declares a "stage win" against the surveillance industry.
May 2023: Munich prosecutors charge four former FinFisher executives for illegally exporting surveillance software to Turkey without the required export license.