Let's Talk About FlexiSpy

Introduction: I started this blog post to explain the context of FlexiSpy leaks and show some information I have found during my analysis. This information is incomplete and there is still plenty analysis of source code or binaries to be done. I have uploaded the source code and binaries on github so that everyone can help with it. I will try to report in this articles the publications I have seen on it, but feel free to ping me on Twitter if you see new information or have any question.

FlexiWho?#

FlexiSpy is one of these companies selling surveillance software to people who want to spy on their wife/husband/partner (a.k.a. StalkerWare). You think that it is creepy? Well, it is likely worse than you imagine. First, there are dozens of companies like FlexiSpy, selling software allowing to remotely track everything the other person is doing : emails, calls, chat apps, calendar… The market is so developed that you can even find websites ranking them:

Screenshot

And the impact is really awful : a 2015 women’s aid survey showed that 29% of women experiencing domestic abuse had a spyware or GPS locator installed on their phone.

FlexiSpy is not even the bigger StalkerWare seller (Mspy seems to have more than one million customers) but they have something specific : in February a Forbes article showed that FlexiSpy is sharing part of its code with a tool called FinFisher, done by a UK-German company called Gamma International.

Screenshot of FinFisher website...

FinFisher is also a tool to spy on computers and smartphones but specifically for Law Enforcement and Intelligence agencies, and although their website pretends that it is used against crime, we have seen consistent utilization of this spyware against activists or political opponents:

  • In March 2011, Egyptian protesters who broke into the headquarters of the Egyptian intelligence service found contracts between Gamma Group and the Egyptian government
  • Since 2012, it was used several times against Bahrain political activists. Gamma denied selling FinFisher to the Bahrain government and stated that their software could have been stolen but leaked Gamma documents later showed that not only Gamma sold their product to the Bahraini government but also that they knew that their tool was used to target journalists and political dissidents
  • In 2013, Citizen Lab researchers identified FinFisher samples used against political groups in Ethiopia, in Vietnam and in 25 other countries. An Ethiopian political dissident in exile in London, Tadesse Kersmo, discovered with this report that he was targeted and that his computer was successfully compromised with FinFisher.
  • In 2015, Privacy International researchers confirmed the use of FinFisher against political opponents in Uganda

In 2015, Citizen Lab researchers scanned the Internet for FinFisher server and identified 33 countries using the product:

Map of government suspected to use FinFisher (CitizenLab - 2015)

So What?#

Last week, we learned something interesting : two persons decided that the StalkerWare business was not ethically acceptable and went after FlexiSpy and another company called Retina-X. They found vulnerabilities in their systems, successfully hacked them, stole all their information and wiped the disks. They finally shared some of their files with Motherboard journalists through their SecureDrop instance.

We learned some interesting facts from the first article published by Motherboard but also in the interview they gave and in the last Motherboard article about FlexiSpy:

  • FlexiSpy started from a small Thai company called Vervata in 2004, developing software until they started a first spying tool for Symbian in 2006. They later started a company called “Digital Endpoint” selling products to monitor employees.
  • They started a sister company called “RaySoft” selling to Law Enforcement agencies, and then a partnership with Gamma in 2011 on this market
  • Around 130 000 people had an account on Retina-X or Flexispy platforms
  • The hack was apparently quite easy and exploited a bug in the API
  • The hacker called Leopard Boy (a reference to the classic 1995 Hacker Movie) is apparently gonna continue targeting companies doing this business : “It’s the beginning of a reign of terror across this entire industry. I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide.”

Map of compromised smartphones with FlexiSpy (motherboard - 2017)

But more interesting, the Leopard Boy hacker started yesterday to publish documents and code on his Twitter account @fleximinx. I have uploaded the source code and binaries on a github repository and I will go through the interesting information I got from them during the past days.

What did we get?#

So what did we get in these leaks:

  • Documents about the FlexiSpy and sisters companies
  • Source code of Flexispy Android App v1.00.1 and 1.00.4
  • Source code of Blackberry spyware v.1.03.2 (from Jan 2012)
  • Source code of iPhone spyware version 4.9.1
  • Binaries of FlexiSpy malware for all platforms:

A View Of FlexiSpy Market Strategy#

One document named Flexi - Battleplan gives an interesting view of FlexiSpy market strategy (the document is from June 2009):

So their strategy focus mainly on buying Adwords, and bid more on Adwords used by their competitors on which they did an advanced analysis:

Then they define different Adwords campaigns including a creepy one:

We also learn that they created a website reviewing spy software (which is not online anymore but I bet FlexiSpy had good reviews):

They Don’t Like Taxes#

Two documents give also an interesting view on their off-shore strategy, first with the link between their companies:

But also with a copy of their contract with the notorious Mossack Fonseca laywer firm in the Seychelles (Monssack Fonseca was the company at the center of the Panama Papers):

Installing Cyclops#

Cyclops is the name a surveillance tool used by Gamma and FlexiSpy (I don’t know exactly what is the difference with FinFisher, it may be FlexiSpy internal name), and the install documentation (from 2011) leaked clearly confirms the collaboration between FlexiSpy and Gamma :

Introduction of the Install Guide

List of Deliverables

This documents seems to indicate that FlexiSpy was actually developing Cyclops while Gamma was reselling it and maintaining it without involvement in the development of the tool. But as @Josephfcox pointed out on Twitter, it is possible that it was a proposal for a customer that never happened (I doubt it though).

And Then Atlantis Arrived#

Atlantis is an enterprise product to monitor employees mobile devices. It seems to be a FlexiSpy product in this documentation, but it may be the product which later led to the creation of the Digital Endpoint company:

These documents also gives an idea of the price (in 2012):

Android Source Code#

The Android source code leaked is for the version 1.00.1 while the Android APKs are in version 2.24.3 and 2.25.1m so it seems to be pretty old code.

Nevertheless, we can quickly get the IP addresses and domains used by the application (here, here, here or here):

  • 192.168.2.60 and 192.168.2.116 are used as a dev IP
  • 58.137.119.227
    • hxxp://58.137.119.227:880/RainbowCore/gateway/unstructured
    • hxxp://58.137.119.227:880/RainbowCore/gateway
  • 58.137.119.229:
    • hxxp://58.137.119.229/RainbowCore
    • hxxp://58.137.119.229/RainbowCore/gateway
  • 58.137.119.230
    • hxxp://58.137.119.230/Core/gateway
  • hxxp://www.vervata.com
  • hxxp://www.flexispy.com
  • trkps[.]com
    • hxxp://trkps.com/m.php?lat=%f&long=%f&t=%s&i=%s&z=5

Please note that all the URLs in the code are in HTTP and not HTTPs :D :

$ find . -iname "*.java" -exec fgrep -iHn "https://" {} \; | wc -l
0

@ben_ra started an analysis of the Android source code and binaries here : Part 1 and Part 2.

According to @PaulWebSec, they achieve persistence by mounting /system as read/write and installing the spyware in the system folder (code is here):

Binaries#

The following binaries were leaked :

  • d46af65cb7bd12ce77b4d88bbdd4a005 5000_1.1.4.sisx VirusTotal
  • 39be87178c84d4afd07a80323a1d4b91 5002_2.24.3_green.APK VirusTotal
  • a5b589f4edac1aea9952d3faff261817 5002_-2.25.1_green.APK VirusTotal
  • 306adab7cfcb0d9a13956ca9e9dbd59a 5003_1.4.2.jad VirusTotal
  • eb295fe2e40f12014cdb05de07edcae2 5006_-1.0.12.exe VirusTotal
  • 8f6a42defdc8632c1baf961d7d9c3e5b 5006_1.0.13.exe VirusTotal
  • fa26d3c6fe253a354ed95e5dbb5067c6 5006_1.0.13.ZIP VirusTotal
  • 4efd37a38a56c650906d2ed76ceaaa6a 5007_1.1.1.pkg VirusTotal

Gamma Certificates#

Among the files leaked, we find two certificates used by the Gamma group to sign Symbian software. Both certificates are signed by a company called “Cyan Engineering Services SAL” :

Issuer: C=GB, ST=London, L=Southwark, O=Symbian Software Limited, CN=Symbian Developer Certificate CA 280205A/emailAddress=developercertificates@symbian.com
Validity
    Not Before: May 25 04:07:05 2011 GMT
    Not After : May 25 04:07:05 2014 GMT
Subject: C=LB, L=Beirut, O=Cyan Engineering Services SAL (offshore), CN=Cyan Engineering Services SAL (offshore), OU=Symbian Signed PublisherID, ST=Beirut

Links between this company and Gamma Group was already identified by Citizen Lab in their analysis of Symbian malware in 2012.

That’s all for now, folks. Ping me on Twitter if you have any question.