Hacking FinSpy - a Case Study about how to Analyse and Defeat an Android Law-enforcement Spying App presented at Troopers 2015

by Attila Marosi

Summary: There is most likely no need for a long introduction when speaking about the famous FinSpy application, a product of the company FinFisher from Gamma Group. In this case study I will present how I reverse engineered this law-enforcement tool, and I will also share the results of the analysis in detail (configuration and installation process, cryptography solutions, control mechanism). Because it is a case study, I will present which techniques and tools I used during the analysis: how to analyze an Android application quickly to get a basic view of it, then how to analyze it deeply, how to patch it, and how to defeat obfuscations and the self-checks. Along the way I had some successes and mistakes as well; both are good to share and learn from. The result of this analysis was quite disappointing because this tool has several serious weaknesses in multiple parts of it, which is unacceptable for a law-enforcement spying tool. A test/analysis without proof-of-concept code is nothing, so at the end of the lecture I will present my scripts to demonstrate how to hijack the control of the application perfectly and to show how to loot the collected data from the phone (call logs, SMS, contacts, everything the app has collected on the device).