The UK firm Gamma Group has created malware that can turn a cell phone into a tracking device. A new report revealed that the Bahraini government used it to spy on dissidents, while the firm says the software was stolen.
Husain Abdulla, a naturalized US citizen and director of Americans for Democracy and Human Rights in Bahrain (ADHRB), received an e-mail in May from a Bahraini opposition leader with an attachment entitled "Existence of a new dialogue." Luckily for him, it wouldn't open on his BlackBerry.
"I couldn't open the attachment, but took it to one of the people investigating malware," he told DW. "They said it if you open it, it's going to be able to spy on any kind of activity you do on your computer or laptop."
Abdulla said he is aware of at least seven people who received the same e-mail - "but I know it's more than that." The malware investigators were researchers at the University of Toronto Munk School of Global Affairs' Citizen Lab, who traced the e-mail to an IP address controlled by the Bahraini government, who, they suspect, intercepted the e-mail and added the attachment.
The Citizen Lab last week released a report on spyware being used against political opposition members and pro-democracy activists around the world, which linked the viruses to UK based company Gamma Group.
The 'IT intrusion field'
"Gamma addresses ongoing developments in the IT intrusion field with solutions to enhance the capabilities of our clients," announces the FinFisher website, presenting its range of spyware products as the cutting edge of law enforcement.
The software, named FinSpy, functions like a computer virus, and can be used to secretly monitor computers, grab images from computer screens, intercept and record Skype calls, turn on web cameras and microphones, and record keystrokes. It can do all this while avoiding any antivirus software the target computer may have installed.
There is also a mobile version, which effectively turns cell phones into tracking devices. It is capable of hacking into a variety of operating systems, including Microsoft Windows Mobile, Apple iPhone's iOS, as well as Android systems.
"When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located," promised a FinSpy brochure recently published by WikiLeaks.
The Citizen Lab researchers trawled the Internet using malware samples to find out who is using Gamma's cyber arsenal. They ended up linking FinSpy to servers in over a dozen countries, including Bahrain, Brunei and Turkmenistan, the latter once described by Human Rights Watch as one of the "world's most repressive countries."
On the same day that the report was released, last Wednesday (29.08.12), Gamma International released a statement claiming that information relating to its "sales demonstration server" had been stolen.
"As soon as it was realized that the information concerning the demonstration server had been stolen, the server was shut down," Gamma International Managing Director Martin J. Muench said in the statement. "It's been suggested that the information was stolen on behalf of a pressure group to disrupt our business but I have no evidence yet to support that claim."
Guarding the guards
Though Muench, based in Munich, would not speculate on who was behind the apparent theft, he said the investigation was ongoing. "We are investigating various issues concerning the above at the moment and when we have reached our conclusions we will advise you," he told DW.
Muench added that the company is bound by international standards on how it chooses its clients. "We use the Export Controls Authorities (ECA) in the UK, Germany and USA to determine to whom we can sell our products. They in effect act as our 'moral compass,'" he said.
"Once our product has been supplied to our client it becomes their responsibility to uphold their national laws and get the relevant court orders," Muench continued. "Given that a can of fizzy drink or a car battery can be abused and used as an implement of torture, it is of no surprise to anyone if our products can be abused too. … We can only do our best to ensure that they don't end up in the wrong hands and to that extent we rely on the ECAs."
Big Brother Inc.
But human rights organizations are skeptical. Eric King, head of research at UK organization Privacy International, where he runs the Big Brother Incorporated project, said he doesn't believe Gamma's malware was stolen.
"Gamma Group is one of the scariest surveillance companies that exists," he told DW. "They have no internal guidelines on who and where they sell their equipment to, beyond laws that are currently in place. Which sounds like a reasonable defense, apart from the fact that there are none. There are no laws at all that govern the export or sale of surveillance technology anywhere in the world.
"The first time that their product was discovered in Egypt, Gamma insisted that it was simply a trial, and the second time, over in Bahrain, they said all of a sudden that their technology had been stolen," King said. "It's getting more and more farcical."
King said it is impossible to verify whether Gamma is lying about the theft because ECAs do not keep records of surveillance software.
"Questions have been asked in the Houses of Parliament, and the British government is saying we don't know anything," he said. "Uncovering the contractual details between a highly secretive organization and what is effectively a foreign intelligence service usually ends up being a mammoth task. That's why Gamma Group is quite happily dismissing things and pointing people in the other direction."
For that reason, groups like Privacy International are lobbying for tighter regulation on surveillance technology. But in the meantime, King said, "Gamma Group, like a number of other companies that are currently peddling their wares to dictators, need to start talking honestly about their customers and coming clean about their business practices."
To the Bahrain activist Abdulla, FinSpy represents a new front in the struggle against the Bahraini government. "I was expecting some kind of attack," said Abdulla. "A friend of mine in Bahrain had secret cameras installed in his home when he was out. But I did not expect a cyber-attack. I was expecting the government to spread misinformation on my organization or my activities. I did not believe they would sink so low as to try and get information and then use it to ruin people's lives.
"Nothing surprises me when it comes to this government, but now it's gotten sophisticated and they use the latest technology to attack activists," Abdulla said. "They're using new ways to come after people who expose their policies and human rights violations. And activists are not used to it."