There is probably no need for a long introduction when speaking about the well-known FinSpy application, a product of the company FinFisher from Gamma Group. In this case study I will present how I reverse engineered this law-enforcement tool and share the results of the analysis in detail (configuration and installation process, cryptographic solutions, control mechanism). Because it is a case study, I will also present the techniques and tools I used during the analysis: how to analyze an Android application quickly to get a basic overview of it, and then how to analyze it in depth, how to patch it, and how to defeat its obfuscation and self-checks. Along the way I had both successes and mistakes, and both are worth sharing so others can learn from them. The result of this analysis was quite disappointing, because the tool has several serious weaknesses in multiple parts of it, which is unacceptable for a law-enforcement surveillance tool. An analysis without proof-of-concept code is worth little, so at the end of the talk I will present my scripts to demonstrate how to completely hijack control of the application and how to loot the collected data from the phone (call logs, SMS, contacts, everything the app has collected on the device).
Attila Marosi has worked in the information security field since he started in IT. As an active-duty lieutenant he spent almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, an additional national-level member of the internationally known system of CERT offices. He now works for SophosLabs as a Senior Threat Researcher in the Emerging Threats Team, developing novel solutions for the newest threats. Attila holds several international certifications, including CEH, ECSA, OSCP and OSCE. In his free time he gives lectures and teaches at various levels, including for white hat hackers. He has presented at many security conferences, including hack.lu, DeepSec, AusCERT, Hacktivity, Troopers, Hacker Halted and NullCon.