Intrusion and surveillance software FinSpy has been found to be in use in 25 countries, including many with dubious human rights records. Researchers from The Citizen Lab found command and control servers for FinSpy — also known as FinFisher — across the globe after beginning analysis on a suspicious email targeting Bahraini activists. The software can capture information such as passwords and audio from Skype calls, which it then sends back to a server.

The FinSpy software is made by Gamma Group International in Munich, Germany, but is sold through a subsidiary in the United Kingdom. The surveillance tool is marketed for law enforcement, but has been used to target opposition groups and activists, something that has drawn concern over the software's distribution to select governments. As the report notes, an unregulated market for selling surveillance software globally presents significant risks to cyber attack, as US Director of National Intelligence James Clapper discussed yesterday.

Gamma Group claims that what the researchers discovered is not part of its software line, but that one specific instance was in fact a stolen copy of an old version of the product. However, The Citizen Lab calls into question Gamma Group's claims because of strong links between strains of the software and known FinSpy servers.

The software presents significant risks for cyber attack

The servers identified by the organization were located in Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United Kingdom, the United States, and Vietnam. Though a server location doesn't explicitly mean that the corresponding country is using FinSpy, Gamma Group does only sell its product to governments.

FinSpy has been found to affect computers through fake software update prompts, and by hiding in what appears to be an image file that is relevant to the person being phished. With the sale of software like FinSpy largely unregulated, the possibility of its use as a spying tool for means outside of law enforcement is a continued risk.