Yesterday (11 July), multinational cybersecurity and anti-virus provider Kaspersky said in a press released that their experts have uncovered new versions of the advance malicious surveillance tool ‘FinSpy’.

The new version implants function on both iOS and Android devices, monitoring activity on almost all popular messaging services including encrypted ones like WhatsApp and Telegram. Kaspersky noted that the malware is also better than hiding their traces than ever before.

FinSpy enables the almost unlimited monitoring of activities on a device from geolocation to incoming and outgoing messages, contacts, media, and data from popular communication applications such as WhatsApp, Facebook Messenger and Viber. The latest version of this malware extends the surveillance functionality to include even services that are considered ‘secure’ such as Telegram, Signal or Threema.

The basic functionality of the malware includes almost unlimited monitoring of the device’s activities: such as geolocation, all incoming and outgoing messages, contacts, media stored on the device, and data from popular messaging services like WhatsApp, Facebook messenger or Viber. All the exfiltrated data is transferred to the attacker via SMS messages or the HTTP protocol.

FinSpy is a product by German company FinFisher which, according to a WikiLeaks, “produces and sells computer intrusion systems, software exploits and remote monitoring systems that are capable of intercepting communications and data from OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices.”

Singapore company with ties to the government has purchased FinTech spyware

Back in September 2014, a Wikileaks media release noted that a Singapore company was one of several which have allegedly purchased “weaponised German surveillance malware” for use. The company in question is PCS Security Pte Ltd (PCS) which was incorporated in 1998 and headed by Singaporeans.

According to Wikileaks, PCS had apparently spent some €3,166,560 (approximately S$5.1 million at the time) in 2012 on the licences for the malware products. Some of the products they purchased include FinSpy, FinIntrusion, and FinUSB Suite.

Based on the licenses that PCS purchased in 2012, up to 500 devices can be monitored using the system, enabling them to record online activities and logging usernames and passwords. The FinIntrusion product even records all accounts logged into public wi-fi networks.

PCS declares on its website that it prides itself “in delivering value-added systems with our domain expertise and experience in Homeland Security and Infocomm Security.”

“We have the expertise and capability to deliver cutting-edge technology solutions for our Customers in the Government, trade and the commercial sector,” it said.

According to official records, PCS itself is fully owned by another outfit – the Phoenix Co-operative Society but not much is known about the co-operative. In 2010, Phoenix Co-operative Society was one of four co-operatives which were given an exemption under Section 97 of the Co-operative Societies Act. In effect, the chairman, secretary and treasurer of exempted co-operatives do not have to be elected by members of the management committee or members of the society.

The other three exempted co-operatives are the Singapore Police Co-operative Society Limited, Singapore Prison Service Multi-Purpose Co-operative Society Limited and Industrial and Services Co-operative Society Limited – all three are under the purview of the Ministry of Home Affairs.

We also note that former Internal Security Department (ISD) officer, Sim Poh Heng was a director at Phoenix in the early days of the PCS and that it is likely it was named after the Phoenix Park Complex where the ISD used to be located.

Not only that, based on leaked customer request forms we can see that PCS was actively using the spyware program.

When TOC reported on PCS being named by WikiLeaks back in 2014, we reached out to the police, Attorney General’s Chambers, the Ministry of Communications and Information, and several ministers – Mr Yaacob Ibrahim, Mr Zaqy Mohammad and Mr Baey Yam Keng – on the government’s knowledge of the purchase.

The only replies we received were from the police and the Attorney’s General Office suggesting that we seek advice from a legal counsel instead and referred us to Legal Aid. No one else responded to our queries.

The important questions that remain today:

1) Is PCS Security still in possession of the spyware

2) Did they use the spyware in any way and

3) is there any legal oversight on the usage of such software given that a private limited company in Singapore is in possession of it? Given that there is no exemption by law for a private contractor to hold onto illegal software as in the case of firearms.