The fully decompiled code and assets of 421and.apk can be found here: FinSpyMobileAndroid-decompiled.zip (no password).
This particular APK, although not the latest, is not obfuscated and easily reveals most capabilities of the malware:
- Location tracker
- Information stealer (calendar, contact list, text messages, WhatsApp databases, etc.)
- Remotely controlled through encrypted communication over SMS and data
A great recap of the full story can be read on Netzpolitik. Real-time updates are on Twitter.
Maintenance release 1.5.201408040 introduces support for Java Archive (Jar) plugins. Unlike Java source plugins, Jar plugins do not require running JEB with a JDK, as the Jar already contains compiled code.
Jar plugins allow for complex, multi-class plugins, and referencing external libraries is easy via Manifest entries.
The plugins/ sub-directory of your JEB installation directory contains a sample JAR plugin (SamplePluginJar.jar) as well as the associated source code (SamplePluginJar-src.zip). You can use this plugin’s source code as a template for your own Jar plugins. The build.xml file is a simple Apache Ant build file used to compile source files (located in src/) and package the generated *.class files into a single Jar, with appropriate JEB-specific Manifest entries set up.
About JEB-specific Manifest entries: unlike single-source plugins (Python, Java source), which define plugin metadata with a special comment line (#? for Python, //? for Java), Jar plugins define their metadata with Manifest entries prefixed by JebPlugin-:
- JebPlugin-entryclass: (mandatory) set to the class that contains the plugin entry-point
- JebPlugin-name: (optional) plugin name (as it will appear in “Action / Custom Actions…” menu)
- JebPlugin-shortcut: (optional) keyboard shortcut
- JebPlugin-help: (optional) help information
- JebPlugin-author: (optional) plugin’s author information
The above values can be set by customizing the build.xml Ant file. Also, just as with stand-alone Jar files loaded by the Java VM executable, the Manifest entry Class-Path can be set to reference external Jar files or repositories of *.class files. Those entries are added to the class path when JEB loads the plugin.
Please let us know on the forum if you have any questions.
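Since Class-Path entries are added to the class path when JEB loads a plugin, it is worth reading a third-party Jar plugin's Manifest before installing it. The Python script below is an added example, not code from JEB or from the original post: it lists the JebPlugin- entries and Class-Path references of a constructed sample Jar. The class name `com.example.MyPlugin` and the `lib/` paths are hypothetical, and the check that the entry class is packaged inside the Jar itself is an assumption.

```python
import io
import zipfile

def parse_manifest(text):
    """Parse the main Manifest section; attribute names are case-insensitive."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of the previous value
            attrs[key] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            key = name.strip().lower()
            attrs[key] = value.lstrip(" ")
    return attrs

def inspect_plugin(jar_bytes):
    """Return (JebPlugin- entries, Class-Path entries, problems) for a Jar plugin."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return {}, [], ["no manifest"]
        attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    jeb = {k: v.strip() for k, v in attrs.items() if k.startswith("jebplugin-")}
    class_path = attrs.get("class-path", "").split()   # external code to review
    problems = []
    entry = jeb.get("jebplugin-entryclass", "")
    if not entry:
        problems.append("missing mandatory JebPlugin-entryclass")
    elif entry.replace(".", "/") + ".class" not in names:   # assumed check
        problems.append("entry class not found in Jar: " + entry)
    return jeb, class_path, problems

def build_sample_jar(manifest):
    """Build a constructed Jar in memory (placeholder class file, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("com/example/MyPlugin.class", b"")
    return buf.getvalue()

# Constructed sample Manifest; the Class-Path value wraps onto a continuation line.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\n"
                   "JebPlugin-entryclass: com.example.MyPlugin\r\n"
                   "JebPlugin-name: Sample audit target\r\n"
                   "Class-Path: lib/helper.jar lib/very-long-dependency-name-that-wraps-ont\r\n"
                   " o-a-continuation-line.jar\r\n\r\n")

if __name__ == "__main__":
    print(inspect_plugin(build_sample_jar(SAMPLE_MANIFEST)))
```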