The Munk School has been monitoring FinFisher command-and-control servers since last year, but found in October that their methods for identifying those servers, called "fingerprinting," were no longer working, indicating FinFisher had been modified.
"We believe that Gamma either independently changed the FinSpy protocol or was able to determine key elements of our fingerprint, although it has never been publicly revealed," Marquis-Boire wrote.
Gamma Group and the subsidiary that makes the software, Gamma International, did not immediately respond to an email seeking comment.
Marquis-Boire wrote that the proliferation of FinFisher points to a larger issue with software and tools that are intended for legal surveillance but are abused by countries with poor human rights records. "This is indicative of a global trend towards the acquisition of offensive cyber capabilities by non-democratic regimes from commercial Western companies," he wrote.
On Tuesday, Reporters Without Borders named Gamma International as one of five companies whose products are believed to be used for spying on journalists and dissidents. It called on countries to implement stronger export controls around surveillance tools.
Sign up for CIO Asia eNewsletters.