The Increasing Use of Mobile Spyware Apps

Never in human history has there been a platform for tracking, eavesdropping, reconnaissance, and surveillance like the smartphone.  With the right malware or phone store app, a marketing company, suspicious spouse, parent, nation-state cyber-spy, or your own government or law enforcement agency can easily spy on anyone carrying a smartphone.  Mobile devices often provide a bridge between a target’s personal life and professional life, allowing an attacker a way into secured business, government, and military networks.

Of course we are all painfully familiar with the many uses that marketing companies such as Amazon and Google (and so many others) use to track our spending habits and feed us targeted advertising

There are “legitimate” smartphone apps that can be found in the Apple and Google stores that can be installed by anyone with access to the phone that will permit phone surveillance.  These apps are often installed by parents on the phones of their children.  Not so bad.  But they can also be installed by a jealous or possessive spouse, or by people getting a divorce who use the apps to collect evidence against their spouse or ex.  Or by a stalker or other total stranger.

Recently, the FTC settled a case with phone app developer Retina-X, sellers of “stalker-ware” apps MobileSpy, PhoneSheriff and TeenShield. According to the FTC, Retina-X did not ensure purchasers were using the apps for legitimate purposes. To install the apps, purchasers often had to weaken the security protections on the smartphone by jailbreaking or rooting the phone. Once installed, they could remove the app icon to prevent the target from knowing they were being monitored. Even for legitimate uses Retina-X failed to keep data confidential and secured, even the information of children.

The capabilities of the smartphone applications and malicious applications include:

  • audio surveillance through the microphone,
  • video surveillance through the camera,
  • reading emails and text messages,
  • hijacking your email accounts,
  • collecting files and pictures,
  • using location information to track the phone owner,
  • collect browser search history and website usage,
  • take screen shots of the phone screen,
  • keylogging for user and password information,
  • reading your social network feeds,
  • hijacking social network accounts,
  • hijacking online shopping accounts,
  • read even encrypted communications, and more.

Many repressive governments and regimes are using smartphone exploits to track political opposition and suppress free speech, manipulate the outcome of elections, and locate, arrest, and imprison dissenters.

Nation-state cyber operators have become an even greater threat.  Zero-click exploits favored by governmental attackers can cost $2.5 million.  Users of these exploits in the United States include the DHS, NSA, FBI, CIA, and the US Cyber Command.  More worrisome (perhaps) are the many ways countries such as the Russian Federation, China, North Korean, Vietnam, Iran are using smartphone exploits to set up advanced persistent threats.  Targets of these cyber-operations include Mongolia, Pakistan, Bangladesh, Japan, Europe, and of course the United States.  The industrial sectors targeted by these actors include critical infrastructure, electric, oil, and gas companies and utilities, chemical companies, manufacturers, governmental agencies, and military units.

There was an interesting case involving Hamas and the Israeli Defence Force that was reported in this blog previously.  Using an online dating app, Hamas was able to install tracking and surveillance malware into the phones of Israeli soldiers and use the phones to track troop deployment and eavesdrop on conversations.

What can you do about all this spying?  Unfortunately, the answer may be not enough.  But US-CERT (CISA) has provided the following tips to limit surveillance apps on your smartphone or other mobile device:

  • Avoid installing potentially harmful apps in the first place.
  • Do some online research on an app before you load it on your phone,
  • Review app permissions that may include access to your contacts, camera, microphone, storage, and location.
  • Limit location permission
  • Keep your phone firmware, operating system, and apps up to date.
  • Delete apps that you don’t need or no longer use.
  • To detect apps that may not be displaying an icon, check the installed applications in the device settings.
  • Avoid using social network accounts like Facebook to sign into an app.
  • Avoid using public Wi-Fi with your phone.
  • Charge with caution, there are charger cords that can provide an attacker access.  Chargers at public charging stations could be sponsored by a malicious attacker.  Chargers that are plugged into the USB port of device that is not yours may be compromised.
  • Protect your device from theft or unauthorized access.  An attacker only needs to possess your phone for a few minutes to install stalkerware.
  • Protect your data if the phone is stolen.  Make sure data on the phone is encrypted, and be sure to set up any remote wiping features.

These are scary and interesting times we live in.  None of us can conceive of living without our smartphone, yet they are such a dangerous tool that can be subverted against us.  Smartphones probably require MORE security controls than a typical desktop computer because of the power, mobility, and portability of these devices.  Make sure you do something to protect yours.

More information:

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.