Our digital selves are now an established part of our identity. The emails we send, the conversations we have over social media, both private and public, the photos we share, the videos we watch, the apps we download, and the websites we visit all contribute to our digital personas. There are ways to prevent a government agency, country, or cybercriminal from peeking into our digital lives: virtual private networks (VPNs), end-to-end encryption, and browsers that do not track user activity are all common methods. However, governments, government agencies, and law enforcement agencies are now taking advantage of sophisticated spyware developed by companies like NSO Group. Once implanted on a device, it can be extremely difficult to detect or remove.
The following briefing will run through the different forms of malicious software found on iOS and Android handsets, the warning signs of infection, and how to remove such pestilence from your mobile devices where it is possible to do so. To put an end to any electronic spying activity, consider buying some stationery, envelopes, a roll of postage stamps, and a couple of ink pens. You will still be able to communicate, but response time may become a factor.[1]
Nuisanceware often comes in software bundles together with legitimate, free programs. Also known as Potentially Unwanted Programs (PUPs), this sort of software may interrupt your web browsing with pop-ups, forcibly change your homepage settings, and gather your browsing data in order to sell it to advertising agencies and networks. Sometimes, nuisanceware packages are bundled with legitimate apps (at no additional charge).
Although considered malvertising, nuisanceware is generally not dangerous or a threat to your core security, although it may collect some of your personal data. Antivirus solutions and app scans will normally pick PUPs up and wipe them from your handset without too much fuss.
Spyware and stalkerware are types of software, often unethical and sometimes dangerous, that can result in the theft of data including images, video, call logs, contact lists, and more. These types of software are sometimes found on desktop systems, but they are now most commonly implanted in mobile handsets across all operating systems.
Operators, whether fully-fledged cybercriminals, government agents, or your family or friends, may be able to use the software to monitor emails, SMS, and MMS sent and received; to intercept live calls for the purpose of eavesdropping across standard telephone lines or Voice over IP (VoIP) applications; to covertly record environmental noise or take photos; to track GPS locations; and to compromise commonly-used social media apps including Facebook and WhatsApp.
Stalkerware is considered the next step up from generic spyware. The difference between them is that spyware is usually more generic in purpose, stealing OS and clipboard data and anything else of potential value, such as cryptocurrency wallet data or account credentials, whereas stalkerware is downloaded to spy on a specific individual, usually in cases of domestic abuse. Spyware and stalkerware are found less commonly in the enterprise, although some software solutions are marketed to companies for keeping track of employee mobile devices and their activities.
The legal lines here can be crossed, but if a mobile device belongs to a company and is used by a staff member in the full knowledge that it is tracked or monitored, then this may be accepted as part of the workplace. In these cases, employees should keep their private lives, social media, and emails on their own smartphone or tablet and off company property.
Spyware and Stalkerware Apps in use:
- SpyPhone Android Rec Pro: This spyware claims to offer "full control" over a smartphone's functions, including listening in on the background noise of calls and recording them in their entirety; intercepting and sending copies of SMS and MMS messages sent from the victim's phone; sending activity reports to the user's email address; and more.
- FlexiSpy: One of the most well-known forms of stalkerware, FlexiSpy markets itself using the slogan: "Know Everything that Happens on a Computer or Smartphone, No Matter Where You Are." FlexiSpy is able to monitor both Android smartphones and PCs and is willing to deliver a device with the malware pre-installed to users. The spyware is able to listen in on calls, spy on apps including Facebook, Viber, and WhatsApp, turn on the infected device's microphone covertly, record Android VoIP calls, exfiltrate content such as photos, and intercept both SMS messages and emails. At the time of writing, marketing seems to be geared, at least publicly, to parents and business owners.
- PhoneSpector: Designed for both Android and iOS handsets, PhoneSpector claims to offer a means to "get texts, call history, GPS location, and more without having the phone in your possession."
Mobile Tracker, FoneMonitor, Spyera, SpyBubble, Android Spy, and Mobistealth are a few more examples of spyware and stalkerware which offer similar features.
Highly advanced spyware, known as Pegasus, is offered by NSO Group, an Israel-based company that markets itself as a provider of solutions to "help government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe." In July 2021, reports claimed that Pegasus was being used to target government officials (including those in Poland), civil rights activists, lawyers, and journalists worldwide. NSO Group has denied these accusations, but this has not stopped the US Department of Commerce from sanctioning the company, along with Candiru, Positive Technologies, and Computer Security Initiative Consultancy (COSEINC), for selling spyware used to attack individuals and businesses.
Apple has also launched a lawsuit against the company, seeking a permanent injunction to prevent NSO from using Apple software, services, or devices in the future. In other words, the court case is intended to stop NSO from being able to develop or sell iOS-based spyware.
If you receive odd or unusual social media messages or emails, this may be a warning sign. You should delete them without clicking on any links or downloading any files. The same goes for SMS content, which may contain links to lure you into unwittingly downloading spyware.
In an effort to catch victims unaware, cyber threat actors send messages, known as phishing attempts, that try to lure you into clicking a link or executing software that hosts a spyware or stalkerware payload. For this tactic to work, criminals need their victims to respond, so messages may contain content designed to induce panic, such as a demand for payment or a failed delivery notice. Messages could also use spoofed addresses from a contact you trust. In the case of stalkerware, initial infection messages may be more personal and tailored to the victim. Otherwise, physical access to the device, or the accidental installation of the spyware by the victim, is required. Some variants of spyware and stalkerware can be installed in less than a minute.
If your mobile phone goes missing and reappears with different settings or changes that you do not recognize, or if it has been confiscated for a period of time, this may be an indicator of tampering.
Surveillance software is becoming more sophisticated and can be difficult to detect. Not all spyware and stalkerware apps are invisible, however, and it is possible to find out if you are being monitored.
Am I already being monitored? Android: this is easier to check on an Android device, as there is a setting that allows apps to be downloaded and installed from outside the official Google Play Store. If it is enabled and you did not turn it on yourself, this may indicate tampering and jailbreaking without consent. Not every form of spyware and stalkerware requires a break-in attempt, however.
This setting is found in modern Android builds in Settings > Security > Allow unknown sources. (This varies depending on device and vendor.) You can also check Apps > Menu > Special Access > Install unknown apps to see if anything appears that you do not recognize, but there is no guarantee that Spyware will show up on the list.
Some forms of spyware will use generic names and icons to avoid detection. If a process or app comes up on the list you are not familiar with, a quick search online may help you ascertain whether it is legitimate.
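The two Android checks above (whether unknown sources are allowed, and which installed apps did not come from an official store) can be scripted over `adb` output. The helper below is an added example, not part of the original briefing: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and of `adb shell settings get secure install_non_market_apps`. The package names in the sample output and the list of trusted store installers are constructed assumptions for illustration.

```python
"""Triage helper for the Android 'unknown sources' and sideloaded-app checks."""
import re
from typing import Dict, List

# Installer package names that correspond to official or vendor app stores.
# Assumed list for this example; extend it for your handset's vendor store.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Constructed sample of `adb shell pm list packages -3 -i` output.
# Each line is "package:<name>  installer=<installer or null>".
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.mozilla.focus  installer=com.android.vending
package:com.android.systemservice  installer=null
package:com.sec.android.app.notes  installer=com.sec.android.app.samsungapps
package:com.example.syncmanager  installer=com.android.packageinstaller
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map each third-party package name to the installer that put it there."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group(1)] = match.group(2)
    return packages


def sideloaded_packages(packages: Dict[str, str]) -> List[str]:
    """Return packages not installed by a trusted store (installer=null means
    a manual APK install; com.android.packageinstaller means a sideload)."""
    return sorted(pkg for pkg, inst in packages.items()
                  if inst not in TRUSTED_INSTALLERS)


def unknown_sources_enabled(setting_value: str) -> bool:
    """Interpret `settings get secure install_non_market_apps`: "1" means
    'Allow unknown sources' is on, "0" off, "null" never set."""
    return setting_value.strip() == "1"


if __name__ == "__main__":
    found = sideloaded_packages(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg in found:
        print(f"review: {pkg} (not installed from a trusted store)")
```

A package with a generic, system-sounding name that was not installed by a store (like the constructed `com.android.systemservice` above) is exactly the kind of entry worth looking up before trusting it.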
iOS: iOS devices that are not jailbroken are generally harder to infect with malware unless a zero-day exploit is used. The presence of an app called Cydia, a package manager that enables users to install software packages on a jailbroken device, may indicate tampering (unless you knowingly downloaded the software yourself).
You may experience unexpected handset battery drain and overheating, as well as unexpected or strange behavior from the device operating system or apps. However, many spyware packages will be hard to detect this way, as the software is developed to be as silent as possible. An open-source project developed by Amnesty International, MVT (Mobile Verification Toolkit), is a cyber forensics package able to scan for advanced spyware on mobile devices, although it is most suited to investigators.
By design, Spyware and Stalkerware are hard to detect and can be equally hard to remove. It is not impossible in most cases, but it may take some complicated steps on the user’s part. When it comes to highly advanced spyware suites the only option may be to abandon your device. Remember to buy the stationery and postage stamps.
In the case of stalkerware, some operators will receive an alert warning them that the victim's device has been cleaned up when the software is removed. Even without such an alert, a sudden halt in the flow of information is a clear indicator to the operator that the malicious software has been eradicated.
Some removal options:
- Run a malware scan: There are many mobile antivirus solutions available that may be able to detect and remove basic forms of spyware. This is the easiest solution available, but it may not prove effective in every case. Cybersecurity vendors including Malwarebytes, Avast, and Kaspersky all offer spyware-scanning tools. You can try downloading them and performing a scan to wipe out infections.
- Change all of your passwords: If you suspect account compromise, change every password on every important account you have. Many of us have one or two central accounts, such as an email address, which will act as a hub for other accounts and password recovery. Begin there. It might also be a good idea to remove access to any "hub" services you use from a device you think has been compromised.
- Enable two-factor authentication (2FA): When account activity and logins require further consent from a mobile device, this can also help protect individual accounts. However, spyware may intercept the codes sent during 2FA protocols.
- Consider creating a new email address: Known only to you, the new email becomes tethered to your main accounts.
- Update your OS: It may seem obvious, but when an operating system releases a new version, which often comes with security patches and upgrades, this can, if you are lucky, cause conflict and problems for spyware. As with antivirus solutions, keep it updated.
- Protect your device physically: A PIN code, pattern, or enabling biometrics can protect your mobile device from future tampering. However, it will not help if a device has already been compromised.
- If all else fails, factory reset... or junk it: Performing a factory reset and clean install on the device you believe is compromised may help eradicate some forms of Spyware and Stalkerware. Ensure you remember to back up important content first. On Android platforms, this is usually found under Settings > General Management > Reset > Factory Data Reset. On iOS, go to Settings > General > Reset.
Some stalkerware services may survive factory resets. Restore to factory settings first, and if you still suspect an infection, consider disposing of your device.
Advanced versions of spyware, such as government-grade spyware, can be more difficult to detect. A guide on Pegasus published by cybersecurity firm Kaspersky includes some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings.
- Reboots: Reboot your device daily to prevent persistence from taking hold. The majority of infections appear to be based on zero-day exploits with little persistence, so rebooting can hamper attackers.
- "We analyzed one case in which a mobile device was targeted through a zero-click exploit (likely FORCED ENTRY)," Kaspersky says. "The device owner rebooted their device regularly and did so in the next 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots."
- Disable iMessage and Facetime (iOS): The researchers say that as features enabled by default, iMessage and Facetime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years.
- Consider using a browser other than Safari or the default Chrome. Kaspersky says that some exploits do not work "as well" on alternatives such as Firefox Focus.
- Use a trusted, paid VPN service, and install an app that warns when your device has been jailbroken. Some AV apps will perform this check.
The researchers also recommend that you make iTunes and sysdiags backups (iOS) if you suspect an infection, as they will help researchers diagnose a device properly.
It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication.
"Use a prepaid card in it, or, only connect by Wi-Fi and TOR while in airplane mode," the researchers say. "Avoid messengers where you need to provide your contacts with your phone number."
Both Google and Apple are generally quick to notice if spyware or other forms of malicious apps manage to circumvent the privacy and security barriers imposed on applications hosted in their respective official app stores. In July 2019, Google removed seven apps from the same Russian developer from the Play Store. While the apps were marketed as employee and child trackers, the tech giant took a dim view of their overreaching functions, including GPS device tracking, access to SMS messages, the theft of contact lists, and potentially the exposure of communication taking place in messaging applications.
When it comes to Apple, the iPad and iPhone maker began a crackdown on parental control apps several years ago, citing privacy-invading functions as the reason for removing some iOS apps from the App Store. In some cases, Apple requested that developers remove functions; in others, the apps were simply removed. The company offers its own parental device control service, called Screen Time, for parents who want to limit their child's device usage.
Surveillance without consent is unethical. In domestic situations, it causes a severe imbalance in power. If your sixth sense says something is wrong, investigate. An easily replaced mobile phone is not worth sacrificing your privacy and personal security.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.zdnet.com/article/how-to-find-and-remove-spyware-from-your-phone/