Spyware Vendors Find New Ways to Deliver Mobile Apps

With mobile devices an essential part of our lives and privacy, we must protect that privacy against a form of mobile “spyware” that is openly sold and distributed and that threatens our privacy by secretly monitoring all of our activities on smartphones.

dnakajim-phonespy-1

In this context, spyware does not refer to Trojan malware that poses as legitimate games and tools while secretly stealing our private information. This type of spyware is usually called spy or monitoring apps to watch over our spouses, kids, or employees. Buyers of this kind of spyware will install it on their subjects’ mobile devices to monitor their activities and location. Most of these products claim that their software will remain undetected by those who are monitored. Yet how can we, or the developers, justify installing spyware without users’ knowledge and monitor all their private activities on smartphones?

dnakajim-phonespy-2

In September, we read reports that a seller of the spyware StealthGenie was indicted in the United States. The seller was criticized for supplying an app that could threaten a victim’s life and could be used, for example, by stalkers and domestic abusers. But similar kinds of spyware are still being distributed in markets and will continue to threaten our privacy.

Most spyware has the following features to remotely monitor and collect data about the target user’s private actions:

  • Recorded phone calls and call logs
  • Sent and received SMS messages
  • Contact information
  • Web browsing history and bookmarks
  • Photograph, video, and other documents
  • Current location
  • Account names for various services, including email addresses

Worse still, for devices that are “rooted” for Android or “jailbroken” for iOS, some spyware claims that they can monitor contacts and conversation data of SMS and messaging apps such as WhatsApp, Facebook, LINE, Skype, Viber, Kik, and so on.

It is rare to find these kinds of spyware apps on official markets for mobile apps. Some apps with similar functionality for antitheft or parental control are offered on official stores, and these can be used as spyware depending on circumstances. But spyware apps whose main use is to invade the target’s privacy are not published on official sites, probably because doing so would violate the official app markets’ policies.

Nonetheless, McAfee Labs has recently confirmed that spyware vendors are cleverly offering their products for Android devices via the official store. These vendors or their affiliates publish many free apps that download the spyware products or lead users to their product websites. Those who want to find spyware can get such products directly from the developers sites, but it seems that spyware vendors are seeking more sales opportunities by using popular app stores.

dnakajim-phonespy-3

Some of these apps simply redirect users to the sales site of the spyware product; others directly download the spyware and prompt users to install and register. In this manner, spyware vendors let users download and install their spyware products from external sites by publishing apparently harmless landing apps on the official store. Spyware installed from external sites are not listed in the My Apps list, so it is less likely that a target user will notice the installation if the initial landing apps were uninstalled by the monitoring person to hide their traces.

dnakajim-phonespy-4

Some of the installed spyware remove their application icons from home screen and app list to not be noticed by the target. And they start monitoring the target’s activities and sending the collected information to a remote server in the background. Other spyware also requires the DeviceAdmin privilege just after launch to make it difficult for victims to uninstall the app even if they notice suspicious behavior.

dnakajim-phonespy-5

Because much spyware is sold outside of the official store, they will not usually be installed unless the user enables installation from unknown sources. And even if these apps are installed, McAfee Mobile Security and other security software will detect them and alert users. However, although these countermeasures are effective when the device user accidentally installs malware, these defenses might not work as expected when another person with access to the device wants to monitor the user secretly and installs the app. The monitoring person could change the device’s security settings and even disable detection by security software.

Thus in addition to the usual defenses against malware, we should also observe the following:

  • Harden the device’s physical security. Never let anybody else use it. Make sure the device is locked with password, etc. to prevent someone else from changing the settings and installing any apps.
  • Carefully check changes made by someone else, no matter the reasons. Check whether any settings are changed or apps are installed. Most spyware hides from the target user by removing their icons from the home screen. Make sure to check the apps list from [Settings] – [Apps], or from apps list displayed by security software such as McAfee Mobile Security.
  • Carefully check the settings and apps on the device if it has been in someone else’s hands. Make sure that default settings are applied and look for any additional apps. It is desirable to factory reset the device and do initial settings yourself. Be careful also when buying a phone from any untrusted used-phone shop; shop staff might install apps for “free.”

There might be cases in which you want to use this kind of spyware as a monitoring tool to really protect someone you care about. First, get his or her consent. And you should be very careful about some points. The careless use of spyware can expose your loved one to danger. The information obtained through spyware must be accessible only to you and/or the monitored person; it is dangerous if you allow the spyware vendor to access the information. If the vendor is malicious, then all the privacy of your loved could be disclosed. Any information collected should be encrypted by a password that only you know, and only you should be able to decrypt it. Otherwise, even a benign spyware vendor could lose information due to a leak or security flaw. Much of the spyware we have seen transfers privacy and account authentication data as plaintext. If the monitored person were to use the phone on an unguarded public LAN with no appropriate security settings, all the private information could be snooped by a malicious observer.

Many of these spyware apps claim that their purpose is to protect spouses and kids, or to prevent employees inappropriate actions. However, if these apps are really intended for that purpose, then it would be reasonable to install them on the targets’ devices with their explicit approval and explain that their activities can be remotely monitored. Installing these apps publicly is a more effective way to prevent any unauthorized actions. Installing spyware secretly only opens the door to privacy invasion and potential cybercrime.

The post Spyware Vendors Find New Ways to Deliver Mobile Apps appeared first on McAfee.