Spyware. No, we’re not talking about the gadgets and gizmos Q dishes out to James Bond prior to a mission, but the surveillance technology used to keep tabs on third-party devices.
It sounds awfully shady and something reserved for the world of espionage, but any civilian can get their hands on it. Judging by Google’s search data, there is huge demand for mobile spyware with over 90,000 searches a month for the term ‘spy app’ alone.
A market has formed, and spyware apps are readily available to less technically inclined snoopers. It is an ethically questionable technology that infringes on the privacy of its targets, which is why Google and Apple have been removing apps of this kind from their respective app stores.
But what risks does commercial spyware present to the parties involved?
The Wandera Research team has investigated around 40 commercial spyware apps to understand their behavior and vulnerabilities.
Firstly, we need to define what we mean by ‘commercial spyware’.

What are commercial spyware apps?

Commercial spyware apps, also referred to as spy apps or more generically “spyware”, are surveillance applications used to monitor, track and extract information from third-party mobile devices.
Commercial spyware is commonly marketed under the guise of parental control software, which is a seemingly legitimate use. However, like most forms of technology, in the wrong hands it can be misused. Spouses could monitor their partners, organizations could monitor their employees, or hackers could install spyware onto an executive’s device and extract sensitive business information. 
The capabilities of these applications are surprisingly vast. They can provide visibility of SMS messages, phone calls, GPS, calendar, social media, network traffic, multimedia, as well as remotely control the device to do things like activate the microphone or camera, uninstall or install software or lock the device. Basically, anything you do on your phone.
Customers invariably don’t want to let their targets know that they’re being spied on and the apps have been designed with this in mind: either deleting themselves from view post-installation or masking themselves as other apps. It feels more Orwellian than a digital Guardian Angel. 

What are the security issues of commercial spyware?

The Wandera Research Team identified the following as some of the security risks with commercial spyware apps.

Installing commercial spyware apps

The spyware apps researched were not bound to any particular device: a snooper buys a subscription, installs the agent on the target device (or points the service at the target’s iCloud account) and then watches the collected data through the vendor’s web console. The only prerequisites to getting started are either physical access to the device to install the app, or knowledge of the target’s iCloud credentials (iPhone only). In the latter case, what is monitored is generally the data synced to or backed up in iCloud rather than what is live on the device.
With access to the device, installation is relatively simple.
For Android, the “unknown sources” option needs to be enabled so that applications from outside Google Play can be installed (on Android 8 and later this is a per-app “install unknown apps” permission rather than a single global toggle, but the effect is the same: sideloading has to be switched on). Alternatively, a more extreme measure is to root the device, which brings its own security risks, since it removes the platform’s integrity protections for every app, not just the spyware. An iOS device can be jailbroken to achieve the same effect.
Given that the purported use case for these spy apps is to protect loved ones, there is an awful lot of tampering with the built-in security features of both market-leading operating systems, which in turn potentially exposes the target to greater threats, as well as possibly encouraging riskier user behavior.

Credentials Handling

In the past few months there have been a number of vendor breaches and data exposures, namely mSpy (its second in three years), SpyFone, LocationSmart and CoupleVow. So not only are the devices being spied on potentially exposed to more threats because OS security features have been tampered with, there is the additional concern that the collected data and the credentials the vendor holds could be compromised by a breach of the vendor itself.
The Wandera Research team also identified security issues for spyware customers.
One particular vendor auto-generates a password for the user with a weak and predictable pattern: seven decimal digits followed by one letter, e.g. 1234657a. That is a space of only 10^7 × 26, about 2.6 × 10^8 candidates (roughly 28 bits), if the letter is lowercase. If users don’t change this default password it can be easily defeated by a brute-force attack: trivially offline should a password database leak, and feasibly online against a console that does not rate-limit or lock out failed logins.
Another vendor allows users to choose their own password, but after registration sends an email to the user with the password in the body of the email. This practice raises concerns: at minimum the password is exposed in transit and sits in the recipient’s mailbox, and it suggests that the vendor holds passwords in plaintext or some other recoverable form (a later “password reminder” email containing the original password would confirm this). Either way, if the vendor’s servers were compromised, which is not beyond the realm of possibility given the recent breaches, individuals under surveillance could then be spied on by an attacker.
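The two credential problems above, the predictable default password and the recoverable storage, are easy to quantify. The following Python is an added illustration, not code from Wandera or from any spyware vendor: it models the weak generator as exactly seven decimal digits followed by one lowercase letter (an assumption based on the article’s example “1234657a”), enumerates that space the way a brute-force tool would, and puts a plaintext credential store beside a salted PBKDF2 store so the difference a breach makes is visible. The guess rates are illustrative only.

```python
"""Weak default passwords and plaintext storage, beside hardened forms.

Added example, not the vendor's or Wandera's code. Assumed model of the
weak generator: seven decimal digits then one lowercase ASCII letter.
"""
import hashlib
import hmac
import math
import re
import secrets
import string
from typing import Iterator, Optional

# ---- the weak scheme ------------------------------------------------------

WEAK_RE = re.compile(r"[0-9]{7}[a-z]")


def matches_weak_pattern(password: str) -> bool:
    """True if a password looks like the assumed default: 7 digits + 1 letter."""
    return WEAK_RE.fullmatch(password) is not None


def weak_keyspace() -> int:
    """Number of passwords the weak generator can produce: 10**7 * 26."""
    return 10 ** 7 * len(string.ascii_lowercase)


def entropy_bits(keyspace: int) -> float:
    """Equivalent strength in bits of a uniformly chosen value from `keyspace`."""
    return math.log2(keyspace)


def enumerate_weak(limit: Optional[int] = None) -> Iterator[str]:
    """Yield every candidate in the weak space, digits-major, letter-minor."""
    count = 0
    for n in range(10 ** 7):
        digits = f"{n:07d}"
        for letter in string.ascii_lowercase:
            if limit is not None and count >= limit:
                return
            yield digits + letter
            count += 1


def brute_force_weak(target: str, max_guesses: int = 1_000_000) -> Optional[int]:
    """Guess count at which `target` is hit, or None if not within max_guesses."""
    for i, candidate in enumerate(enumerate_weak(max_guesses), start=1):
        if candidate == target:
            return i
    return None


def seconds_to_exhaust(guesses_per_second: float) -> float:
    """Worst-case time to try the whole weak space at an illustrative rate."""
    return weak_keyspace() / guesses_per_second


# ---- hardened generation ---------------------------------------------------

STRONG_ALPHABET = string.ascii_letters + string.digits


def generate_strong_password(length: int = 16) -> str:
    """Uniform random password from a CSPRNG; 62**16 is about 95 bits."""
    return "".join(secrets.choice(STRONG_ALPHABET) for _ in range(length))


def strong_keyspace(length: int = 16) -> int:
    return len(STRONG_ALPHABET) ** length


# ---- storage: plaintext versus salted PBKDF2 -----------------------------

class PlaintextStore:
    """What emailing the password back implies: the secret itself is kept."""

    def __init__(self) -> None:
        self._db: dict = {}

    def register(self, user: str, password: str) -> None:
        self._db[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._db.get(user) == password

    def dump(self, user: str):
        return self._db[user]  # a breach hands the password straight over


class HashedStore:
    """Per-user salt plus PBKDF2-HMAC-SHA256; a breach yields only digests."""

    ITERATIONS = 600_000

    def __init__(self) -> None:
        self._db: dict = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._db[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._db.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._digest(password, salt), stored)

    def dump(self, user: str):
        return self._db[user]  # salt + digest; the password must still be guessed
```

`brute_force_weak` walks the same order an attacker would, so a default such as `0000001b` falls on the 28th guess; the full 260 million candidates take well under a second at offline hash-cracking rates, and about a month even at 100 online attempts per second if nothing throttles the login. The `HashedStore` breach output is a salt and a digest, which still has to be cracked at 600,000 PBKDF2 iterations per guess; the `PlaintextStore` breach output is the password.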
Some other findings and statistics about the nature of commercial spyware apps:

  • 28% of the spy apps are meant to be used on Android only, the rest of the apps can be used on both Android and iOS
  • 52% of the iOS apps do not require physical access to the device or any app installation, but instead need iCloud credentials
  • 41% of the apps have complete calendar access
  • 79% of the apps support social media exfiltration
  • 82% of the apps provide functionality to spy on a user’s browser habits
  • 82% of apps provide access to files stored on the device
  • 50% of apps provide remote control capability

It’s important that organizations are aware that this type of technology exists, is readily available and is easy to use and deploy. Spy apps could easily be turned against an organization. Installation is a barrier, but employees are only one convincing phishing attack away from handing over their iCloud credentials, at which point the iCloud-based variants need no access to the device at all. Enforcing two-factor authentication on Apple IDs, and treating sideloading, rooting and jailbreaking as policy violations on managed devices, raises that bar considerably.