This is what happens when your phone is spying on you
Deficiencies in data security
The researchers also examined how seriously spyware apps protect the sensitive victim data they collect. The short answer: not very seriously. Some spyware apps transmit the data they collect, such as photos, text messages and location data, over unencrypted channels; four of the 14 apps the researchers surveyed did this. The unencrypted traffic also carries the login credentials of the person who bought the app. Anyone on the same Wi-Fi network could easily harvest all of this information.
Most of the apps the researchers analyzed store the same data at public URLs that anyone with the link can access. In some cases the URLs are also predictable, so that removing a few characters from one URL exposes the data of other accounts. In one case, the researchers identified an authentication flaw in a leading spyware service that allowed any party to access all of the data on every account.
Many of these apps also retain confidential data without the customer's agreement, or after the customer has stopped using them. Four of the 14 apps tested do not delete data from the spyware servers even after the customer has deleted their account or the app's license has expired. One app records the victim's data during a free trial but makes it available to the abuser only after they pay for a subscription; if the abuser never subscribes, the app keeps the data anyway.
Protection against spyware
“We propose that Android enforce stricter requirements on which apps can hide icons,” the researchers write. “Most apps running on Android phones should have an icon that appears on the launchpad.”
The researchers also found that many spyware apps resist removal. Some automatically restart after being stopped by the Android system or after the device reboots. “We recommend adding a dashboard to monitor autostart applications,” the researchers write.
Android already has some countermeasures that spyware must get around, including an indicator, visible to the user and impossible to dismiss, that appears while an app is using the microphone or camera. But these measures can fail for various reasons. For example, the victim's own legitimate use of the device also triggers the microphone and camera indicator, so the indicator alone does not tell the user that a hidden app is responsible.
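The two behaviours just described, no launcher icon and a receiver that restarts the app at boot, can be cross-referenced from a connected device with `adb`. The script below is an added example in the spirit of the autostart dashboard the researchers recommend; it is not their tooling. It lists third-party packages that register for `BOOT_COMPLETED` but expose no launcher activity. The package names in the sample output are constructed, and the sample text is only loosely shaped after the real output of `cmd package query-activities` / `query-receivers`; the parser deliberately relies on nothing but the `package/Component` tokens, since the surrounding layout varies between Android versions.

```python
"""List third-party packages that autostart at boot but have no launcher icon.

Added example, not from the paper. Sample outputs below are constructed;
package names are fictitious. Run with --device to query a real phone via adb.
"""
import re
import subprocess
import sys

# Real adb invocations (Android 8+). The parser depends only on the
# "package/Component" tokens in their output, not on the exact layout.
CMD_THIRD_PARTY = ["adb", "shell", "pm", "list", "packages", "-3"]
CMD_LAUNCHER = ["adb", "shell", "cmd", "package", "query-activities", "--brief",
                "-a", "android.intent.action.MAIN", "-c", "android.intent.category.LAUNCHER"]
CMD_BOOT = ["adb", "shell", "cmd", "package", "query-receivers", "--brief",
            "-a", "android.intent.action.BOOT_COMPLETED"]

COMPONENT = re.compile(r"([A-Za-z][\w.]*)/[\w.$]+")

# Constructed sample output (fictitious packages).
SAMPLE_PM = """package:com.example.messenger
package:com.example.sysservice
package:org.example.notes
package:com.example.keyboard
"""
SAMPLE_LAUNCHER = """Activity Resolver Table:
  android.intent.action.MAIN:
    com.android.settings/.Settings
    com.example.messenger/.MainActivity
    org.example.notes/.ui.LauncherActivity
"""
SAMPLE_BOOT = """Receiver Resolver Table:
  android.intent.action.BOOT_COMPLETED:
    com.example.messenger/.BootReceiver
    com.example.sysservice/.boot.StartReceiver
    org.example.notes/.SyncReceiver
    com.android.providers.calendar/.CalendarReceiver
"""


def packages_with_component(text: str) -> set[str]:
    """Package part of every package/Component token in a resolver listing."""
    return {m.group(1) for m in COMPONENT.finditer(text)}


def third_party_packages(text: str) -> set[str]:
    """Packages from `pm list packages -3` output (lines like 'package:com.foo')."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def hidden_autostart(launcher_out: str, boot_out: str, pm_out: str) -> list[str]:
    """Third-party packages with a BOOT_COMPLETED receiver and no launcher activity."""
    visible = packages_with_component(launcher_out)
    boot = packages_with_component(boot_out)
    third = third_party_packages(pm_out)
    return sorted((boot & third) - visible)


def run(cmd: list[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if "--device" in sys.argv:
        result = hidden_autostart(run(CMD_LAUNCHER), run(CMD_BOOT), run(CMD_THIRD_PARTY))
    else:
        result = hidden_autostart(SAMPLE_LAUNCHER, SAMPLE_BOOT, SAMPLE_PM)
    for pkg in result:
        print("review:", pkg)
```

Treat the output as a review list, not a verdict: keyboards, widgets and wallpaper providers legitimately have no launcher icon, and an app can persist without a boot receiver (a foreground service, a scheduled job, or accessibility or device-admin privileges), so a clean result does not prove the absence of spyware.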
“Instead, we recommend adding all actions aimed at accessing sensitive data to the privacy dashboard and regularly notifying users of the existence of overprivileged apps,” the researchers write.
Disclosures, safeguards and next steps
The researchers disclosed all of their findings to every affected app vendor. None had responded by the time the paper was published.
To prevent misuse of the code they developed, the researchers make it available only on request, to people who can demonstrate a legitimate use.
Future work will continue at New York University in the group of Associate Professor Damon McCoy, a former UC San Diego Ph.D. student. Many spyware apps appear to have been developed in China and Brazil, so further study of the supply chain that enables their installation in those countries is needed.
“Each challenge highlights the need for more creative, diverse, and comprehensive interventions by industry, government, and the research community,” the researchers write. “Although technical protection can be part of the solution, the scope of the problem is much larger. A wider range of measures should be considered, including payment interventions from companies such as Visa and PayPal, regular government action, and additional law enforcement measures, which may be needed to prevent surveillance from becoming a commodity.”
The work was funded in part by the National Science Foundation and received operating support from the UC San Diego Center for Networked Systems.
No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps
UC San Diego: Enze Liu, Sumanth Rao, Grant Ho, Stefan Savage, and Geoffrey M. Voelker
Cornell Tech: Sam Havron
New York University: Damon McCoy