This is what happens when your phone is spying on you

According to a team of computer scientists in New York and San Diego, smartphone spyware that allows people to spy on each other are not only difficult to spot and detect, but also easily leak the sensitive personal data they collect.

Although publicly promoted as a tool for monitoring minor children and employees using their employer’s equipment, spyware applications are also often used by abusers to secretly spy on their spouse or partner.

These applications require little technical expertise from abusers; offers detailed installation instructions; and they only need temporary access to the victim’s device. Once installed, they covertly record the victim’s device activity – including text messages, emails, photos or voice calls – and allow attackers to view this information remotely via a web portal.

Spyware has become an increasingly serious problem. According to a recent study by Norton Labs, the number of devices containing spyware in the United States increased by 63% between September 2020 and May 2021. A similar report from UK-based Avast recorded a staggering 93% increase in spyware usage. applications during a similar period.

If you want to know if your device is infected by one of these apps, check your privacy dashboard and the list of all apps in your settings, the research team says.

“This is a real problem and we want to bring it to the attention of everyone, from victims to the research community,” said Enze Alex Liu, first author of the study No Privacy among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware. Applications and a computer science Ph.D. student at the University of California, San Diego.

Liu and the research team will present their work at the Privacy Enhancing Technologies Symposium in Switzerland in the summer of 2023.

Researchers conducted an in-depth technical analysis of 14 leading spyware apps for Android phones. While Google does not allow such apps to be sold on the Google Play app store, Android phones usually allow such invasive apps to be downloaded individually from the Internet. The iPhone, in comparison, does not allow such “sideloading,” and so consumer spyware applications on this platform tend to have much more limited and less invasive capabilities.

What are spyware applications?

Spyware applications run secretly on the device, most often without the knowledge of the device owner. They collect a range of sensitive information such as location, text messages and calls, audio and video. Some apps can even stream live audio and video. All this information reaches the abuser through an online spyware portal.

Spyware apps are sold directly to the general public and are relatively inexpensive—typically between $30 and $100 per month. They are easy to install on a smartphone and require no special knowledge to install or operate. However, users must have temporary physical access to their target’s device and install apps that cannot be found in pre-approved app stores.

How do spyware applications collect data?

Researchers have found that spyware applications use a wide range of techniques to covertly capture data. For example, an app uses an invisible browser that can stream live video from a device’s camera to a spyware server. Apps can also record phone calls through the device’s microphone and sometimes activate the speaker function in hopes of capturing what the interlocutors are saying.

Many applications also take advantage of the accessibility features of smartphones, which are designed to read on-screen content for visually impaired users. On Android, these features effectively allow spyware to record keystrokes, for example.

Researchers have found several ways to hide apps on a target’s device.

For example, apps can be set not to appear in the launch bar when they are first opened. App icons can also disguise themselves as “Wi-Fi” or “Internet Service”.

Four of the spyware applications receive commands via SMS. Two of the apps analyzed by the researchers did not verify that the text message was from the client and executed the commands anyway. An app can even execute a command that can remotely wipe a victim’s phone.

Deficiencies in data security

The researchers also examined how seriously spyware applications protect the sensitive user data they collect. The short answer: not very seriously. Many spyware applications use unencrypted communication channels to transmit the data they collect, such as photos, text, and location data. Only four of the 14 researchers surveyed did this. This data also includes the login data of the person who purchased the application. All of this information can easily be collected by someone else over WiFi.

Most of the apps analyzed by the researchers store the same data on public URLs that can be accessed by anyone with the link. Additionally, in some cases, user data is stored in predictable URLs that allow access to multiple account data by simply removing a few characters from the URLs. In one case, researchers identified an authentication flaw in a leading spyware service that allowed any party to access all of the data on every account.

In addition, many of these applications retain confidential data without a customer agreement or after the customer has stopped using them. Four of the 14 tested applications do not delete data from spyware servers even if the user has deleted their account or the application’s license has expired. One app records the victim’s data during a free trial period, but only makes it available to the abuser after paying for the subscription. And if the abuser doesn’t get a subscription, the app keeps the data anyway.

Protection against spyware

“We propose that Android enforce stricter requirements on which apps can hide icons,” the researchers write. “Most apps running on Android phones should have an icon that appears on the launchpad.”

The researchers also found that many spyware applications resisted removal attempts. Some have automatically restarted themselves after being shut down by the Android system or after restarting the device. “We recommend adding a dashboard to monitor autostart applications,” the researchers write.

To combat spyware, Android devices use a variety of methods, including a flag visible to the user that cannot be dismissed while an app is using the microphone or camera. But these methods can fail for various reasons. For example, legitimate use of the device may also trigger the microphone or camera light.

“Instead, we recommend adding all actions aimed at accessing sensitive data to the privacy dashboard and regularly notifying users of the existence of overprivileged apps,” the researchers write.

Disclosures, safeguards and next steps

The researchers disclosed all their findings to all affected application vendors. No one responded to the notices until the publication date of the paper.

To prevent misuse of the code they develop, researchers only make their work available upon request to users who can demonstrate that they are using it legitimately.

Future work will continue at New York University in the group of Associate Professor Damon McCoy, a former UC San Diego Ph.D. Many spyware applications appear to have been developed in China and Brazil, so further study of the supply chain that enables installation in these countries is needed.

“Each challenge highlights the need for more creative, diverse, and comprehensive interventions by industry, government, and the research community,” the researchers write. “While technical protections may be part of the solution, the scope of the problem is much larger. A wider range of measures should be considered, including payment interventions from companies such as Visa and Paypal, regular government crackdowns and additional law enforcement measures. also to prevent surveillance from becoming a commodity.”