Misused monitoring tools turn phones into spies for spouses

Time to check your smartphone for a curious new icon that could not only be secretly spying on you, but also leaking sensitive personal data across the web

A study by computer scientists from New York and San Diego reveals that smartphone spyware apps, which enable users to secretly monitor others, are not only difficult to detect but also put sensitive personal information at risk. Marketed as tools for monitoring underage children or employees using company equipment, these apps are often misused by abusers to spy on spouses or partners.

The researchers found that these apps are easy to use, requiring little technical expertise from the abusers. They provide detailed installation instructions and only necessitate temporary access to the victim's device. Once installed, the apps discreetly record the victim's activities, such as text messages, emails, photos, and voice calls, which can be reviewed remotely via a web portal.

Spyware has become an increasingly significant issue, with Norton Labs reporting a 63% increase in devices with spyware apps in the United States between September 2020 and May 2021. A similar study by Avast in the United Kingdom showed an astounding 93% rise in the use of such apps during the same period.

“This is a real-life problem and we want to raise awareness for everyone, from victims to the research community,” says Enze Liu, the first author of the paper No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps and a computer science PhD student at the University of California San Diego.

Liu and the research team will present their work at the Privacy Enhancing Technologies Symposium in summer 2023 in Zurich, Switzerland.

Spy apps gather texts, calls, and even audio and video.

Researchers conducted a thorough technical analysis of 14 leading spyware apps, which are typically prohibited on Google's Play app store but can be downloaded via the web. In contrast, the iPhone does not permit such "side loading," resulting in more limited and less invasive spyware apps on its platform.

Spyware apps run covertly on devices, often without the owner's knowledge, collecting sensitive data such as location, texts, calls, and even audio and video. The information is then sent to an abuser through an online portal. These apps are easily accessible to the general public, with prices ranging from US$30 to US$100 per month, and require no specialised knowledge to install or operate.

The researchers discovered that these apps employ various techniques to secretly record data, including using invisible browsers to stream live video and exploiting accessibility features for vision-impaired users to record keystrokes on Android phones. Spyware apps also utilise methods to remain hidden on target devices, such as not appearing in the launch bar or disguising app icons as "Wi-Fi" or "Internet Service."

Alarmingly, the study found that many spyware apps use unencrypted communication channels, making the collected data, including the buyer's login credentials, vulnerable to interception over WiFi. Additionally, most of the analysed apps stored data in public or predictable URLs, further exposing sensitive information. In one case, an authentication weakness enabled access to data across all accounts of a leading spyware service.

The researchers also highlighted the issue of data retention, with several apps failing to delete data from their servers even after a user deleted their account or the app's licence expired. 

“Our recommendation is that Android should enforce stricter requirements on what apps can hide icons,” the researchers write. “Most apps that run on Android phones should be required to have an icon that would appear in the launch bar.”

The researchers also found that numerous spyware apps are difficult to uninstall and may automatically restart themselves after being halted by the Android system or following a device reboot. The researchers suggest implementing a dashboard to monitor apps that can automatically start themselves in order to better manage this issue.

Android devices employ various methods to combat spyware, such as displaying a visible, non-dismissible indicator when an app is using the microphone or camera. However, these methods can be ineffective for multiple reasons, including the possibility of legitimate device use also activating the indicator.

The researchers shared their findings with all affected app vendors, but received no responses by the paper's publication date. To prevent the misuse of the code they developed, the researchers will only provide access to their work upon request and if users can prove they have a legitimate need for it.

Future research will be conducted at New York University under the guidance of Associate Professor Damon McCoy, a UC San Diego PhD alumnus. As many spyware apps appear to originate in China and Brazil, further investigation of the supply chain enabling their installation outside of these countries is necessary.

“All of these challenges highlight the need for a more creative, diverse and comprehensive set of interventions from industry, government and the research community,” the researchers write. “While technical defences can be part of the solution, the problem scope is much bigger. A broader range of measures should be considered, including payment interventions from companies such as Visa and Paypal, regular crackdowns from the government, and further law enforcement action may also be necessary to prevent surveillance from becoming a consumer commodity.”

Share

Featured Articles

Gartner unveils top cybersecurity predictions for 2023-2024

Half of CISOs will formally adopt human-centric design practices into their cybersecurity programmes, while adoption of zero trust architecture will rise

DDoS protection market to grow amid increase in attacks

According to research by Cloudflare, DDoS attacks increased by 109% last year, with the last 12 months seeing some of the largest attacks the world

The impact data poisoning has on cyber and AI

We take a look at why the risks of data and AI poisoning is continuing to wreak havoc on the cybersecurity industry

Five innovative ways AI can help prevent cyber attacks

Cyber Security

SailPoint delivers new non-employee risk management solution

Cyber Security

Akamai shares details of Asia’s record-breaking DDoS attack

Network Security