Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Finding and Eradicating Spyware and Stalkerware on Your Phone

September 12, 2018

I seem to be immersed in family law this week – blame it on a CLE I am scheduled to give to local family law attorneys.

ZDNet carried an excellent post on September 6th entitled “The ultimate guide to finding and killing spyware and stalkerware on your smartphone.”

The guide runs you through what spyware is, what the warning signs of infection are, and how to remove spyware from your mobile devices.

Spyware and so-called “stalkerware” can result in victims being spied on and in the theft of data, including images and video. They may also allow operators – whether cybercriminals, a spouse or a significant other – to monitor emails and SMS and MMS messages sent and received, intercept live calls in order to eavesdrop across standard telephone lines or Voice over IP (VoIP) applications, and more.

Stalkerware has become an established term in its own right, coined after a series of investigations conducted by Motherboard. Whereas spyware rarely singles out individuals, unless it is in the hands of law enforcement or unscrupulous government agencies, stalkerware is generally perceived as software that anyone can buy, in order to spy on those closest to them.

This can include the stalkerware stealing images and text messages, eavesdropping on phone calls and covertly recording conversations made over the internet. Stalkerware may be able to also intercept app communications made through Skype, Facebook, WhatsApp, and iMessage. Both terms, spyware and stalkerware, relate to similar malicious software functions. However, the latter is deemed more personal in use. I am not sure the lines are clearly drawn here as we see the term spyware used more often than stalkerware in family law cases.

To avoid potential legal issues, many spyware vendors market their offerings as services for parents seeking a way to monitor their child’s mobile device usage. However, anyone willing to pay for the software can acquire it and monitor an adult.

If you say you are monitoring a child, but are obviously monitoring a parent, don’t expect any sympathy from judges. It is usually clear which person is really the target of the spyware.

Spyware and stalkerware are found less commonly in businesses although some software solutions are marketed for companies to keep track of employee mobile devices and their activities. Most companies today, as a matter of policy and security, advise employees that all activity on company-owned machines may be monitored.

The post covers some of the following spyware/stalkerware:

  • SpyPhone Android Rec Pro: This spyware claims to offer “full control” over a smartphone’s functions, including listening in to the background noise of calls and recording them in their entirety; intercepting and sending copies of SMS and MMS messages sent from the victim’s phone, sending activity reports to the user’s email address, and more.
  • FlexiSpy: One of the most well-known forms of stalkerware out there is FlexiSpy, which markets itself using the slogan: “It takes complete control of the device, letting you know everything, no matter where you are.” FlexiSpy is able to monitor both Android smartphones and PCs and is willing to deliver a device with the malware pre-installed to users. The spyware is able to listen in on calls, spy on apps including Facebook, Viber, and WhatsApp, turn on the infected device’s microphone covertly, record Android VoIP calls, exfiltrate content such as photos, and intercept both SMS messages and emails.
  • mSpy: Another stalkerware app which markets itself as a service for parents, mSpy for the iPhone allows users to monitor SMS messages, phone calls, GPS locations, apps including Snapchat & WhatsApp, and also includes a keylogger to record every keystroke made.
  • PhoneSpector: Designed for both Android and iOS phones, PhoneSpector claims to offer “undetectable remote access.” While a disclaimer says that the service is designed for parents and businesses seeking to track company-owned devices used by employees only, the implementation of the software is made through common tactics used by malware and phishing campaigns. “All you have to do is text or email the OTA (over-the-air) link to the target device and our automated system will set up data transfer protocol and the necessary info for you to monitor the device,” the company proclaims. “Just tap a few buttons, then login to your online account! You can be viewing texts, calls, GPS and more within a few short minutes!”

Spyera, SpyBubble, Android Spy, and Mobistealth are a few more examples of stalkerware which offer similar features, among many, many more which are in what has become a booming business.

It is also worth noting that you can be tracked by legitimate software which has been abused. Whether or not GPS is turned on, some information recovery apps and services designed to track down a phone in the case of loss or theft can be turned against victims to track their location instead.

Spyware and stalkerware need to find a way to infiltrate a victim’s mobile device. Most of the time, this is simply done by installing the software on to the device physically, thus giving the app all the permissions it needs at the same time.

However, there are also remote options which do not need physical access. These versions will use the same tactics of cybercriminals — a link or email attachment sent together with the spyware.

WARNING SIGNS: If you find yourself the recipient of odd or unusual social media messages, text messages, or emails, this may be a warning sign and you should delete them without clicking on any links or downloading any files. If stalkers employ this tactic, they need you to respond to it. There’s no magic way to send spyware over the air; instead, physical access or the accidental installation of spyware by the victim is necessary. In other words, be suspicious!

In the case of potential physical tampering, it can take just minutes for spyware to be installed on a device. If your phone or laptop goes missing and reappears with different settings or changes that you do not recognize, this may be an indicator of compromise. However, in most cases, we have found that there is no obvious indicator of compromise – until one party learns that someone close to them knows way more than they should about where they are and what they are doing.

Digital forensics can often (but not always) discover and document the existence of surveillance software. For instance, a giveaway on an Android device is a setting which allows apps to be downloaded and installed outside of the official Google Play Store. If enabled, this may indicate tampering and jailbreaking without consent.

There are many other methods that digital forensics technologists can use to hunt down spyware – if they are experienced in family law cases, they are more likely to be successful in uncovering and documenting spyware.

If spyware is found, you will need to have it removed from your device. Digital forensics technologists are generally the most qualified to assist you. This is not a job for the Geek Squad. You will be advised to change ALL of your passwords and to enable two-factor authentication wherever possible. Your expert will also update your operating system with security patches and upgrades to help prevent further problems. Always protect your devices with a strong PIN or password.

If you are advised to do a factory reset, grit your teeth and do it, having your expert back up important data first. Finding and eradicating spyware is tricky – we own many types of software just so we can install it and watch how it behaves on a device not connected to anything else. Devilishly clever, some of it. But if someone near to you knows far too much about your whereabouts and activities, you have to at least consider the possibility that spyware exists on one or more of your devices.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson