This is what happens when your phone is spying on you

Smartphone spyware apps that allow people to spy on each other are not only hard to notice and detect, but will also easily leak sensitive personal information they collect, says a team of New York and San Diego computer scientists.

While publicly marketed as tools to monitor underage children and employees using their employer’s equipment, abusers also frequently use spyware applications to covertly spy on a spouse or partner.

These apps require little or no technical expertise from the abusers; offer detailed installation instructions; and they only need temporary access to the victim’s device. After installation, they covertly record the activities of the victim’s device, including text messages, emails, photos, or voice calls, and allow abusers to review this information remotely through a web portal.

Spyware has become an increasingly serious problem. In a recent Norton Labs study, the number of devices running spyware apps in the United States increased by 63% between September 2020 and May 2021. A similar report from Avast in the United Kingdom recorded a staggering 93% increase in the use of spyware. applications during a similar period.

If you want to know if your device has been infected by one of these apps, you should check your privacy panel and the list of all apps in settings, the research team says.

“This is a real-life issue and we want to raise awareness for everyone, from victims to the research community,” said Enze Alex Liu, first author of the article No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps and a PhD in computer science. student at the University of California San Diego.

Liu and the research team will present their work at the Privacy Enhancing Technologies Symposium in summer 2023 in Switzerland.

Researchers conducted an in-depth technical analysis of 14 leading spyware apps for Android phones. While Google does not allow such apps to be sold on its Google Play app store, Android phones commonly allow such invasive apps to be downloaded separately over the Web. The iPhone, by comparison, does not allow such “sideloading” and therefore consumer spyware apps on this platform tend to have much more limited and less invasive capabilities.

What are spyware applications?

Spyware apps run surreptitiously on a device, most of the time without the device owner’s knowledge. They collect a variety of sensitive information, such as location, text messages and calls, as well as audio and video. Some apps can even stream live audio and video. All of this information is delivered to an abuser through an online spyware portal.

Spyware applications are marketed directly to the general public and are relatively inexpensive, typically $30-$100 per month. They are easy to install on a smartphone and do not require specialized knowledge to implement or operate. But users must have temporary physical access to their target’s device and the ability to install apps that aren’t in pre-approved app stores.

How do spyware apps collect data?

The researchers discovered that spyware applications use a wide range of techniques to surreptitiously record data. For example, an app uses an invisible browser that can stream live video from the device’s camera to a spyware server. Apps can also record phone calls through the device’s microphone, sometimes turning on the speakerphone in the hopes of capturing what the callers are saying as well.

Several apps also take advantage of accessibility features on smartphones, designed to read what appears on the screen for users with low vision. On Android, these features allow spyware to log keystrokes, for example.

The researchers also found various methods that the apps use to hide themselves on the target device.

For example, apps can specify that they not appear on the launch bar when they are initially opened. App icons also pose as “Wi-Fi” or “Internet Service.”

Four of the spyware applications accept commands via SMS messages. Two of the apps the researchers analyzed didn’t check to see if the text message came from their client and executed the commands anyway. An app could even run a command that could remotely wipe the victim’s phone.

Data security loopholes

The researchers also studied how seriously spyware applications take to protect the sensitive user data they collect. The short answer is: not really seriously. Various spyware applications use unencrypted communication channels to transmit the data they collect, such as photos, texts, and location. Only four of the 14 that the researchers studied did this. That data also includes the login credentials of the person who purchased the app. All of this information could easily be collected by someone else over WiFi.

In most of the apps the researchers analyzed, the same data is stored on public URLs that can be accessed by anyone with the link. Also, in some cases, user data is stored in predictable URLs that allow data from multiple accounts to be accessed by simply changing a few characters in the URLs. In one case, researchers identified an authentication weakness in a leading spyware service that would allow any party to access all of the data in every account.

Additionally, many of these applications retain sensitive data without a customer contract or after a customer has stopped using them. Four of the 14 apps studied do not remove data from spyware servers, even if the user deleted their account or the app’s license expired. An app captures data from the victim during a free trial period, but only makes it available to the abuser after they have paid for a subscription. And if the abuser doesn’t get a subscription, the app keeps the data anyway.

How to counter spyware

“Our recommendation is that Android should place stricter requirements on which apps can hide icons,” the researchers write. “Most apps running on Android phones should have an icon that would appear in the launch bar.”

The researchers also found that many spyware applications resisted attempts to uninstall them. Some also rebooted automatically after being stopped by the Android system or after the device was rebooted. “We recommend adding a dashboard to monitor applications that will start automatically,” the researchers write.

To counter spyware, Android devices use several methods, including a user-visible indicator that cannot be dismissed while an app is using the microphone or camera. But these methods can fail for various reasons. For example, legitimate uses of the device may also trigger the microphone or camera indicator.

“Instead, we recommend that all actions to access sensitive data be added to the privacy panel and that users be regularly notified of apps with an excessive amount of permissions,” the researchers write.

Disclosures, Safeguards, and Next Steps

The researchers disclosed all their findings to all affected application providers. No one responded to the disclosures before the article’s publication date.

To prevent abuse of the code they developed, the researchers will only make their work available to users who request it and who can show they have a legitimate use for it.

Future work will continue at New York University, in the group of Associate Professor Damon McCoy, who has a Ph.D. from UC San Diego. old student. Many spyware applications appear to be developed in China and Brazil, so further study of the supply chain is needed to enable installation outside of these countries.

“All of these challenges highlight the need for a more creative, diverse, and comprehensive set of interventions by industry, government, and the research community,” the researchers write. “While technical defenses may be part of the solution, the scope of the problem is much larger. A broader range of measures should be considered, including payment interventions by companies like Visa and Paypal, regular government crackdowns, and more steps may be taken to enforce the law.” it will also be necessary to prevent surveillance from becoming a consumer good.”