Introduction

In 2023, over 50% of mobile apps were found to collect unnecessary user data, turning trusted tools into potential spyware. Users often assume that spyware comes from shady downloads, but your favorite flashlight or weather app might be monitoring you. The pop-ups users see when setting up a newly downloaded app ask them to allow the app to track their data.

Everyday apps can act as spyware, harvesting user data, exploiting permissions, and serving as gateways for cyber threats. Users wave through many of these prompts or allow their data to be shared, but more than a simple exchange of relevant data may be happening behind the scenes. From 2015 to the present day, there has been a large rise in mobile spyware.

This article explores the cybersecurity risks posed by ordinary mobile apps, focusing on how they can function as surveillance tools, expose users to data breaches, and be leveraged by attackers, creating both individual and organizational risk.

Over-Permissioned Apps: A Cybersecurity Weak Spot

Mobile apps often request excessive permissions (camera, microphone, GPS, etc.) without clear justification. This is where the risk lies: each granted permission widens the attack surface, and a compromised app can give attackers direct access to sensitive user data. Apps can also be turned against their own users by software known as “stalkerware.”

According to an article published by the Electronic Frontier Foundation in 2021, “The Federal Trade Commission (FTC) today banned the Android app company Support King and its CEO Scott Zuckerman, developers of SpyFone, from the surveillance business. The app sold real-time access to surveillance, allowing stalkers and domestic abusers to track potential targets of their violence.” Spyware poses a serious risk to its victims, and, unfortunately, companies also legally collect user data under vague Terms of Service.
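The permission audit that this section calls for can be done mechanically against an app's manifest. The following is an added example, not code from the original article or from any vendor: it parses an Android manifest, picks out the permissions that expose sensors or personal data, and reports those that a reviewer has not judged necessary for the app's stated purpose. The manifest and the reviewer's baseline for a hypothetical flashlight app are constructed for the example; the permission names are real Android permissions.

```python
# Added example: audit an Android manifest for sensitive permissions that
# go beyond what a reviewer judged necessary for the app's stated purpose.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that expose sensors or personal data.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name="..."> in document order."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return [n for n in names if n]

def excess_sensitive(manifest_xml: str, justified: set[str]) -> dict[str, str]:
    """Sensitive permissions declared but not justified, mapped to what each grants."""
    return {
        p: SENSITIVE[p]
        for p in declared_permissions(manifest_xml)
        if p in SENSITIVE and p not in justified
    }

# Constructed manifest for a hypothetical flashlight app (not a real app).
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Reviewer's judgement (an assumption for this example): the torch is driven
# through the camera hardware, so CAMERA is justified; nothing else is.
FLASHLIGHT_JUSTIFIED = {"android.permission.CAMERA"}

if __name__ == "__main__":
    for perm, grants in excess_sensitive(FLASHLIGHT_MANIFEST, FLASHLIGHT_JUSTIFIED).items():
        print(f"UNJUSTIFIED: {perm} -> {grants}")
```

Run against the constructed manifest, the script flags location, contacts and microphone access as unjustified for a flashlight, which is exactly the pattern the section warns about.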

Legit Apps, Malicious SDKs: The Insider Threat

Although the risk from outright spyware is obvious, even reputable apps can become threats through third-party SDKs (Software Development Kits) that carry embedded malicious code. Such SDKs can exfiltrate data, monitor user behavior, and even download payloads remotely. They often leak data through ad networks or connect to foreign C2 (Command & Control) servers.

Portnox, a cybersecurity forum, writes, “A C2 server is used by attackers to remotely control compromised devices within a target network. Once malware infects a system, that system will typically connect to the C2 server.” The Portnox article states that, over this channel, attackers can issue commands, receive stolen data, push updates, and coordinate attacks. C2 servers are the hub from which attackers manage infected machines, so blocking them is critical to stopping attacks before they escalate.

Stalkerware, Spyware, and Nation-State Tools

Apps posing as parental-control or phone-tracking tools are used for targeted surveillance. These apps run in stealth mode and bypass standard detection tools. One of the most prominent recent examples is Pegasus, which has turned smartphones into persistent surveillance devices and sparked global concern about cyber-espionage.

Andrew Zola writes, “Pegasus malware is a spyware that can hack any iOS or Android device and steal a variety of data from the infected device, including text messages, emails, key logs, audio and information from installed applications. (3)” This breach of privacy leaves user data exposed to leaks and to malicious attackers across a variety of attack surfaces.

According to CISA.gov, “Nation-state actors and nation-state-sponsored entities pose an elevated threat to national security. (4)” CISA identifies Chinese, Iranian, North Korean, and Russian government entities as known sources of advanced persistent threat (APT) activity. (4)

Mobile App Vulnerabilities & Supply Chain Risk

Developers who use outdated libraries or insecure APIs introduce vulnerabilities, including zero-days, into applications that receive little security oversight. A zero-day vulnerability is a flaw unknown to the developers or vendor at the time attackers begin exploiting it, so no patch yet exists. Threat actors often exploit these flaws for remote code execution (RCE) or privilege escalation.

Mobile app ecosystems’ dependence on third-party code increases supply chain risk, as the XcodeGhost (iOS) and Joker (Android) malware families demonstrated. With more small businesses and corporations running their operations on iOS and Android apps, from platforms such as Squarespace to third-party distributors managed from mobile devices, critical infrastructure is left susceptible to exploitation by these attackers and their software. Vetting third-party libraries and enforcing secure coding standards can reduce the risk.

Conclusion

In conclusion, everyday apps can act as spyware, with serious cybersecurity implications. Cyber hygiene, permission auditing, and app vetting are essential to reduce the attack surface. As attackers evolve, so must our approach to mobile cybersecurity, with a focus on proactive defense, threat intelligence, and user education.

Educating users on potential threats will help to mitigate the risk of potential attacks on businesses and supply chain providers. Users should review app permissions weekly and install reputable antivirus software. Proactive security will always prove to be the most valuable tool in achieving a strong security posture.

Thomas Chustz, Information Security Analyst

Thomas started at TraceSecurity as a part of the Atlas team of associate information security analysts, performing remote social engineering and penetration tests. Now, as a full-time ISA, he has started performing some of our risk assessment and IT security audit services. Thomas earned a Bachelor of Science in Psychology from Louisiana State University and is currently working toward his Security+ certification.