A team of computer scientists has warned of the dangers of smartphone spyware apps, saying they can easily leak sensitive personal information.
The University of California, San Diego team also warned that spyware apps are difficult to notice and detect.
These apps are marketed to monitor children’s internet usage and employers’ use of work property. However, they are also commonly used by criminals to secretly spy on a spouse or partner. These apps require little to no technical expertise from the perpetrators, provide detailed installation instructions, and require only temporary access to a victim’s device. This is a massive data breach and has many cybersecurity implications.
Spyware has become an increasingly serious problem. In a recent study by Norton Labs, the number of devices running spyware apps in the United States increased by 63% between September 2020 and May 2021. A similar report by Avast in the UK saw a sharp 93% increase in the use of spyware apps over a comparable period.
“This is a real problem, and we want to raise awareness for everyone, from the victims to the research community,” said Enze Alex Liu, a graduate student in computer science at the University of California and the paper’s lead author.
For their research, the team conducted an in-depth technical analysis of 14 leading spyware apps for Android phones. While Google does not allow such apps to be sold on the Google Play app store, Android phones generally allow such invasive apps to be downloaded separately over the Internet. iPhones, by comparison, don’t allow this, so consumer spyware apps on this platform tend to be far more limited and less invasive in their capabilities.
The study “No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps” will be presented at the Privacy Enhancing Technologies Symposium in Zurich, Switzerland.
What are spyware apps and how do they collect private data?
Spyware apps often run on our devices without our knowledge. They collect sensitive information such as location, texts and calls, as well as audio and video data. Some apps can even stream live audio and video.
Spyware apps are marketed directly to the general public and are relatively inexpensive – typically between $30 and $100 per month. They are easy to install on a smartphone and require no special skills to deploy or operate. However, users need temporary physical access to their target’s device and the ability to install apps that are not in the pre-approved app stores.
Researchers found that spyware apps use various techniques to secretly record data. For example, an app uses an invisible browser to stream live video from the device’s camera to a spyware server. These apps can also record phone conversations using the device’s microphone and sometimes turn on the speakerphone feature to capture what people are saying. In addition, several apps also take advantage of accessibility features on smartphones that are designed to read aloud what’s on the screen to visually impaired users.
Researchers also discovered that the app uses multiple methods to hide itself on the target’s device. For example, apps can choose not to appear in the launch bar when first opened.
Four spyware apps accept commands via SMS, two did not check whether the SMS came from their client and executed the commands anyway. Alarmingly, one app was even able to run a command that could remotely wipe the victim’s phone.
There are serious gaps in data security
As part of the research, researchers evaluated how well spyware apps protect the sensitive data they collect. They found out that many of the apps use unencrypted communication channels to transmit the collected data like photos, texts and location.
Of the 14 apps examined, four had this feature. This data also includes the login data of the person who bought the app. The researchers found that someone else could easily collect all of this personal information over Wi-Fi, indicating serious privacy and security vulnerabilities.
© Jacobs School of Engineering/University of California San Diego
This app launcher on Android phone shows app icons: The Spyhuman app installed itself as a harmless-looking WiFi icon.
Most spyware apps store the same data in public URLs that anyone with the link can access. In some cases, user data is stored in predictable URLs that allow data to be accessed across multiple accounts simply by swapping a few characters in the URLs. In one case, researchers identified an authentication weakness in a leading spyware service that would allow any party to access any data for any account.
Additionally, many of these apps store sensitive data without a customer contract or after a customer stops using it. Four of the 14 apps examined do not delete data from the spyware servers – even if the user has deleted their account or the app’s license has expired. An app collects data from the victim during a free trial period, but only makes it available to the perpetrator after he has paid for a subscription.
How can we fight spyware apps and ensure our data stays protected?
“We recommend that Android should enforce stricter requirements for which apps can hide icons,” the researchers write in their paper. “Most apps running on Android phones should have an icon that appears in the launch bar.”
Also, since many spyware apps resist attempts to uninstall them, the researchers recommended adding a dashboard to monitor apps that launch automatically. Some also restarted themselves automatically after being stopped by the Android system or after the device restarted.
To combat spyware, Android devices use various methods, including a visible indicator to the user that cannot be hidden while an app is using the microphone or camera. But these methods may fail due to various reasons. For example, legitimate uses of the device may also trigger the microphone or camera indicator.
The team explained: “Instead, we recommend that all actions to access sensitive data are added to the privacy dashboard and that users should be regularly notified of the existence of apps with excessive privileges.”
Next steps for data monitoring
The researchers shared all of their findings with all affected app vendors, but none responded to the disclosures by the paper’s publication date. Therefore, to avoid misuse of the code they develop, the researchers only make their work available upon request to users who can prove their legitimate use for it.
Future work will continue at New York University by a group led by Associate Professor Damon McCoy, a UC San Diego PhD alumnus. Many spyware apps are developed in China and Brazil, so further investigation of the supply chain is required that allows installation outside of these countries.
The researchers concluded: “All of these challenges underscore the need for more creative, diverse and inclusive responses from industry, government and the research community.
“While technical defenses can be part of the solution, the problem area is much larger. A broader range of measures should be considered, including payment interventions by companies such as Visa and PayPal, regular government crackdowns, and further law enforcement action may also be needed to prevent surveillance from becoming a consumer product.”
