Image: This app launcher on an Android phone shows app icons: The Spyhuman app installed itself as a harmless-looking WiFi icon.
Photo credit: Jacobs School of Engineering/University of California San Diego
Smartphone spyware apps that allow people to spy on each other are not only difficult to notice and detect, they also easily leak the sensitive personal information they collect, says a team of computer scientists from New York and San Diego.
While spyware apps are publicly marketed as tools to monitor underage children and employees using their employer’s devices, they are also commonly used by criminals to covertly spy on a spouse or partner. These apps require little to no technical expertise from the abusers, offer detailed installation instructions, and only require temporary access to a victim’s device. Once installed, they secretly record the victim’s device activities – including any text messages, emails, photos or voice calls – and allow abusers to remotely check this information via a web portal.
Spyware has become an increasingly serious problem. In a recent study by Norton Labs, the number of devices running spyware apps in the United States increased by 63% between September 2020 and May 2021. A similar report by Avast in the UK saw a staggering 93% increase in spyware app usage over a similar period of time.
If you want to know if your device has been infected by one of these apps, you should check your privacy dashboard and the listing of all apps in Settings, the research team says.
“This is a real problem, and we want to raise awareness for everyone, from victims to the research community,” said Enze Alex Liu, the first author of the paper “No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps” and a computer science Ph.D. student at the University of California San Diego.
Liu and the research team will present their work at the Privacy Enhancing Technologies Symposium in summer 2023 in Zurich, Switzerland.
The researchers performed an in-depth technical analysis of 14 leading spyware apps for Android phones. While Google does not allow such apps to be sold on its Google Play app store, Android phones generally allow such invasive apps to be downloaded separately over the Internet. By comparison, the iPhone does not allow such “side loading” and as such, consumer spyware apps on this platform tend to be far more limited and less invasive in their capabilities.
What are spyware apps?
Spyware apps run stealthily on a device, mostly without the knowledge of the device owner. They collect a range of sensitive information such as location, texts and calls, and audio and video data. Some apps can even stream live audio and video. All of this information is conveyed to a perpetrator via an online spyware portal.
Spyware apps are marketed directly to the general public and are relatively inexpensive – typically between $30 and $100 per month. They are easy to install on a smartphone and require no special skills to deploy or operate. However, users must have temporary physical access to their target’s device and the ability to install apps that are not included in the pre-approved app stores.
How do spyware apps collect data?
Researchers found that spyware apps use a variety of techniques to secretly record data. For example, one app uses an invisible browser that can stream live video from the device’s camera to a spyware server. Apps can also record phone conversations using the device’s microphone and sometimes turn on the speakerphone feature in hopes of capturing what other people are saying as well.
Several apps also take advantage of accessibility features on smartphones designed to read what’s on the screen to visually impaired users. For example, on Android, these features allow spyware to record keystrokes.
The researchers also found several methods the apps use to hide themselves on the target’s device.
For example, apps can choose not to appear in the launch bar when first opened. App icons also disguise themselves as “WLAN” or “Internet service”.
Four of the spyware apps accept commands via SMS messages. Two of the apps analyzed by the researchers didn’t verify that the SMS came from their client and still executed the commands. One app could even run a command that could remotely wipe the victim’s phone.
Gaps in data security
The researchers also looked at how seriously spyware apps were protecting the sensitive user data they collected. The short answer is: not very seriously. Several spyware apps use unencrypted communication channels to transmit the collected data like photos, texts and location. Only four of the 14 apps the researchers studied did so. This data also includes the login data of the person who bought the app. All of this information could easily be harvested by someone else over WiFi.
In a majority of the applications analyzed by the researchers, the same data is stored in public URLs that anyone with the link can access. Additionally, in some cases, user data is stored in predictable URLs, allowing data to be accessed across multiple accounts simply by swapping a few characters in the URLs. In one case, researchers identified an authentication weakness in a leading spyware service that would allow any party to access any data for any account.
Additionally, many of these apps store sensitive data without a customer contract or after a customer stops using them. Four of the 14 apps examined do not delete data from the spyware servers, even if the user has deleted their account or the app’s license has expired. One app collects data from the victim during a free trial period, but only makes it available to the perpetrator after he has paid for a subscription. And if the offender doesn’t get a subscription, the app still keeps the data.
How to fight spyware
“Our recommendation is that Android should have stricter requirements for apps that can hide icons,” the researchers write. “Most apps running on Android phones should have an icon that appears in the launch bar.”
The researchers also found that many spyware apps resisted attempts to uninstall them. Some also restarted themselves automatically after being stopped by the Android system or after restarting the device. “We recommend adding a dashboard to monitor apps that start automatically,” the researchers write.
To combat spyware, Android devices use various methods, including a visible indicator for the user that cannot be closed while an app is using the microphone or camera. But these methods may fail due to various reasons. For example, legitimate uses of the device may also trigger the microphone or camera indicator.
“Instead, we recommend adding all actions related to accessing sensitive data to the privacy dashboard and regularly notifying users of the existence of apps with an excessive number of permissions,” the researchers write.
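The signals discussed above (hidden launcher icon, installation outside the app store, automatic start, accessibility services, many sensitive permissions) can be combined into a simple review list. The following is an added example, not the researchers' code: it runs over a constructed app inventory whose field names are hypothetical, while the permission strings and the Play Store installer package name are real Android identifiers.

```python
# Added example: triage over a CONSTRUCTED app inventory. Field names are
# hypothetical; permission and installer strings are real Android identifiers.
PLAY_STORE = "com.android.vending"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
SENSITIVE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}

def triage(app, max_sensitive=3):
    """Return the reasons a user-installed app deserves a manual look."""
    if app["system"]:  # preinstalled components often have no icon by design
        return []
    perms = set(app["permissions"])
    reasons = []
    if not app["launcher_icon"]:
        reasons.append("no launcher icon")
    if app["installer"] != PLAY_STORE:
        reasons.append("installed outside the app store")
    if BOOT in perms:
        reasons.append("starts at boot")
    if app["accessibility_service"]:
        reasons.append("accessibility service enabled")
    held = perms & SENSITIVE
    if len(held) > max_sensitive:
        reasons.append(f"{len(held)} sensitive permissions")
    return reasons

def review_list(inventory, min_reasons=3):
    """Keep apps showing several signals at once; one alone is common in benign apps."""
    hits = [(a["package"], triage(a)) for a in inventory]
    return sorted((p, r) for p, r in hits if len(r) >= min_reasons)

INVENTORY = [  # constructed sample data, not taken from a real device
    {"package": "com.example.wifiservice", "system": False, "launcher_icon": False,
     "installer": None, "accessibility_service": True,
     "permissions": [BOOT, *sorted(SENSITIVE)]},
    {"package": "com.example.chat", "system": False, "launcher_icon": True,
     "installer": PLAY_STORE, "accessibility_service": False,
     "permissions": [BOOT, "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA"]},
    {"package": "com.example.vendor.telephony", "system": True, "launcher_icon": False,
     "installer": None, "accessibility_service": False, "permissions": [BOOT]},
]

if __name__ == "__main__":
    for package, reasons in review_list(INVENTORY):
        print(package, "->", "; ".join(reasons))
```

Requiring several signals together reflects the caveat above that a single indicator, such as microphone use, is also triggered by legitimate apps.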
Disclosures, Safeguards, and Next Steps
The researchers shared all of their findings with all affected app providers. No one responded to the disclosures as of the paper’s publication date.
To avoid misuse of the code they develop, the researchers only make their work available upon request to users who can show they have a legitimate use for it.
Future work will continue at New York University in the group of Associate Professor Damon McCoy, a UC San Diego Ph.D. graduate. Many spyware apps appear to have been developed in China and Brazil, so further investigation is needed of the supply chain that allows them to be installed outside of these countries.
“All of these challenges underscore the need for more creative, diverse and inclusive responses from industry, government and the research community,” the researchers write. “While technical defenses can be part of the solution, the problem area is much larger. A broader range of measures should be considered, including payment interventions by companies such as Visa and PayPal, regular government crackdowns, and further law enforcement action may also be needed to prevent surveillance from becoming a consumer product.”
The work was funded in part by the National Science Foundation and had operational support from the UC San Diego Center for Networked Systems.
No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps
UC San Diego: Enze Liu, Sumanth Rao, Grant Ho, Stefan Savage, and Geoffrey M. Voelker
Cornell Tech: Sam Havron
New York University: Damon McCoy