Our digital selves are now an established part of our identity. The emails we send, the conversations we have over social media -- both private and public -- as well as the photos we share, the videos we watch, the apps we download, and the websites we visit all contribute to our digital personas.
There are ways to prevent a government agency, country, or cybercriminal from peeking into our digital lives. Virtual private networks (VPNs), end-to-end encryption, and using browsers that do not track user activity are all common methods.
However, governments and law enforcement agencies are now taking advantage of sophisticated spyware developed by companies like NSO. When implanted on a device, it can be extremely difficult to detect or remove.
This guide will run through different forms of malicious software on your iOS or Android handset, what the warning signs of infection are, and how to remove such pestilence from your mobile devices -- if it is possible to do so.
What is nuisanceware?
At the bottom of the pile, you have nuisanceware, which often comes in software bundles together with legitimate, free programs. Also known as Potentially Unwanted Programs (PUP), this sort of software may interrupt your web browsing with pop-ups, change your homepage settings by force, and may also gather your browsing data in order to sell it off to advertising agencies and networks.
Sometimes, nuisanceware packages are bundled with legitimate apps.
Although considered malvertising, nuisanceware is generally not dangerous or a threat to your core security -- although it may collect some of your personal data. Antivirus solutions and app scans will normally pick PUP up and wipe it from your handset without too much fuss.
What are spyware and stalkerware?
Spyware and stalkerware are types of software -- often unethical and sometimes dangerous -- that can result in the theft of data including images, video, call logs, contact lists, and more.
These types of software are sometimes found on desktop systems, but they are now most commonly implanted in mobile handsets across all operating systems.
Operators -- whether fully-fledged cybercriminals, government agents, or your nearest and dearest loved ones -- may be able to harness the software to monitor emails, SMS, and MMS sent and received; to intercept live calls for the purpose of eavesdropping across standard telephone lines or Voice over IP (VoIP) applications; to covertly record environmental noise or take photos; to track GPS locations; and to compromise commonly-used social media apps including Facebook and WhatsApp.
Stalkerware is the next step up from generic spyware and has become an established term in its own right. The difference between them is that spyware is usually more generic in purpose: stealing OS and clipboard data and anything of potential value, such as cryptocurrency wallet data or account credentials. Stalkerware, however, is downloaded to spy on someone as an individual, usually in cases of domestic abuse.
The exception, however, is when high-grade spyware is used in targeted attacks against an individual.
Spyware and stalkerware are found less commonly in the enterprise, although some software solutions are marketed for companies to keep track of employee mobile devices and their activities.
The lines here can be blurry, but if a mobile device belongs to a company and is used by a staff member in the full knowledge that it is tracked or monitored, then this may be considered accepted as part of a workspace. In these cases, employees should keep their private lives, social media, and emails on their own smartphone or tablet and off company property.
What kinds of spyware and stalkerware apps are out there?
- SpyPhone Android Rec Pro: This spyware claims to offer "full control" over a smartphone's functions, including listening in on the background noise of calls and recording them in their entirety; intercepting and sending copies of SMS and MMS messages sent from the victim's phone; sending activity reports to the user's email address; and more.
- FlexiSpy: One of the most well-known forms of stalkerware, FlexiSpy markets itself using the slogan: "Know Everything that Happens on a Computer or Smartphone, No Matter Where You Are." FlexiSpy is able to monitor both Android smartphones and PCs and is willing to deliver a device with the malware pre-installed to users. The spyware is able to listen in on calls; spy on apps including Facebook, Viber, and WhatsApp; turn on the infected device's microphone covertly; record Android VoIP calls; exfiltrate content such as photos; and intercept both SMS messages and emails. At the time of writing, marketing seems to be geared -- at least, publicly -- towards parents and business owners.
- PhoneSpector: Designed for both Android and iOS handsets, PhoneSpector claims to offer a means to "get texts, call history, GPS location, and more without having the phone in your possession."
Mobile Tracker, FoneMonitor, Spyera, SpyBubble, Android Spy, and Mobistealth are a few more examples of spyware and stalkerware which offer similar features, among many, many more in what has become a booming industry.
Highly advanced spyware, known as Pegasus, is offered by NSO Group, an Israel-based company that markets itself as a provider of solutions to "help government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe."
NSO Group has denied these accusations, but this hasn't stopped the US Department of Commerce from sanctioning the company -- alongside Candiru, Positive Technologies, and Computer Security Initiative Consultancy (COSEINC) -- for selling spyware used to attack individuals and businesses.
Apple has also launched a lawsuit against the company, seeking a permanent injunction to prevent NSO from using Apple software, services, or devices in the future. In other words, the court case is intended to stop NSO from being able to develop or sell iOS-based spyware.
What are the warning signs of spyware?
If you find yourself the recipient of odd or unusual social media messages or emails, this may be a warning sign. You should delete them without clicking on any links or downloading any files. The same goes for SMS content, too, which may contain links to lure you into unwittingly downloading spyware.
To catch a victim unaware, these messages -- known as phishing attempts -- will attempt to lure you into clicking a link or executing software that hosts a spyware/stalkerware payload.
Should operators employ this tactic, they need their victims to respond. In order to ensure this, messages may contain content designed to induce panic, such as a demand for payment or a failed delivery notice. Messages could potentially use spoofed addresses from a contact you trust as well.
When it comes to stalkerware, initial infection messages may be more personal and tailored to the victim.
There's no magic button to send spyware over the air; instead, physical access or the accidental installation of spyware by the victim is necessary. However, it can take less than a minute to install some variants of spyware and stalkerware, so the required time window is short.
If your mobile goes missing and reappears with different settings or changes that you do not recognize -- or it has been confiscated for a time -- this may be an indicator of tampering.
How do I know when I'm being monitored?
Surveillance software is becoming more sophisticated and can be difficult to detect. However, not all forms of spyware and stalkerware are invisible, and it is possible to find out if you are being monitored.
Android: A giveaway on an Android device is a setting that allows apps to be downloaded and installed outside of the official Google Play Store.
If enabled, this may indicate tampering and jailbreaking without consent. Not every form of spyware and stalkerware requires a jailbroken device, though.
This setting is found in modern Android builds in Settings > Security > Allow unknown sources. (This varies depending on device and vendor.) You can also check Apps > Menu > Special Access > Install unknown apps to see if anything appears that you do not recognize, but there is no guarantee that spyware will show up on the list.
Some forms of spyware will also use generic names and icons to avoid detection. If a process or app comes up on the list you are not familiar with, a quick search online may help you ascertain whether it is legitimate.
iOS: iOS devices that aren't jailbroken are generally harder to install with malware -- unless a zero-day exploit is used. However, the presence of an app called Cydia, which is a package manager that enables users to install software packages on a jailbroken device, may indicate tampering (unless you knowingly downloaded the software yourself).
You may experience unexpected handset battery drain and overheating, as well as unexpected or strange behavior from the device operating system or apps. But in the latter case, many spyware operators will try not to show their hand, and the software is developed to be as silent as possible.
An open source project developed by Amnesty International, MVT (Mobile Verification Toolkit), is a cyber forensics package able to scan for advanced spyware on mobile devices. However, this is most suited to investigators.
How can I remove spyware from my device?
This is where things get difficult.
By design, spyware and stalkerware are hard to detect and can be just as hard to remove. It is not impossible in most cases, but it may take some drastic steps on your part. When it comes to more advanced spyware suites, however, the only option may be to abandon your device.
When removed, especially in the case of stalkerware, some operators will receive an alert warning them that the victim's device has been cleaned up. In addition, should the flow of information suddenly cease, this is a clear indicator that the malicious software has been eradicated.
If you feel your physical safety may be in danger, do not tamper with your device -- instead, reach out to the police and supporting agencies.
Now, here are some removal options:
- Run a malware scan: There are many mobile antivirus solutions available that may be able to detect and remove basic forms of spyware. This is the easiest solution available, but it may not prove effective in every case. Cybersecurity vendors including Malwarebytes, Avast, and Kaspersky all offer spyware-scanning tools. You can try downloading them and performing a scan to wipe out infections.
- Change all of your passwords: If you suspect account compromise, change every password on every important account you have. Many of us have one or two central accounts, such as an email address, which will act as a hub for other accounts and password recovery. Begin there. It might also be a good idea to remove access to any "hub" services you use from a device you think has been compromised.
- Enable two-factor authentication (2FA): When account activity and logins require further consent from a mobile device, this can also help protect individual accounts. However, spyware may intercept the codes sent during 2FA protocols.
- Consider creating a new email address: Known only to you, the new email becomes tethered to your main accounts.
- Update your OS: It may seem obvious, but when an operating system releases a new version, which often comes with security patches and upgrades, this can -- if you're lucky -- cause conflict and problems with spyware. In the same way as antivirus solutions, keep this updated.
- Protect your device physically: A PIN code, pattern, or enabling biometrics can protect your mobile device from future tampering. However, it will not help if a device has already been compromised.
- If all else fails, factory reset... or junk it: Performing a factory reset and clean install on the device you believe is compromised may help eradicate some forms of spyware and stalkerware. However, make sure you remember to back up important content first. On Android platforms, this is usually found under Settings > General Management > Reset > Factory Data Reset. On iOS, go to Settings > General > Reset.
Unfortunately, some stalkerware services may survive factory resets. So, failing all of that, consider restoring to factory levels and then throwing your device away.
What about advanced spyware?
Government-grade spyware can be more difficult to detect. However, as noted in a guide on Pegasus published by cybersecurity firm Kaspersky, there are some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings:
- Reboots: Rebooting your device daily to prevent persistence from taking hold. The majority of infections have appeared to be based on zero-day exploits, with little persistence, and so rebooting can hamper attackers.
"We analyzed one case in which a mobile device was targeted through a zero-click exploit (likely FORCEDENTRY)," Kaspersky says. "The device owner rebooted their device regularly and did so in the next 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots."
- Disable iMessage and Facetime (iOS): The researchers say that as features enabled by default, iMessage and Facetime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years.
- Consider using a browser other than Safari, default Chrome: Kaspersky says that some exploits do not work "as well" on alternatives such as Firefox Focus.
- Use a trusted, paid VPN service, and install an app that warns when your device has been jailbroken. Some AV apps will perform this check.
The researchers also recommend that you make iTunes and sysdiags backups (iOS) if you suspect an infection, as they will help researchers diagnose a device properly.
It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication.
"Use a prepaid card in it, or, only connect by Wi-Fi and TOR while in airplane mode," the researchers say. "Avoid messengers where you need to provide your contacts with your phone number."
The full guide can be accessed here: Staying safe from Pegasus, Chrysaor and other APT mobile malware
So, what are Google and Apple doing about this problem?
Both Google and Apple are generally quick to notice if spyware or other forms of malicious apps manage to circumvent the privacy and security barriers imposed for applications hosted in their respective official app stores.
In July 2019, Google removed seven apps from the same Russian developer from the Play Store. While marketed as employee and child trackers, the tech giant took a dim view of their overreaching functions -- including GPS device tracking, access to SMS messages, the theft of contact lists, and potentially the exposure of communication taking place in messaging applications.
When it comes to Apple, the iPad and iPhone maker began a crackdown on parental control apps several years ago, citing privacy-invading functions as the reason for some iOS apps to be removed from the App Store. In some cases, Apple requested developers to remove functions, whereas, in others, the apps were simply removed. The company offers its own parental device control service called Screen Time for parents who want to limit their child's device usage.
Surveillance without consent is unethical. In domestic situations, it causes a severe imbalance in power. If your sixth sense says something is wrong, listen to it. A physical object is not worth sacrificing your privacy and personal security.
Should your device become compromised, take back control of your right to privacy -- whether or not this means replacing your handset entirely -- but only if your physical safety isn't being threatened. In those cases, you should contact the authorities and investigators rather than tamper with your handset.