This is your Shared Security Weekly Blaze for October 29th, 2018 with your host, Tom Eston. In this week’s episode: Spy apps and Stalkerware with special guest Jeff Tang.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Spy apps, better known as “stalkerware”, are apps that can be used to track and spy on the activities that someone does on a mobile device. Activities can include everything from reading text messages, viewing photos and emails, seeing websites visited, tracking real-time GPS location, turning on the microphone or camera, viewing social media usage, and much more. These apps go by the names of mSpy, FlexiSPY, Retina-X, and many others that are widely available for purchase. While there may be legitimate purposes for installing an app like these, for example, parents who want to track what their kids are doing on their mobile devices or employers monitoring company-issued mobile phones, criminals as well as stalkers are also using these apps to conduct surveillance and monitoring of a victim’s device. These apps are very concerning for someone who might be in a domestic abuse situation or is being criminally stalked. In this episode we’re going to cover why these apps have become so popular, how they are installed, and how you can detect if someone has installed one of these apps on your mobile device.
Tom Eston: Joining me to talk about spy apps and stalkerware is Jeff Tang, who is the Senior Manager of Applied Research at Cylance. Welcome to the show, Jeff.
Jeff Tang: Hey Tom, thanks for having me.
Tom Eston: So what’s your take on these apps, and why do you think they’re becoming so popular?
Jeff Tang: I think there’s a lot of interest in these apps because we’re in a new society where we’re actually recording everything, and everything is becoming digital. Our entire lives are captured onto our cell phones, from photos, to text messages, to emails, to just GPS location. And we’re in this age where all this data is now available, and I think we’re seeing the commoditization of the spying applications that take advantage of the availability of this data. So I think a lot of the popularity is just like this wasn’t possible before smartphones existed, it was much more difficult to try to capture someone’s location, but now we all carry a GPS device in our pockets.
Tom Eston: Yeah, I’m kind of reminded of… If you’re a fan of the Breaking Bad TV show, where they put a GPS locator on somebody’s car and then they use an old-style GPS tracker to follow the car around, right?
Jeff Tang: Yeah, and those are actually still really common, right? You can go on Amazon and buy them for as cheap as 20 bucks.
Tom Eston: So the technology has definitely evolved. So, is it just because we now have more power at our fingertips that it makes these apps a lot easier for people to use?
Jeff Tang: Yeah, I think it’s… We’ve all had kind of an inclination to know what’s going on. And now in 30 seconds we can go and search for something like this. And there are other vendors out there that are willing to provide this as a service.
Tom Eston: So how do these apps get installed? I would think that you either have to have physical access to the device, or are there other ways that somebody would install this on your device?
Jeff Tang: So there are effectively two ways that these apps can work. The first way is if you are an iCloud customer where your phone is constantly being backed up to the Cloud. If your iCloud credentials get compromised, as we’ve seen in the past when celebrities were getting their phones hacked, these services can just go download the backup from the Cloud, extract all the information, and present it to you in their dashboard. The second way is having physical access to the device or having some way of installing this malicious application onto the device. So, for instance, if you lose sight of your phone for a few minutes and you don’t have a passcode on it, someone can easily just grab your phone, install the app, allow it the necessary permissions to access your microphone, your contacts, your GPS location and so on, and then it functions like a normal application.
Tom Eston: So are there any dangers to having one of these apps installed on your phone? So I know a couple of these apps do things like they jailbreak or root your device. I would assume that that’s dangerous in terms of disabling certain things on your device in order for this app to run, correct?
Jeff Tang: They can run in different modes. For the most part, mobile devices have good sandboxes, which constrain the application to only operating within its sandbox. Some of them do support jailbreaking, which compromises the security integrity of the device, allowing it to access other information outside of its sandbox. So you can actually become more vulnerable, say, to another malicious application that was on your device, maybe something that pretended to be something that it wasn’t… It really wasn’t. Like pretending to be some sort of text messaging service, when in reality it’s some piece of malware. And then we also see things like if a phone is vulnerable to… And it hasn’t been updated and is vulnerable to some browser-based exploits, that’s one less thing that a malicious attacker has to do in order to gain access to your phone.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Tom Eston: So it sounds like a lot of these apps, in the way that they function, are very similar to techniques that a government or, say, a very large nation state would use to target, maybe, an individual. You’ve probably seen the news about the Pegasus malware created by that group… The NSO Group over in Israel, and they’re selling that software to governments. But for somebody who, say, is in a domestic abuse situation or might fear that they are being stalked, how could these people defend themselves from having these applications installed on their devices?
Jeff Tang: The first step is to maintain physical security over your device, which isn’t always possible, right? So the second part is making sure that you have a strong passcode on the device that no one else knows. And it’s pretty common to have simple four-digit PINs on phones, in the case of Android, the little connecting-the-dots pattern; we should really start moving towards something much stronger, having longer passcodes, full alphanumeric and so on. And the second part of that is, if you’re using some sort of Cloud backup service that your phone constantly sends data to, ensuring that the credentials for that service are also strong. Making sure that we’re not reusing the same passwords for our phone and that backup service. And then following that, if there’s a suspicion that the device is compromised, it might be best to pick up a new device and start using that so that we know that that one isn’t compromised at the time.
Tom Eston: Are there any best practices? Should someone use an Apple iOS device versus an Android, or are they both about the same?
Jeff Tang: They’re both reasonably the same. The same best practices have been around for almost two decades now. It’s using strong credentials and keeping the device up to date. And then we can also go and routinely eye what applications are installed on the phone. And then it also might be just a good time to start cleaning out the phone for applications that you don’t use. Some of these tend to masquerade as a patsy application, right? They’re not all gonna claim that they’re spying device… That they’re spyware applications.
Tom Eston: They would have to be installed as some type of app, correct? Probably hidden?
Jeff Tang: Yeah, for the most part they are installed as a normal application. I’d imagine some of the fancier ones, especially when you start going towards like Pegasus, that they are being hidden from your display. But when we’re looking at the run-of-the-mill spyware, stalkerware apps, they’re typically not going that far.
Tom Eston: Well, great advice, Jeff. I really appreciate your time, and thanks for coming on the show.
Jeff Tang: Alright. Thanks, Tom.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.