PhoneSpy is the latest stage in spyware’s long evolution - The EE


One of the greatest cyberthreats today isn’t locked to an earthbound endpoint, data centre or server, but can walk around with us, follow us home and into work all from the comfort of our own pockets, says Richard Melick, director, product marketing for endpoint security at Zimperium.

Spyware isn’t necessarily a headline-grabbing threat in the way ransomware has become, but for cybercriminals it’s one of the most reliable and effective tools to steal information. We recently discovered a new piece of spyware called PhoneSpy, targeting Android devices in South Korea.

While spyware commonly takes advantage of vulnerabilities in its target devices, we found this particular piece disguised as at least 23 seemingly normal lifestyle applications. While hiding as a “normal” application, PhoneSpy would steal data, messages and images while being able to take remote control of the infected device and otherwise spy on its user.

PhoneSpy came armed with a whole array of capabilities. It could steal or send GPS locations, images, SMS messages, contacts, call logs and, critically, credentials. Furthermore, it could record audio and video in real time as well as take photos using the front and rear cameras. It could do all this while concealing its presence from the user and covertly sending information back to its controllers. Indeed, we observed this piece of spyware steal everything from personal photos to corporate communications, all without the legitimate user’s knowledge.

How PhoneSpy works

Upon first infection, PhoneSpy would immediately send GPS data, photos and communications, contact lists, and downloaded documents to the Command and Control server. It would then disguise itself as one of a number of lifestyle apps targeting Korean speakers.

Importantly, PhoneSpy was not detected in any Android store, so it was likely distributed through web traffic redirection or some form of social engineering. After it was installed, the application would ask for access permissions and then open a phishing page that masquerades as the South Korean messaging app “Kakao Talk” so that it could steal credentials. However, it could also use Facebook, Instagram and Google pages for phishing.

Though PhoneSpy would pretend to be one of the aforementioned lifestyle apps, those fake apps didn’t serve their users particularly well. Users couldn’t use many of their advertised functions, and the fake apps merely acted to hide the activities of PhoneSpy. In the meantime, PhoneSpy would access their victims’ devices and send data back to the Command and Control servers which would maintain a communication channel to send commands to the infected device.

Importantly, PhoneSpy’s access capability was so great that it could uninstall pre-existing applications, including mobile security apps. Furthermore, once that access was given, it could not be revoked and would persist even after the user had deleted the fraudulent app.

The PhoneSpy campaign has claimed thousands of victims in South Korea. We believe that PhoneSpy’s controllers have gathered large amounts of personal and corporate data from their victims. Although we do not know whether those victims are linked, we do suspect that, given the spyware’s ability to send messages and acquire contacts, victims’ associates have also been targeted.
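As an added illustration, not part of the original article or of Zimperium’s tooling, the following triage script checks an app’s `adb shell dumpsys package <pkg>` output for the capability set described above (location, SMS, contacts, call logs, audio, camera, stored files) and for a sideloaded install, which is how the campaign was distributed. The package name and dump text are constructed, and the `installerPackageName` field is assumed to be present in the dump.

```python
import re

# Capability set the article attributes to PhoneSpy, mapped to the
# Android runtime permissions that grant each one.
SPYWARE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/documents",
}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play; add OEM stores as needed

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true", re.M)
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")  # assumed field name

def granted_permissions(dump: str) -> set:
    """Permissions marked granted=true in a `dumpsys package <pkg>` dump."""
    return set(GRANT_RE.findall(dump))

def installer_of(dump: str):
    """Installer package recorded for the app, or None if absent or null."""
    m = INSTALLER_RE.search(dump)
    return None if not m or m.group(1) == "null" else m.group(1)

def triage(dump: str, threshold: int = 5) -> dict:
    """Flag an app holding most of the capability set that was not installed by a known store."""
    caps = sorted(SPYWARE_PERMS[p] for p in granted_permissions(dump) if p in SPYWARE_PERMS)
    sideloaded = installer_of(dump) not in STORE_INSTALLERS
    return {"capabilities": caps, "sideloaded": sideloaded,
            "flag": sideloaded and len(caps) >= threshold}

# Constructed sample dump (not real PhoneSpy output): a "lifestyle" app that
# was sideloaded and granted the whole capability set.
SAMPLE_DUMP = """\
Package [com.example.lifestyle] (constructed):
    installerPackageName=null
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=true
"""
```

Running `triage(SAMPLE_DUMP)` flags the constructed app; the same dump with a Play Store installer is not flagged, so the check points a responder at sideloaded apps holding surveillance-grade permissions rather than every app that uses the camera.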

Spyware: a long and destructive history

PhoneSpy is just the latest iteration in the long evolution of spyware. Sometimes known as RATs, or Remote Access Trojans, these programmes have seen use in both legal and illegal capacities to surveil their targets. Spyware comes in many forms: it can be used for covert surveillance and cybercrime, but also to serve pop-up ads to otherwise unwilling viewers.

Spyware commonly grants its controllers profound access to the infected device. Once installed, it can often see all the communications, credentials and rerouting that happen on the device, as well as download other kinds of information from the phone.

Spyware is easily available with some forms being advertised on app stores as legitimate security applications used to track employees, family members or even lost devices. A new study from Kaspersky has revealed that as many as 11% of UK adults have been compelled to install spyware on their phones so that they can be tracked by family members or partners. Some widely used apps, though not explicitly labelled as spyware, can be used for the same purposes. Apple’s Find My app has been flagged as a potential enabler for location tracking and remote observation.

It’s also commonly used for espionage and blackmail. Perhaps the most famous example of late is the Pegasus spyware, which has targeted over 50,000 victims around the world. Developed by the Israeli firm NSO Group, Pegasus has been used to spy on Indian politicians, Armenian state officials, French journalists, Emirati activists and American business leaders. Jeff Bezos, founder of Amazon, has been one of its victims, as has the French president, Emmanuel Macron.

Still, Pegasus and PhoneSpy are just two examples and spyware doesn’t need to be nearly as sophisticated as Pegasus to do damage. 

Personal threats turned corporate problems

Many of these threats initially seem to be consumer-level personal threats. That would be almost acceptable if the state of IT weren’t what it is.

The legendary military strategist Sun Tzu once said, “There is no place where espionage is not possible”; that’s just as true in this case as it was on a Chinese battlefield in 500 BC.

In an age of BYOD and mass remote working, a consumer-focused threat is an enterprise threat. When someone is using their spyware-infected phone for work, or at work, that becomes a threat to enterprise security. That could mean a spyware-infected phone logging into corporate accounts while attackers see the password being entered. It could also mean such a device entering a meeting in which sensitive IP is discussed. Either way, spyware can turn a mobile phone into a covert listening device, which poses just as much of a threat to the individual’s employer as it does to the individual.

Blinding spyware threats


Mass remote work has exploded over the course of the pandemic. In fact, many enterprises were forced to enable it or suffer serious consequences. This has fundamentally changed the shape of corporate networks and, considering the above, has given spyware threats dangerous new opportunities.

A range of technologies called Mobile Threat Defense (MTD) can be useful when facing down threats like these. As part of a Zero Trust approach, MTD can provide visibility into individual devices’ security postures and ensure that they have not downloaded malicious apps, been jailbroken, compromised or tampered with. We’ve helped numerous major companies in the pharmaceutical, financial and public utility sectors protect their critically sensitive data from mobile threats like spyware.

Spyware is an enduring problem in cybersecurity, and it has been for several decades. However, it’s been given a lethal new edge against corporate networks by the rise of BYOD, mobile computing and mass remote working. If organisations want to protect themselves, their IP, their proprietary secrets and data from attackers, then they need to think about mobile threat defense and how they can protect their corporate networks from personal threats.

The author is Richard Melick, director, product marketing for endpoint security at Zimperium.
