
Communications of the ACM

ACM News

Spyware Lurks in Android Smartphones


Spyware secretly gathers information about a person or organization and relays this data to other parties.

Spyware installs itself on your computer or mobile device and starts covertly monitoring your online behavior without your knowledge or permission.

Credit: Glenn Harvey

Google has made it easy to install spyware apps on Android smartphones, according to researchers at the University of California in San Diego, New York University, and Cornell.

Said Rahul Chatterjee of the University of Wisconsin–Madison, an expert on spyware who was not involved in the research, "The researchers show how these Android spyware apps are built and use rather simple Android APIs to achieve such invasive spying capabilities. Although many of those APIs are necessary and provide useful features, I hope the Google/Android team will look further into how to prevent those APIs from being abused for spying on others."

Spyware apps are easily loaded into Android smartphones as a result of Google's decision to allow its Android operating system to install third-party apps from any online service (so-called side-loading). The spyware installation process is just as easy as it is for apps vetted as "safe" by the Google Play Store.

iOS apps are vetted for safe use on the iPhone before being accepted by Apple's App Store; a major difference is that Apple opted to permit downloads only from its store, not from third-party websites as Android allows.

"It is much easier to install a spyware app in Android than in iOS," said Chatterjee, who has been doing research "on mobile phone apps and other technologies (such as smart home devices) that can be used for spying, tracking, and monitoring intimate partners for some six years now." 

GitHub references hundreds of spyware apps (often called by similar names such as Stalkerware and Watchware), as well as spyware services hidden in 3,988 dual-use apps. Spyware is used by criminals for purposes ranging from illegal surveillance for profit to political leverage, blackmail, and other nefarious uses. Spyware apps allow any purchaser (with access to a phone's passcode) to easily follow in real time (or from logs) nearly every action performed by a targeted victim on their Android phone.

TechCrunch estimates these apps are actively spying on hundreds of thousands of people around the world at any one time, with millions of text messages and telephone call logs being monitored every month. According to New York Attorney General Letitia James, only a handful of the companies writing and promoting spyware are being held accountable.

Last year, the U.S. Federal Trade Commission (FTC) banned the SpyTrack app and SpyFone. It previously had banned Spy Wiper and Spy Deleter, which masqueraded as "cleaner" programs advertised as removing spyware, rather than installing it.

The efforts of law enforcement to date pale in the face of this new barrage of Android apps, say the researchers; many of the apps are free, and sprout up and disappear whack-a-mole style.

Also, on close inspection of these apps, the researchers said many of them are merely copying code segments from each other during their sometimes-brief appearances for sale online.

"It's not clear why, but the pandemic spurred the use of these Android spyware apps, boosting their streaming of megabytes to gigabytes of data to the servers monitoring infected smartphones," said Enze Liu, first author of No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps.

In the study, Liu and his colleagues detail the ongoing damage done by 14 currently available spyware programs ranging in price from free (with advertising, of course) to $100:

  • Cerberus
  • Clevguard
  • Flexispy
  • Highstermobile
  • HoverWatch
  • iKeyMonitor
  • Meuspy
  • Mobile-tracker
  • mSPY
  • Spapp
  • Spy24
  • Spyi
  • Spyhuman, and
  • TruthSpy.

The researchers discuss in detail how Android APIs enable the spyware to hide from detection, achieve persistence even when discovered by their victims, and expose users' data not just to the purchaser of the spyware, but to any industrious hacker.

"The victim's data is usually streamed to a cloud server, where the buyer who installed it on the victim's smartphone uses a Web portal to gain instant access to past and real-time data being processed on the infected phone," said Liu. "What is worse is that this data, once it is streamed to a cloud server, is often not protected from being accessed by hackers for more nefarious purposes than just spying on your spouse."

These capabilities are not new to desktop and laptop computers, with reports growing significantly the same year (2005) that laptop computer sales surpassed those of desktop computers, and the Pew Research Center reported scans for spyware revealed that 80% of laptop and desktop computers were found to be infected. Since then, spyware has become an accepted way of life for ordinary programmers, and even a corporate business model for companies like Google, Microsoft, and Amazon, which use it to track your Web surfing habits in order to present you with targeted ads from which they make billions of dollars.

This type of spyware tracks (with cookies) your browser activity for ad targeting and can catalog nearly everything you do on your computer, if you accept its cookies. Trojan-horse apps, on the other hand, monitor even your keystrokes and take revealing screenshots. Trojan-horse apps are inadvertently installed by naive users because they are disguised as legitimate software in system updates, freeware, and even from just clicking on an email attachment. Complete system monitors have infected millions of users' computers worldwide in search of passwords, data for targeting demographic groups, and chat-room dialogs that can be recorded for profitable scams, political gain, and illegal transactions.

Smartphones initially were subject only to the spyware running on websites using cookies and to Trojan-horse apps designed by professional hackers. Today, however, complete spyware apps can be purchased by anybody who wants to spy on anyone else. Once surreptitiously installed on a victim's mobile phone, they can perform all of the above actions on the victim's device and report the results to the purchaser of the spyware. Dozens of such spyware apps are available for download to any smartphone running the Android operating system, and are as easily installed as any legitimate app.

Why is this legal? Because each vendor markets its spyware as a tool for responsible parents to make sure their children are not surfing porn sites, and for employers to make sure their employees with company-owned phones are using them for legitimate business purposes. "However, they can easily be used for tracking other victims without their consent," said Chatterjee. 

Different spyware apps offer different capabilities, but all offer covert access to a smartphone's camera, microphone, and screenshots, as well as access to private data stored by other apps on the same Android phone.

Other spyware capabilities cataloged by the researchers include access to:

  • Ambient microphone recording
  • Ambient camera recording
  • Stored photos, videos, audio
  • Calendars
  • Call logs
  • Clipboards
  • Contacts
  • Information stored by other applications
  • Current Location
  • Network addresses used
  • Phone call details
  • Text files
  • Shared media files
  • Protected data
  • Screenshots.

Some spyware also can "play tricks" on the phone's user, by

  • Hiding the app's icon
  • Launching hidden apps
  • Sabotaging the uninstallation process, and
  • Creating "diehard" services that reinstall the spyware after you delete it.

 

To protect your Android phone from running spyware:

  1. Memorize your passcode and never tell anyone what it is (plus don't allow it to be seen when entered),
  2. Never download an app from anywhere but the Google Play Store,
  3. Periodically run Google's Privacy Dashboard (available only recently in version 12), and
  4. Delete any program you don't use.
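
A defender's check for steps 2 and 4, as an added example that is not part of the original article or the researchers' work: it lists third-party apps that were not installed by the Google Play Store and maps their requested permissions to the capabilities cataloged above. It assumes the package list comes from `adb shell pm list packages -3 -i` (lines of the form `package:<name>  installer=<installer>`) and that each package's requested permissions were collected separately, for example from `dumpsys package`; the package names and sample data are constructed.

```python
import re

# Installer treated as trusted: the Google Play Store package name.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Real Android permission names, mapped to capabilities the article mentions.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "ambient microphone recording",
    "android.permission.CAMERA": "ambient camera recording",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendars",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "current location",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -3 -i` text."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:  # an installer of "null" means no store recorded the install
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def audit(pm_output, requested):
    """Return [(package, installer, [capabilities])] for side-loaded apps,
    most capabilities first. `requested` maps package -> permission names."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        caps = sorted(SENSITIVE[p] for p in requested.get(pkg, ()) if p in SENSITIVE)
        findings.append((pkg, installer, caps))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))

# Constructed sample input (not captured from a real device).
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.game  installer=com.example.altstore
"""
SAMPLE_PERMS = {
    "com.example.sysupdate": ["android.permission.RECORD_AUDIO",
                              "android.permission.READ_CALL_LOG",
                              "android.permission.INTERNET"],
    "com.example.game": ["android.permission.INTERNET"],
}

if __name__ == "__main__":
    for pkg, installer, caps in audit(SAMPLE_PM, SAMPLE_PERMS):
        print(pkg, installer or "unknown installer", caps)
```

Because the package manager lists installed packages whether or not they show a launcher icon, this view also covers apps that hide their icon.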

 

R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.


 
