On August 15th, 2018, an unsavory character was able to obtain complete and total access to everything on my personal cell phone. In just a few minutes, they were able to download all of my pictures and videos. They could read my text messages and emails, and even send whatever they wanted to while pretending to be me. They tracked my location and secretly activated my microphone and camera. They knew where I was at any given moment and where I would be according to my calendar. They had access to my entire life.
Fortunately, I was that unsavory character. And just as fortunately, I was conducting an experiment to demonstrate how easy it can be to weaponize our own phones against us, how hard it can be to detect for even advanced users, and how disastrous it can be if it happens. Turns out, it’s pretty easy.
In May of 2018, security researchers Andrew Blaich and Michael Flossman with the security firm Lookout, discovered a new malware variant that they dubbed Stealth Mango (for Android) and Tangelo (for IOS). These tools were successfully deployed against military and government targets in Pakistan, Afghanistan, India, Iraq, Iran, and the UAE, and spread largely through phishing and compromised websites. The campaign was ultimately able to exfiltrate over 15GB of data, including text messages, contacts, secret recordings, and sensitive military/government communications. The stolen data even included passport scans, ID cards, whiteboards, and meeting/ceremony pictures that included US service members. In other words, it was a treasure trove of information.
While researching the campaign, the researchers make a remarkable discovery: the same team that developed Stealth Mango and Tangelo also made a commercial variant and the code was almost exactly the same. Commercial variants of mobile spyware are often referred to as “stalkerware” or “spouseware”, named after their common usage.
Once upon a time, sophisticated mobile attacks and intelligence operations were the purview of state actors. This is why the government and military doesn’t allow cell phones into certain areas. But now the threat has grown exponentially and the sheer number of potential attack vectors warrant a careful reconsideration of our policies, training, and defensive posture. Today, the threat includes anyone with $60 or so and easily who can follow basic instructions. There are countless variants of this sort of software commercially available, not to mention the multiple homebrew versions. We can start to get some idea of the sheer scope of the problem by analyzing the data leaded from a self-identified employee of one such company, Flexispy.
Flexispy makes and sells this sort of software. They also sell a “white label” version for other companies to resell under their own brand. According to the information provided to motherboard security researchers Lorenzo Franceschi-Bicchierai and Joseph Cox, at least 130,000 people had accounts with the service. Among them, a fifth-grade teacher, the president of a distribution company, the vice-president of a bank and many more. And that’s just one company- there’s many others with their own customer base.
Recently, I went to the website of one such company. Their website lists two primary uses for their brand of stalkerware: to “keep your children safe” and to “monitor your employee’s company phone usage”. Insert additional air quotes liberally. It’s important to note that both of those purposes are technically legal, although there would be certain caveats and provisions that would be the responsibility of the buyer to obey.
As an experiment, I contacted this company with a fictitious back story. I told the sales rep that I thought my “girlfriend” was cheating on me, and I wanted to know if their product could help me spy on her. I expressed concern that she would discover it, and mentioned that it’s her phone on her own account. In other words, I was asking if I could use their software to commit a major crime. The rep assured me that it would work perfectly for this purpose. They offered tips on installing it without the victim discovering it, and they even offered a 10% discount code for my first month.
After I purchased a one-month license (I chose not to take advantage of discounts offered for longer durations), it took about two minutes to infect my phone. After that, I merely had to login to my online dashboard on the company’s website to access everything on my now-infected phone. If I intended harm, I would have had ample means to do it then.
The fictitious story is a realistic one, and includes not only an abusive partner but also burglars, hackers, or anyone else that would benefit from this unprecedented level of access when trying to accomplish their goals our counter our own. It’s an inexpensive and low-risk method of intelligence gathering that can be initiated from anywhere in the world, depending on the technical capabilities of the attacker.
As discussed previously, we already restrict cell phones in specific areas. This is a good thing, and that shouldn’t change. But what could your adversary could do if they manage to infect one or more of your employee’s personal or issued cell phones?
We all know that we’re not supposed to talk about work-related topics while we’re out of the office for lunch, but we feel a little bit safer when we’re alone with our trusted coworkers who are working on the same project. We wouldn’t tell our adversary about network issues and vulnerabilities, but we might do a quick internet search on our phone while trying to fix a router configuration issue. And we work hard to protect information about client arrivals, even though a compromised phone can tell far more than an itinerary can. That’s not to mention the blackmail potential for well-placed employees based on their app usage (for example, a married employee using a dating / hookup app), location history, email receipts, and more. The next time you think about the information you want to protect, think about all the items that could potentially be compromised along with your employee’s phones.
As always, real-world risk should inform policy. But when we’re talking about personal devices and non-work hours, there’s only so much that policy can adequately address. We need to provide our users with the resources and information they need to protect themselves under those conditions. For example, these are some important concepts that can be relayed to your employees in order to help protect them and your critical information:
– Free antivirus apps are able to detect many variants of stalkerware, but are often not installed by default. Installing a third-party antivirus app by a reputable company will help prevent infection in the first place
– Periodically scan through your list of installed apps to look for anything you didn’t install or don’t recognize. Many stalkerware apps don’t actually display an icon, so this may not be enough on its own
– If using an android device, look through the settings for “device administrators.” Any apps listed here have more or less full control of your device. For example, the program that I tested required these privileges in order to function. Also, disable the “install from unknown sources” option to help prevent the surreptitious installation of apps
– The least difficult method of installing stalkerware involves physical access to the device. This allows the attacker to ensure that it’s working properly and their tracks are fully removed. Make sure your device is locked and uses a password, PIN, or some other security feature. Other methods of installation seen in the wild include phishing attacks or luring users to a compromised website, referred to as a “watering hole” attack. Make sure these methods are addressed in your training and awareness program
– Some users choose to root or jailbreak their phone in order to increase functionality or unlock certain features. However, this also increases the options available to the attacker. For example, some attacks against iOS devices simply won’t work unless the device is jailbroken. If your users have rooted or jailbroken their devices, make sure they’re aware of the risks
This was only a very broad overview discussing the scope of the problem and basic remediation measures. We have no choice but to meet this emerging threat head on before it’s too late. Much like our adversaries, we have to adapt to a new, increasingly connected environment where the battle lines are blurry at best and ordinary users are on the front lines of a new kind of war.
Sometimes, around this time of year, I think of Jane and her children. Jane isn’t her real name, but her story’s real and she’s allowed me to share it.
Here is some amazing news.
