Mobile Spyware: How Hackers Can Turn Your Phone Into a Stalking Machine

In the mid-2000s a commercial advertisement achieved so much notoriety that its existence bordered on parody. The product was a headache-relieving cream called HeadOn and its advertisements told you three times to “apply it directly to the forehead.”

The commercial was widely panned for its bizarre nature and lack of specificity. What, exactly, was HeadOn? What problems did it solve? Why is it supposed to be applied directly to the forehead? Why would anyone do this?

That bizarre nature and poor production value must have been in mind when the makers of StealthGenie commissioned this advertisement. After all, how else would one sell a spyware product allowing its purchaser to spy on their spouse, children and employees?

That’s right, spyware—a type of software that enables its users to monitor all forms of communications on a targeted device—is now being advertised to a consumer audience. According to our team at McAfee Labs™, this has been a long time coming.

Spyware isn’t malware in the traditional sense. Like malware, it’s loaded onto devices for the expressed purpose of monitoring a user’s activity, typically without the user’s knowledge. Spyware is often used by law enforcement, government agencies and information security organizations to test and monitor communications in a sensitive environment or in an investigation—not for fueling a personal drama. StealthGenie, and other applications like it, change that dynamic.

Here’s how.

Spyware apps are currently available for every mobile device platform on the market. Some of these apps simply redirect users to sales sites where spyware can be purchased, while others directly download the spyware tool onto the device. Most of these apps have the ability to hide their icon from your screen, making it difficult to detect by the victim. Others go even further, requesting or requiring DeviceAdmin privilege—a level in which the app has access to pretty much anything on your phone—to make the spyware impossible to remove if detected. Luckily for Android users, our free Hidden Device Admin Detector scans and detects malicious apps that have been granted device administrator privileges.

Once the spyware is installed, the purchaser can establish rules for monitoring their victim. For example, they can tell the spyware to monitor communications and movements once their target leaves, or enters, a particular zone. The purchaser can also choose to begin recording and relaying messages, movements and other data to a remote server as soon as it’s installed. After the installation and setup, purchasers can log onto a web page where they can access that data.

These apps, if used for nefarious purposes, could put people in serious danger. Abused spouses could be tracked and children could be remotely monitored. But such technology does have practical uses for organizations that would need to monitor internal communications, or for law enforcement agencies that would need the aid of spyware in an investigation. For those reasons, spyware falls under a legal grey zone: it’s not illegal for consumers to own, yet, but the Department of Justice is aggressively pursuing those who sell spyware to a consumer-centric market.

StealthGenie, again, is the perfect example: its CEO was recently arrested by the F.B.I. for the advertisement and sale of a mobile device spyware app that could “monitor calls, texts, videos and other communications on mobile phones without detection,” according to a Department of Justice press release. The CEO pled guilty, marking the first criminal conviction for advertising and selling mobile device spyware online. He likely won’t be the last.

StealthGenie is off the market, but there are plenty of spyware apps that are still available. So how can you protect yourself? Here are a few methods:

• Don’t let your mobile phone out of sight. Keeping your mobile phone in your possession at all times is a surefire way to keep an adversary from placing spyware on your device. If you do lend out your phone for any reason, be sure to check its settings and apps. If your default settings have changed, or a new app has mysteriously appeared, it might be a sign that spyware has been installed.

• Stick to official app stores. While spyware can be found on official app stores, they thrive on obscure third-party stores promoting unofficial apps. By downloading apps for jailbroken or rooted devices, you bypass built-in security and essentially place your device’s data into the hands of a stranger.

• Use comprehensive security. Spyware exists for both mobile and desktop devices. So to protect yourself from spyware, using comprehensive security is a must.  McAfee LiveSafe™ service, our comprehensive security solution, can cover every device you own and detect most spyware on the market today. If you already have computer protection, you can install McAfee Mobile Security on your iPhone or Android device free of charge.