US Army Corps of Engineers
Albuquerque District

Focus on Cybersecurity: Stalkerware

Defense Security Service
Published Oct. 30, 2018


On August 15th, an unsavory character was able to obtain complete and total access to everything on my personal cell phone. In just a few minutes, they were able to download all of my pictures and videos. They could read my text messages and emails, and even send whatever they wanted while pretending to be me. They tracked my location and secretly activated my microphone and camera. They knew where I was at any given moment, and where I would be, according to my calendar. They had access to my entire life.

Fortunately, I was that unsavory character. Also, just as fortunately, I was conducting an experiment to demonstrate how easy it can be to weaponize our own phones against us, how hard it can be to detect, even for advanced users, and how disastrous it can be if it happens. Turns out, it’s pretty easy.

In May of 2018, security researchers Andrew Blaich and Michael Flossman, of the security firm Lookout, discovered a new malware variant that they dubbed Stealth Mango (for Android) and Tangelo (for iOS). These tools were successfully deployed against military and government targets in Pakistan, Afghanistan, India, Iraq, Iran, and the UAE, and spread largely through phishing and compromised websites. The campaign was ultimately able to exfiltrate over 15GB of data, including text messages, contacts, secret recordings, and sensitive military/government communications. The stolen data even included passport scans, ID cards, whiteboards, and meeting/ceremony pictures which included U.S. service members. In other words, it was a treasure trove of actionable intelligence.

While researching the campaign, the researchers made a remarkable discovery: the same team that developed Stealth Mango and Tangelo also made a commercial variant, and the code was almost exactly the same. Commercial variants of mobile spyware are often referred to as “stalkerware,” or “spouseware,” named after their common usage.

Once upon a time, sophisticated mobile attacks and intelligence operations were the purview of state actors. As such, our threat models, and the resulting policy, traditionally reflected that fact. This is, of course, why we can’t bring personal cell phones into areas that would be attractive to our adversary, such as a SCIF, or sometimes, entire buildings. But now the threat has grown exponentially, and the sheer number of potential attack vectors warrants careful reconsideration of our policies, training, and defensive posture.

Today, the threat includes anyone with $60 or so who can follow basic instructions. There are countless variants of this sort of software commercially available, not to mention the multiple homebrew versions. We can start to get some idea of the sheer scope of the problem by analyzing the data from a self-identified employee of one such company, Flexispy.

Flexispy makes and sells this sort of software. They also sell a “white label” version for other companies to resell under their own brand. According to the information provided to Motherboard security researchers Lorenzo Franceschi-Bicchierai and Joseph Cox, at least 130,000 people had accounts with the service. Among them: a fifth-grade teacher, the president of a distribution company, the vice-president of a bank, and many more. This is just one company; there are many others, each with its own customer base.

Recently, I went to the website of one such company. Their website lists two primary uses for their brand of stalkerware: to “keep your children safe,” and to “monitor your employees’ company phone usage.” (Insert additional air quotes liberally.) It is important to note that both of those purposes are technically legal, although there are certain caveats and provisions that it would be the buyer’s responsibility to obey.

As an experiment, I contacted this company with a fictitious back story. I told the sales rep that I thought my “girlfriend” was cheating on me, and I wanted to know if their product could help me spy on her. I expressed concern that she would discover it, and mentioned that it is her phone on her own account. In other words, I was asking if I could use their software to commit a major crime. The rep assured me that it would work perfectly for this purpose. They offered tips on installing it without the victim discovering it; they even offered a 10 percent discount code for my first month.

After I purchased a one-month license (I chose not to take advantage of discounts offered for longer durations), it took about two minutes to infect my phone. After that, I merely had to log in to my online dashboard on the company’s website to access everything on my now-infected phone. If I intended harm, I would have had ample means to then do it.

The fictitious story is a realistic one, but an abusive partner is not the only potential adversary that can use this type of software. It is just as accessible to corporate spies, malicious insiders, hacktivists, state actors, and anyone else that would benefit from this unprecedented level of access when trying to accomplish their goals or counter our own. It is an inexpensive, low-risk method of intelligence gathering that can be initiated from anywhere in the world, depending on the technical capabilities of the attacker.

As discussed previously, we already restrict cell phones in specific areas. This is a good thing; that should not change. But what could your adversary of choice do if they managed to infect one or more of your employees’ personal or issued cell phones?

We all know that we are not supposed to talk about work-related topics while we are out of the office for lunch, but we feel a little bit safer in our building cafeteria, with our trusted coworkers who are working on the same project. We would not tell our adversary about network issues and vulnerabilities, but we might do a quick internet search on our phone while trying to fix a router configuration issue. And we work hard to protect movement details relating to VIPs or senior personnel, even though a compromised phone can tell far more than an itinerary, not to mention the blackmail potential for cleared or well-placed employees based on their app usage (for example, a married employee using a dating / hookup app), location history, email receipts, and more. The next time you look at your CIL (critical information list), think about all the items that could potentially be compromised along with your employees’ phones.

As always, real-world risk should inform policy; but when we are talking about personal devices and non-work hours, there is only so much that policy can adequately address. We need to provide our users with the resources and information they need to protect themselves under those conditions. For example, these are some important concepts that can be relayed to your employees in order to help protect them and your critical information:

-- Free antivirus apps are able to detect many variants of stalkerware, but are often not installed by default. Installing a third-party antivirus app from a reputable company will help prevent infection in the first place.
-- Periodically scan through your list of installed apps to look for anything you did not install or do not recognize. Many stalkerware apps do not display an icon, so this check may not be enough on its own.
-- If using an Android device, look through the settings for “device administrators.” Any apps listed here have more or less full control of your device. For example, the program that I tested required these privileges in order to function. Also, disable the “install from unknown sources” option to help prevent the surreptitious installation of apps.
-- The least difficult method of installing stalkerware involves physical access to the device. This allows the attacker to ensure that it’s working properly and that their tracks are fully removed. Make sure your device is locked and uses a password, PIN, or some other security feature. Other methods of installation seen in the wild include phishing attacks and luring users to a compromised website, referred to as a “watering hole” attack. Make sure these methods are addressed in your training and awareness program.
-- Some users choose to root or jailbreak their phone in order to increase functionality or unlock certain features. However, this also increases the options available to the attacker. For example, some attacks against iOS devices simply won’t work unless the device is jailbroken. If your users have rooted or jailbroken their devices, make sure they are aware of the risks.
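The two Android checks above (review the device administrators list and look for apps you did not install) can be automated for a fleet of issued devices. The script below is an added example, not part of the original article or of any product it mentions. It assumes the text was captured over ADB with `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys device_policy` (enabled device admins); the sample output embedded here is constructed to resemble those commands’ output, and the `EXPECTED_ADMINS` allow-list (your MDM agent) is a placeholder you would fill in.

```python
"""Triage helper: flag side-loaded packages and unexpected device administrators
on an Android device from captured ADB output (added example, not the article's
own code; sample strings are CONSTRUCTED approximations of real command output)."""
import re

# Constructed sample of `adb shell pm list packages -3 -i`: third-party packages
# and the installer that placed them. "null" means no store installer (side-loaded).
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.messenger  installer=com.android.vending
package:com.sys.service.update  installer=null
"""

# Constructed sample modelled on `adb shell dumpsys device_policy`: each enabled
# admin appears as "<package>/<receiver class>:" followed by its granted policies.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.sys.service.update/.AdminReceiver:
      uid=10231
      policies:
        wipe-data
        reset-password
        disable-camera
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10042
      policies:
        wipe-data
"""

# Assumption: the only device admin your organisation expects is its MDM agent.
EXPECTED_ADMINS = {"com.google.android.apps.work.clouddpc"}
# Installer ids treated as legitimate app stores; anything else is side-loaded.
STORE_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)
ADMIN_RE = re.compile(r"^    ([\w.]+)/[\w.]+:\s*$", re.M)


def parse_packages(text):
    """Map package name -> installer id from `pm list packages -3 -i` output."""
    return {pkg: installer for pkg, installer in PKG_RE.findall(text)}


def parse_device_admins(text):
    """Return the package names listed as enabled device administrators."""
    return ADMIN_RE.findall(text)


def triage(pkg_text, policy_text, expected_admins=EXPECTED_ADMINS):
    """Return (finding, package) tuples, worst case last: a side-loaded package
    that also holds device-admin rights is the pattern the article describes."""
    installers = parse_packages(pkg_text)
    admins = parse_device_admins(policy_text)
    findings = []
    for pkg in admins:
        if pkg not in expected_admins:
            findings.append(("unexpected-device-admin", pkg))
    for pkg, installer in installers.items():
        if installer not in STORE_INSTALLERS:
            findings.append(("side-loaded", pkg))
    side_loaded = {p for kind, p in findings if kind == "side-loaded"}
    for pkg in admins:
        if pkg in side_loaded:
            findings.append(("side-loaded-device-admin", pkg))
    return findings


def unknown_sources_enabled(settings_value):
    """Interpret `adb shell settings get secure install_non_market_apps`.
    Assumption: pre-Android 8 global toggle ("1" = enabled); newer releases
    manage this per app, so treat this as a legacy check."""
    return settings_value.strip() == "1"


if __name__ == "__main__":
    for kind, pkg in triage(SAMPLE_PACKAGES, SAMPLE_DEVICE_POLICY):
        print(f"{kind:26} {pkg}")
    print("unknown sources enabled:", unknown_sources_enabled("1\n"))
```

On a real device you would pipe the two `adb shell` commands into `triage()`; a package that shows up as both side-loaded and a device administrator deserves a hands-on look, while anything absent from the allow-list is at least worth asking the user about.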

This was only a very broad overview discussing the scope of the problem and basic remediation measures.