Keeping Up with Today’s Top Mobile Spyware Threat Trends
You’re doing all you can to build a hardened cybersecurity fortress around your digital assets. But are you leaving a backdoor open to attackers without realizing it?
Mobile devices are central to how we all work today, but they’re also a major source of vulnerability—and attackers are taking advantage with a crop of new spyware that’s increasingly difficult to prevent, detect, and uproot.
Users don’t typically worry about securing their personal devices. They assume they have nothing to hide, so they’re not going to be a target. But even if they aren’t a target, your organization probably is.
Whether you are a municipality targeted by nation-state actors, a corporation under attack by competitors, or a startup sitting on prized intellectual property, you have critical assets you need to protect, and failing to secure user devices can leave you vulnerable, no matter what industry you are in.
In this post, we will explore trends including the rise of new and more sophisticated types of mobile spyware: nation-level spyware and modified applications. We’ll also present several best practices to help you protect all your organization’s assets.
Mobile Spyware Attacks: Definition, Trajectory, Impact
Mobile spyware is designed to collect personal information from a mobile device without the user’s knowledge or consent: tracking their online activity, stealing their personal data, or even controlling their device remotely.
Spyware has been around for decades; early variants were developed in the 2000s and 2010s by the Italian Hacking Team and German FinFisher. Today, a wide range of mobile spyware is available, primarily for Android devices, but also for iOS. That means almost no mobile device is safe.
Spyware can invade a user’s mobile device in one of a few ways.
User Downloads a Malicious App
This is the most common way that spyware reaches mobile devices. Malicious apps can be disguised as legitimate apps, so it is important to be careful about which apps you download and install, and where they come from.
User Clicks a Malicious Link
This could be a link in an email, text message, or social media post that ultimately causes spyware to be installed on their device without their knowledge.
User Opens a Malicious Attachment
Malicious attachments to email or text messages are one of the most common ways spyware is installed on mobile devices. These are usually disguised as legitimate files, such as PDF, Word, or image files. Opening the attachment installs the spyware on the device.
User Does Nothing
That’s right: Even if the user does absolutely nothing to download or activate the malware on their device, today’s newest “zero-click malware” takes advantage of existing vulnerabilities to infect the device completely invisibly, without the user needing to do a thing. This means no amount of education or user vigilance can prevent this type of attack.
Once spyware is present on a mobile device inside your network, the consequences of the attack can include:
- Access: Infiltrating personal and corporate devices, granting unauthorized access and control over sensitive information and devices such as microphones and cameras
- Exfiltration: Removing a wide range of potentially compromising data from your own network, from payment-card data to PHI, PII, and more
- Lead generation: Harvesting contacts from user devices and using these to target additional users via phishing and other types of social engineering-based attacks
Every single day, spyware attacks lead to data theft, location tracking, the spread of malware, blackmail and extortion, banking and financial fraud, and other forms of harm—both to the user and, potentially, to your entire organization.
Troubling Trends in Today’s Mobile Spyware
In addition to older models of spyware, which continue to grow and proliferate, two new trends are unfolding that are particularly troubling.
Trend #1 – Nation-Level Mobile Spyware
The term “nation-level” describes the origins, capabilities, and use cases of this type of spyware: it is typically developed for high-level government clients, and it is frequently used against targets in the government and civil sectors.
The biggest name by far in nation-level spyware is NSO Group’s Pegasus, which has been condemned by the U.S. government, but which other reports indicate the U.S. government is still using. Other big names in the nation-level spyware game include Cytrox’s Predator, a reincarnation of older mercenary spyware that has been designed to get around the security guardrails built into Android. There is also a growing number of advanced persistent threat (APT) groups using open-source spyware rather than brand-name versions.
Beyond these apps, there’s also a wide range of stalkerware (sometimes known as stalkware), such as Spyhide, an Iranian-developed app that TechCrunch reports “continually uploads the phone’s contacts, messages, photos, call logs and recordings, and granular location in real time.”
At least 65 governments worldwide are currently known to be using variations of spyware, often referred to as “private surveillance tools,” including Poland, Italy, Spain, and the U.S. According to human-rights organization Amnesty International, governments use these tools to track lawyers, journalists, political opponents, and human rights activists.
In addition, nation-level spyware methodologies are inevitably trickling down into non-governmental hands. This is particularly true of stalkerware: more than 1,000 apps currently available are designed to stalk users by accessing devices’ cameras, microphones, location, and more, without consent. This puts capabilities well suited to corporate espionage within easy reach of rival governments and corporations.
Trend #2 – Modified Applications
Another growing threat comes from modified applications. These are often disguised as legitimate apps, so users download them without realizing what they are installing. Once installed, modified apps can steal data, track location, access onboard cameras and microphones, collect contacts, and spread malware. This is a variation on the classic Trojan Horse type of malware with a terrible spyware twist.
Attackers use lure techniques to trick users into downloading these apps unknowingly, for instance by packaging them as attractive games or user-friendly utilities. Many of these apps actually do what they promise, such as offering legitimate gameplay, while spying on users in the background and performing unauthorized file operations. Attackers may even exfiltrate confidential user data, including clipboard contents, which can expose assets such as crypto wallets.
Due to the modular nature of software development today, a single malicious library or module can find its way into a large number of apps in an astonishingly short span of time.
For example, one malicious SDK known as the “SpinOK” module was discovered in 101 apps on the Google Play store, including a range of addictive minigames, resulting in 421 million total downloads.
Best Practices for Securing Your Organization Against Spyware
These trends, coupled with the growth in the number of reported spyware incidents year after year in regions worldwide, including incidents against civilians, have led to Microsoft’s recent condemnation of mercenary spyware as “a threat to democracy and human rights around the world.”
It’s not enough to just be aware—and no region is safe. Every organization, everywhere in the world, must take steps to stay safe against spyware of all kinds. To protect your organization from mobile spyware attacks, you need a comprehensive security strategy:
- Update: Make sure to update your devices and software with the latest security patches.
- Verify: Only download apps from trusted sources.
- Authenticate: Use strong passwords, biometric security, and two-factor authentication.
- Educate: Train employees to be careful about which apps they download, to recognize the signs of a spyware infection, and not to open emails or text messages from senders they do not know or whose addresses they cannot verify.
- Centralize: Implement mobile device management (MDM) platforms to centrally enforce security policies, track device usage, and wipe devices remotely when lost or stolen.
However, none of these steps is enough in itself. For example, keeping devices up to date cannot defend against zero-day attacks. Endpoint-management solutions are not enough to secure an increasingly mobile workforce. And with zero-click malware, educating users can only go so far.
That’s why the most important step you can take to keep your assets safe is implementing a mobile security solution that will scan apps and files for malicious content, as well as block phishing attacks and other threats. The solution you choose must also be able to scale effectively across all your users and all their devices, without interfering with normal device use.
How Check Point Can Help
Check Point has been an industry leader in cyber security for decades. Backed by the power of Check Point ThreatCloud AI, Check Point Harmony Mobile offers a comprehensive solution that protects your organization from mobile spyware attacks.
Because attacks can come from multiple directions, Check Point Harmony Mobile keeps you safe in a few different ways:
- Identifies: Pinpoints OS versions that are vulnerable to Pegasus and other spyware exploits; scans incoming files for the industry’s best on-device mobile file protection.
- Intercepts: Stops attempted communications between spyware and command-and-control (CnC) servers; recognizes and shuts down known malicious files used in recent spyware attacks; denies access to corporate assets and resources to infected devices.
- Alerts: Warns your security team if a device has been jailbroken, or about attempted sideloading of apps from unofficial app stores, both common spyware tactics to gain access to sensitive data. (It also blocks sideloading on Samsung devices using Samsung Knox Agent.)
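The following Python script is an added example and is not Check Point’s or Harmony Mobile’s code. It shows the kind of posture check that sits behind the best practices above (Update, Verify, Centralize) and the identify/intercept/alert capabilities just listed: it evaluates a constructed device inventory against a policy and decides, per device, whether to allow, warn, or deny corporate access. The minimum OS versions, the blocklisted domain and file hash, and the installer names are assumed placeholders, not real indicators or patch levels.

```python
"""Fleet posture check over a constructed device inventory.

Added example for this post; not Check Point's or Harmony Mobile's code.
Every device record, version threshold, domain and hash below is a
constructed placeholder, not a real indicator.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy: PLACEHOLDER minimum OS versions per platform (assumption, not real patch levels).
MIN_OS_VERSION = {"ios": "16.6", "android": "13"}
# PLACEHOLDER blocklists standing in for a threat-intelligence feed.
BLOCKED_C2_DOMAINS = {"c2.placeholder-bad.test"}
BLOCKED_FILE_SHA256 = {"00" * 32}
# Installer identities the policy treats as official app stores (assumption).
TRUSTED_INSTALLERS = {"com.android.vending", "appstore"}
# Findings that deny corporate access outright; anything else only warns.
HARD_FINDINGS = {"jailbroken_or_rooted", "sideloaded", "c2_contact", "known_malicious_file"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'16.5.1' -> (16, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    device_id: str
    platform: str                          # "ios" or "android"
    os_version: str
    jailbroken: bool                       # jailbroken (iOS) or rooted (Android)
    installed_apps: List[Dict[str, str]]   # {"package": ..., "installer": ...}
    outbound_hosts: List[str]              # hosts the device recently contacted
    file_hashes: List[str]                 # SHA-256 of files received on the device


def evaluate(device: Device) -> Dict[str, object]:
    """Map one device to its findings and an allow/warn/deny access decision."""
    findings: List[str] = []
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        findings.append(f"unknown_platform:{device.platform}")
    elif parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"os_outdated:{device.os_version}<{minimum}")
    if device.jailbroken:
        findings.append("jailbroken_or_rooted")
    for app in device.installed_apps:
        if app.get("installer") not in TRUSTED_INSTALLERS:
            findings.append(f"sideloaded:{app['package']}")
    for host in device.outbound_hosts:
        if host.lower() in BLOCKED_C2_DOMAINS:
            findings.append(f"c2_contact:{host}")
    for digest in device.file_hashes:
        if digest.lower() in BLOCKED_FILE_SHA256:
            findings.append(f"known_malicious_file:{digest[:12]}")

    if any(f.split(":", 1)[0] in HARD_FINDINGS for f in findings):
        decision = "deny"       # block corporate resources until remediated
    elif findings:
        decision = "warn"       # e.g. only an outdated OS: nudge the user to patch
    else:
        decision = "allow"
    return {"device_id": device.device_id, "findings": findings, "decision": decision}


def evaluate_fleet(devices: List[Device]) -> Dict[str, Dict[str, object]]:
    """Evaluate every device and index the results by device id."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed inventory: a clean device, an unpatched one, and a compromised one.
SAMPLE_FLEET = [
    Device("ios-001", "ios", "16.6.1", False,
           [{"package": "com.example.mail", "installer": "appstore"}],
           ["mail.example.test"], []),
    Device("and-002", "android", "12.1", False,
           [{"package": "com.example.game", "installer": "com.android.vending"}],
           ["cdn.example.test"], []),
    Device("and-003", "android", "13", True,
           [{"package": "com.example.minigame", "installer": "com.unknown.store"}],
           ["c2.placeholder-bad.test"], ["00" * 32]),
]

if __name__ == "__main__":
    for result in evaluate_fleet(SAMPLE_FLEET).values():
        print(result["device_id"], result["decision"], result["findings"])
```

In a real deployment the inventory would come from the MDM or mobile-security agent and the blocklists from a threat-intelligence feed; the point of the separate warn and deny tiers is that an outdated OS alone should trigger a patch reminder, while a jailbreak, a sideloaded app, or contact with a known command-and-control host should cut the device off from corporate resources until it is remediated.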
And Harmony Mobile accomplishes all of this while having no impact on user experience or privacy.
Check Point Harmony Mobile can even defend against the latest zero-click spyware, which takes advantage of vulnerabilities in SMS, other messaging platforms, and email and phone apps to deliver spyware without the user having to take any action at all. Plus, Harmony Mobile is sophisticated enough to detect obfuscated (hidden) polymorphic and zero-day malware.
Stay Ahead of Today’s Toughest Mobile Threats
You can’t afford to leave your users’ mobile devices unprotected. There are too many hazards out there and too many attackers eager to access your information, contacts, IP, and more.
However, it’s important to find a balance. Mobile devices are central to the way almost all users work today, and it’s impossible to turn back the clock. Your users are constantly checking emails; accessing records; submitting expenses; sharing reports, links, and documentation; and making audio or video calls—all from their mobile devices.
That’s why you need a mobile security solution that lets users get their work done and won’t get in the way while keeping all your assets safe. Plus, you need to make sure your solution scales up to keep management simple even when you have thousands of users and devices.
With a cloud-based, intuitive, and centralized management console, Check Point Harmony Mobile helps you prioritize mobile security and keep your organization safe against evolving and ever more sophisticated threats without slowing your users down.