
I Tracked Myself With $170 Smartphone Spyware that Anyone Can Buy - JackPoach
https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy
======
rloc
So in order to track the phone he had to:

1) Get physical access to the phone and be able to unlock it.

2) Manually disable the Android setting so that non verified apps can be
installed (the setting is enabled by default on almost every Google Android
phone to protect users). By doing so a clear message warns the user that the
phone will become vulnerable to attackers.

3) Install an obscure apk on the phone (side load or via link) outside of the
Play Store.

I would call this just installing an app that is designed to track you. Such
an app is trivial to code.

When you decide to set your OS free to make it possible to install anything
then obviously you can install anything on it, including a spyware.

It makes no sense to compare this to iOS because iOS doesn't allow 2) (walled
garden). Android leaves it up to you and thus provides more "freedom" to
users. Freedom comes with additional risks. The equivalent is jailbreaking on
iOS (unofficial).

I like to compare this with someone being locked in a room. This person is
obviously less likely to die from a car accident than a free one. But does
that mean you want to live locked in a room ?

~~~
id122015
What you said is exactly what I watched on youtube.

But my question is about desktop app, is it true that any app could contain
malware ? Even popular apps like Transmission have been infected, how about
those that are not popular and the antivirus doesnt know about ?

~~~
rloc
Yes.

Xcode was hacked not so long ago. The malware could remain invisible even to
the creators of the app. Although it's less likely to remain unnoticed with
open source projects due to the visible nature of it.

On desktop, Mac OS and Windows now provides official stores where apps are
verified and signed.

On Android I remember Google added an app scanner in order to detect infected
apps even when the security setting is disabled. On windows there is defender.

At the end of the day it's all about trust. Be very careful regarding where
you download the software from.

------
hrodriguez
My first thought was how easy my wife could get this on my phone (or vice
versa) - as the article points out. How easily the app could be installed by
law enforcement, airport security, etc when they demand access to the phone
and walk away with it.

Secondly, I thought how easily someone (boss, co-worker, spouse, etc) could
use this as a surveillance device. Just leaving the phone lying around and
remotely turn on the mic and camera. (I'm aware of other apps that have this
functionality).

Thirdly, I thought it could be useful if my phone was ever lost or stolen. But
at the same time, I would be enabling a backdoor into my phone. Trusting a
company that develops spyware is a huge leap too.

Fourthly... and actually this was my first thought: Many have already given
the Operating Systems they use daily carte blanche to do the very things these
spyware apps are able to do. Toss in data-mining and even worse... data-
sharing and these spyware apps look like amateur attempts at spyware.

There are a number of use cases but most seem to be pretty bad. Even their
followup article[1] is scary (hard to remove even after a factory reset, best
to use another phone).

[1] [https://motherboard.vice.com/en_us/article/how-to-protect-
yo...](https://motherboard.vice.com/en_us/article/how-to-protect-yourself-
from-creepy-phone-snooping-spyware)

------
diego_moita
So, since in the U.S., Canada and many other countries you are required to
provide to border and customs agents both physical access to your
phone/computer and the password to access it, this means that you just can't
trust any device that has been through customs.

Is it there any software or means to reset/clean a phone or computer? Is it
possible to backup all your data and accounts into external storage, wipe the
device clean and, after customs, reset it again?

~~~
Semaphor
You can do a nandroid backup, format the phone and reinstall the nandroid
backup. Formatting is probably not even needed as restoring the nandroid
backup will overwrite everything. At least for the laughingly trivial case the
article presents that would be enough.

Not sure how much of the above is possible on an unrooted phone.

~~~
diego_moita
Thank you. It seems that Flashify and Flashfire can also do this.

I will root my phone next month and start playing with them.

------
lultimouomo
This is basically a remote admin tool that has to be installed manually having
phisical access to the unlocked device. Just like androidlost or similar legit
software, only obviously not bound to your Google account so that once
installed it can be used without knowing your account credentials. Nothing too
interesting IMO.

------
aaronpk
At the end, the author mentions that this type of software is available for
iOS as well. My understanding of iOS is that this kind of thing is virtually
impossible, because 1) apps must be distributed through the app store, and
will be removed if found to be spyware, and 2) app developers have much less
ability to do things in the background, especially using the microphone and
camera. Is there anything written about actual examples of this kind of
spyware on iOS yet?

~~~
WhitneyLand
No. It's misleading to say it works on iOS. There are some companies who sell
spyware that works by using the iCloud password you provide to get certain
data from there.

But there is no easy service you can buy to start monitoring cameras and
microphones.

In general it's more secure than Android.

~~~
StavrosK
Your entire comment is misleading. To install things from an APK on Android
you have to go into the settings, disable security, download the APK and click
through multiple prompts.

On iOS, you can't disable security at all (yay freedom), but you can just
jailbreak the phone and install whatever you want. If the attacker has
physical access to the phone, security on both platforms is comparable, i.e.
zero.

~~~
valine
Jailbreaks have been much harder to come by since iOS 10. There actually
hasn't been a publicly available jailbreak of the current version of iOS since
ios 9.3.4. The only way to have a jailbroken phone on 10 was to know ahead of
time to stay on iOS 10.1.1. By the time the 10 jailbreak was available Apple
had already patched the vulnerabilities and made it impossible to downgrade.
It's not something you can do on the spur of the moment. Either you spend an
ungodly amount of time writing your own jailbreak, or you monitor reddit like
a hawk trying to anticipate which version of iOS is most likely to be hacked
in the future.

On top of that there is no such thing as an unteathered jailbreak for iOS 10.
The best you can hope for is a semi teathered jailbreak which requires you to
manually run an app every time your phone restarts.

------
andai
What can be done to protect against attacks like this?

I'm considering switching from Android to iOS since I've heard good things
about the security and privacy.

~~~
ianpurton
The attacker needed access to the phone.

It's generally game over for any device if the attacker has physical access.

~~~
blakesterz
>> The attacker needed access to the phone.

Yeah, he clearly says he had to side load that thing, and yet near the top of
the story he says this:

 _' With a single SMS message, this spy had remotely activated the microphone
in my smartphone, turning it into a portable and surreptitious eavesdropping
device.'_

That kind of implies that is how this thing was installed, but that's not
really how it worked.

~~~
serg_chernata
Well, he says it was "activated" via sms, not installed.

------
M_Grey
Is it _really_ news that physical access is king?

------
fbarriga
is sad to see this kind of article on hacker news...

------
01Michael10
> My first thought was how easy my wife could get this on my phone (or vice
> versa)

That was your first thought? I guess it's time get a divorce lawyer.
Regardless, it's really that easy? Why don't you have your phone locked?

~~~
hrodriguez
She can go through my phone anytime she wants. But maybe I don't want her to
see me tell a user to go fuck himself... hard:) because he decided to
_project_ his SJW personal issues or warped interpretations onto a single
sentence from a benign comment covering a number of real-world use cases.

Right now, this was my first thought.

