What happens when your phone is spying on you (ucsd.edu)
184 points by sizzle on March 15, 2023 | 158 comments



I found this article very shallow. It covers only spyware that is installed when a device is physically compromised.

I was hoping it would cover spy/malware that installs remotely through many more infection vectors, like clicking text messages. I guess NSO/Pegasus malware has this capability.

I barely use any apps and would gladly settle for a flip phone... I value privacy more than the ability to order food through my phone.


I was hoping it would raise the alarm regarding Google and Apple's overreaching, always-on data collection practices. 99% of people don't need to worry about an attacker gaining physical access to their unlocked device and installing an application. We as a society do need to worry about tech giants amassing enough data on us to gain an insurmountable AI-training-data advantage which makes them too useful as tools of the state to be regulated by said state.

The irony of pointing out how to spot a "spyware" app disguised as a WiFi icon when the dozen Big G apps pictured alongside are collecting the same data...


You would think the panic over TikTok spying would illuminate the problem with apps having carte blanche access to your personal data 24/7. There is nothing that the TikTok app does that any other app cannot also do. It seems nobody wants to make that connection.

There should be real protections for consumers to prevent ANY application from slurping up this data, and I don't mean just a disclosure or system setting to hamstring the application into uselessness. I mean, there should be regulations preventing the collection of this data in the first place, with hefty fines and punitive damages.


Most privacy advocates probably do plenty of things I would be perfectly happy to see made illegal, but we don't just ban them because we don't want a complete dictatorship of one segment of the population over everyone else, and because it seems the people realize it would cause problems for some people, and we need to be careful to find suitable replacements before we ban things.

A lot of the tech I imagine you are referring to has been life changing for me, and if it cost normal SaaS prices would not be affordable.

Regulations and disclosures are good, but a straight ban would (depending on how it was written) quite likely affect services that inherently require mass data collection, like Tile trackers, and might make other services have to do subscriptions and become unaffordable for many.

If there was a state sponsored Pine64 style company that could do all of what Google does for the same price without spying, it would be great. But at the moment, the FOSS community does not have true equivalents, or the budget or interest to do so, nor the marketing power to do the stuff that only works if everyone else uses it, and the non-spy commercial solutions have many of the same issues and cost too much for low income people.


<< A lot of the tech I imagine you are referring to has been life changing for me, and if it cost normal SaaS prices would not be affordable.

I think part of the issue is that it is too affordable. The whole free content, free email, free infrastructure got us into the current mess to begin with, and since advertising was the only place that paid, now it is a part of the landscape. But on that front, the pendulum may be swinging the other way.

And privacy itself is one of those terms that can easily lead into a very broad discussion unless it is clearly defined from the outset.

<< we need to be careful to find suitable replacements before we ban things.

Nah, as a society we were very permissive for the past two decades at least. It is time for tech to grow up and join the rest of the mature industries.

<< But at the moment, the FOSS community does not have true equivalents,

Sadly true. I am currently on Pine ( postmarketos ) since my main phone died. I absolutely love the idea and I keep trying to support it when I have a chance, but it is still not ready for prime time ( and I am not good enough to contribute in code ).

<< and the non-spy commercial solutions have many of the same issues and cost too much for low income people.

And this is why spying - ekh, totally voluntary data collection - should just be verboten. We have seen where this road leads and it is not fun long term.


Well, I sure don't ever want to lose half my day to forgetting things, being constantly lost, and losing my keys and wallet constantly.

As far as effects on me, getting rid of modern tech would already be getting close to the authoritarian nightmare they talk about, far more than basically any of the laws other people complain about.

If the effects are harmful enough to regulate, it's the same kind of conversation as cigarettes and gas engines and a million other things that we put varying levels of restrictions on but don't ban.

Going after spy tech with more force than we go after everything else just seems like government enforced luddism.


<< Going after spy tech with more force than we go after everything else just seems like government enforced luddism.

You do have a point especially if I examine my thoughts on cigarettes, alcohol and so on to determine what makes spy tech more of a target in my life. I think the difference is that even without regulations and restrictions, I can escape both cigarettes, gas engines and so on if I so choose.

With spy tech, even if I take just about every step there is to take, even full blown luddism does not get me the world that was. These days, being a private person takes real money ( vide FB Zuckerberg buying property to ensure privacy on his real estate ).

You do have a point nonetheless, which brings me to this: what is an acceptable restriction on it to you?


I'm not actually sure what the "maximum viable policy" would be for me. While privacy is a right, so is free speech and observation. Even something like "You can't spy whatsoever without consent" goes too far, because CCTV cameras are important, and legalizing secret recordings could deter many kinds of abuse.

One thing that definitely seems uncontroversial is protection for spaces that have an expectation of privacy. Obviously no democratic state has any business allowing AirBNB bathroom cameras, since basically nobody aside from criminals wants that to exist, and by extension any space that specifically claims to be private should have the same protection.

Requiring a "Facebook moderators may access these chat logs under some conditions" notice at the beginning of everything someone might otherwise think was private seems reasonable.

What I have more of an issue with is defining new spaces with that expectation.

The government should probably have stricter rules than everyone else on privacy, since they are the main group who both can and possibly might want to actually make use of data to harm an average person.

Digital search warrants and subpoenas have solved real problems, so I wouldn't want to get rid of those entirely, but there could be a central logging facility where you can get access to any data they have on you, get notified instantly (Or within a time limit that expires if you are arrested, if there's a need to temporarily seal it to prevent tipping off a murderer) of any new accesses, and appeal the decision that allowed them to access it, so they can't just rubber stamp give it to everyone without any transparency.

Encryption should be permanently made a right, along with anonymity networks like Tor, and cryptocurrency in general (although maybe not proof of work, and I sure wouldn't want it to become an everyday thing we all have to deal with).

The big problem with spying is that it's just observing people and telling others what you saw; you can't fully eliminate spying without eliminating an important part of free speech.

In general, the GDPR seems to get things mostly right, but I still think the best solution is actually having private alternatives people actually would use by choice, and making sure those are legally protected.


What do you mean by "Most privacy advocates probably do plenty of things I would be perfectly happy to see made illegal"? Can you give some examples of what you mean by things you want to see made illegal?


eating meat, burning coal, owning pets, paying taxes, cycling, sunbathing, crochet, wearing Crocs with socks, shitposting..


Cycling… says the corn syrup addicted American


they probably would!


Most privacy advocates I know revolve around the concept of "informed consent". The idea isn't to ban technologies because they can be abused, it's to stop the abuse.

The guiding principle for when that line is crossed is whether or not the affected person was completely and accurately informed about what is going to happen, and that they have affirmatively given their consent for it to happen.


The GDPR goes a little farther than that though, because it makes consent revocable even after the fact, and disallows consent as a requirement to access a service, and some privacy advocates seem to think that's still not enough.


The ability to revoke consent is an essential part of consent, in my view.

> some privacy advocates seem to think that's still not enough.

I am one of them. I think the GDPR is inadequate in many ways, but it's certainly a huge improvement over the nothing that existed prior, and it's much better than anything we have here in the US.

But the things I think are inadequate about the GDPR still revolve around consent. I will admit that "consent" is a very broad term, though, and includes a whole lot of intricacies and nuances. It's a bit like "freedom" in that sense.


I guess it depends on how you view personal data.

To me, it's just like any other data, licensing it to someone is no different than licensing the source code to something you wrote, if it's revocable the whole concept doesn't make sense, and you don't really own it so much as it's held in trust by the state.

But it seems like some people see it as something really personal and special that inherently shouldn't be treated like any other commercial asset, (Possibly because they've got more interesting lives than mine!) and there doesn't seem to be any compromise that doesn't make someone unhappy.

Revocability does make a lot of sense and I can think of a lot of very good use cases for that right, but also some ways it impairs P2P.

I think the only real solution is for private tech to achieve real parity with nonprivate tech, at least as much as is possible (Tech is almost never private compared to no tech at all, it can always be hacked), but I have no idea how that would be possible.

Technically it could happen, socially FOSS devs would rather work on minimalist stuff.


> To me, it's just like any other data, licensing it to someone is no different than licensing the source code to something you wrote, if it's revocable the whole concept doesn't make sense, and you don't really own it so much as it's held in trust by the state.

We live in a world where “buy this movie” on a streaming site gives you no kind of ownership, merely a temporary license to rent the data until the company decides they don’t want you to have it any more - treating personal data the same way doesn’t seem bad by comparison...


> To me, it's just like any other data, licensing it to someone is no different than licensing the source code to something you wrote

I agree with this. It's your data, you're free to license it out in any way you choose.

> if it's revocable the whole concept doesn't make sense, and you don't really own it so much as it's held in trust by the state.

I don't understand this. How does your ability to revoke a license you've issued mean that it's held in trust by the state? Revocability underscores that you own the data and can control what happens to it in the future.

By the way, almost all licenses are revocable.

> But it seems like some people see it as something really personal and special that inherently shouldn't be treated like any other commercial asset,

And those people aren't wrong. They're exerting their rightful control over their data as they see fit. If I choose to license my data out, I am also exerting my rightful control over my data as I see fit. There is no contradiction here -- in both cases, it's about consent.


What's your position on the right to privacy?


The right to privacy is alienable, like the right to party; it must be fought for.


Like indentured servitude?


It's a basic human right, same as right to free speech. Encryption and anonymity technology should be strongly protected and respected, and I support most of what the GDPR is doing.

It's just completely banning the choice to use nonprivate services I have an issue with.


> I was hoping it would raise the alarm regarding Google and Apple's overreaching, always-on data collection practices

It seems this is the article you were expecting: https://news.ycombinator.com/item?id=26639261.


Oh, maybe I can give it a shot. I'll be sure to include Amazon as well.


> I value privacy more than the ability to order food through my phone.

I know you didn't mean it like this, but I find it funny that it reads like we've abandoned the idea of calling a restaurant and just talking to a person to order takeaway.


> talking to a person to order takeaway

Also supports small business by saving them double-digit app fees!


Not necessarily. The delivery apps set up proxy numbers to pass calls through, taking a lead fee. So you can't just search "sub shop near me" and call, as it might not be their actual phone number. Your best bet if you want to save the local place fees from the apps is walk in the first time, then call the number off the paper menu from then on.


If they have a website, that's usually a good number too


PiTM (Parasite in The Middle)


I know a couple of small restaurant owners. Even ones that don’t go through UberEats or GrubHub use SaaS restaurant software that also comes with a white labeled restaurant specific app that accepts Apple Pay (standard credit card fees - not 30%) and other payment methods. They actually prefer it.


Weird. The small places here (I'm thinking Chinese take-out, for example) take cash only, order tickets are on paper, they don't deliver, and seem to be thriving. Have the Uber Eats and other tech middlemen started taking such a big slice of the profit that it's not worth it?

Having worked in a restaurant, if someone took 30% of my gross it certainly would have been all of my profit and then some.


NYC currently caps fees at 20%. Grubhub is lobbying for 30%.

https://www.restaurantbusinessonline.com/technology/nyc-coul...

> New York, like many cities, put a limit on third-party delivery fees during the pandemic to help restaurants that had come to depend heavily on the service. Last August, it became one of the few jurisdictions to make the emergency measure permanent ... Last year, it passed a first-of-its kind law that would force delivery providers to share more customer data with restaurants.


I just said the opposite. Restaurant apps do not pay 30% even when going through the App Store. It’s a physical good and even if they do accept Apple Pay, they get charged standard credit card processing fees - $0.25 + 2-3% of the amount.

I said they do not use GrubHub. They have their own system run as SaaS. The company they use takes care of the POS system, merchant accounts, and a white labeled app just for their store.


Are customers willing to download a new app for each restaurant?

Does the SaaS/POS company let customers use one app and "install/subscribe" to each restaurant as needed?


They also offer a white labeled website. Once you have a website, creating an “app” that’s just a web view that provides notifications for delivery and/or when your table is ready is relatively easy. Of course it’s more about branding than anything else. They can also just send text messages.


Middleman feudal tax garbage always seems great at first.

In an abusive relationship that part is called the honeymoon period. The goals, the mindset of the perpetrator, and the end results are the same.


What feudal tax? The SaaS system that provides servicing and support for the point of sales system, merchant accounts, online ordering, designs web pages, and optional apps, optional hardware for pagers when someone’s table is ready or a text messaging notification system?

Or are you referring to the app in the Apple Store that optionally supports Apple Pay (not in app purchasing) where the merchant is charged the standard credit card processing fee - $0.25 + 2-3% of the price?

Would it be better if the person running the restaurant had to do all that themselves?

I’ve seen a mom and pop pizza shop that had all of the technology of a Papa John's thanks to all of the SaaS offerings available.


Hopefully white label SaaS will grow their marketshare - any estimates on annual revenue for that sector?

Revenue for the major US delivery apps is currently in the billions, with feudal taxes.


The difference is that GrubHub has high fixed costs and high variable costs for drivers. A SaaS model has fixed costs for developers, sales, support etc. But marginal costs to add new customers are minimal.

Revenue may be in the billions. But they are all losing money. The smaller companies can easily be “lifestyle businesses” that hire in low cost of living areas and go after “enterprise devs” who are very happy to make $135k - $165K and don’t expect “equity”.

I spent most of my entire career as an “enterprise dev” working with SaaS companies in the bill payment space, field services, and health care.

I’m in $BigTech now working in the cloud consulting department working with a lot of the same types of companies.


<< just talking to a person to order takeaway.

The sad thing is that even if you do that, the restaurants are now almost guaranteed to use your phone as a unique identifier and use that data for, hopefully, their own purposes ( hopefully, because the lure of selling data might be too much ).


It's good privacy practice to use cheap and disposable VoIP numbers for online/phone shopping, changed periodically.


Many restaurant managers already have: I'm increasingly finding places won't allow phone orders, at least during peak hours.


So call the places that do. This is called free market competition.


But why? Ordering via app is more convenient, and the restaurants clearly don't mind fees.


Oh here, let me run it down real quick. You don't even need to be an expert.

Tracking cookies, browser fingerprinting, and ISP-level monitoring logs everything you do.

Various consumer database warehouses hoover up the data for resale/targeting by ad companies.

Hint: once a business has it, at a minimum the FBI/CIA/Government has it. Likely, they've been hacked by China and Russia too.

In addition, the CIA/FBI run ISP-level and DC-level monitoring/hoovering.

Finally, there is no oversight. Either the FBI will cookie cutter whatever request they need after the fact to the rubber-stamp-anyway kangaroo oversight "Court", or they won't even bother. The CIA doesn't even need to care. The only limitation of widespread abuse is some sense of patriotism in the CIA/FBI, and of course that is pretty simple to frame/justify as needed.

The bottom line is that there is a 100% turnkey total information awareness infrastructure for any authoritarian regime that takes over the US government (see: Iraq war, false flag attacks, McCarthyism, etc). They know everyone you communicate with, your political views, your buying habits, and they will soon have AI software to maximize utilization of the firehose for profiling, reeducation camps / gulags, and the like. The US government can deny you civil rights by declaring a US citizen an enemy combatant, and is more than willing to set up concentration camps for immigrants, and therefore "terrorists".


Exactly three years ago I would have laughed at you, but three years of COVID has taught me that the powers that be in our society — which include journalists, academics and moderators of online forums — will happily help tear down essential liberties for perceived, small, and temporary safeties.

The abuses stemming from a lack of privacy have not been realized because of political convictions, but because of technical limitations. The advent of advanced AI models will remove many of these technical limitations and allow corporations and governments to quickly build detailed profiles of every citizen that touches the internet.


It is interesting how this is something people only "wake up" to now on a generational basis. Obviously the government wants this to happen: each generation's specific communication modes are presented as "safe", but in reality each generation's social network apps du jour are a new opportunity for even better "total information awareness".

This has been apparent since "Carnivore" was revealed to not be a conspiracy theory, but an actual system in THE LATE NINETIES, and ECHELON since the 1960s. And since then I would roughly say computing power is 20-40x more powerful (5x the gigahertz, 8x the cores), and storage is probably 1000x more scalable (40GB/280$ vs 14TB/200$).

I have no idea how old you are, but three years ago, heck that is well past the point you should have been aware of this. Look:

https://en.wikipedia.org/wiki/Room_641A

That was revealed in 2006. Basically, the crux of it was that there were "secret rooms" like that in EVERY SINGLE telco. Well, except apparently Qwest, which blew my mind at the time because they were the worst regional telco of them all, so the fact they stood their ground was a total anomaly in their usual monopoly extraction sociopathy.

One big sign of this is TikTok. TikTok is an attempt by the Chinese to subvert the normal monopoly the FBI has with social networks, since the US/EU governments are working with US/EU companies for Facebook, Twitter, etc. But TikTok is Chinese.

So TikTok looks like just another social network to a typical social network junkie, but then you read all these headlines where Congress and the EU want to ban it, seemingly strangely up in arms over just another video social network, and .... that's because the Chinese are doing what the US/EU have done for 25+ years. The US government has ITS toys, and doesn't want the Chinese to take them.

That should clue you in to how much the government likes having total information access to social networks that are US/EU based.

A lot of this could be swallowed if the US exhibited healthy signs of a functioning democracy, instead it is another sign of an emerging postmodern totalitarian state. The last hope of this was our judicial branch, which has been so thoroughly compromised by 30 years of partisan nominations (read: pro-elite in all cases) and Iraq war case law that it will never go back.

I would stay quiet, but by the time I realized what was going on I had 10+ years of data on me. It doesn't matter anymore.


God's all-seeing presence is a preservative against sin and a means to make you watchful over all your ways and actions. - Thomas Gouge

It was always the intent to make sight of citizens completely transparent.


Flip phones are available. SBF has been issued with one under his latest conditions of release.

Remember though, privacy comes at a cost. Thousands of parasitic "startups" that live off of VC, produce nothing for sale, have no profits and rely on surveillance to demonstrate speculative "value" might suffer or even "go out of business", "Big Tech" might not rake in billions per quarter for selling ad services, "tech jobs" might be lost. It could be catastrophic. The entire economy could crash. It could put an AI-driven utopian future at risk. All because of the desire to maintain privacy. This is not just another HN comment containing only FUD or hype-based predictions with zero factual support. "We take privacy seriously." It's a threat to what we do. As an "industry" it's vital that we maintain peoples' trust while we surveil them. /s


"Business" is normally defined generally as sales and purchases made for profit.

What if a company has no profits.

What if a company's product or service is "free". Is that sales.

What if a company has sales, i.e., online advertising services, but in its communications with employees and the public it continually suggests its "business" is something else. Why would it do that.

In any event, there is a question IMO of whether a "tech" company is even "in business" if it can only ever pay its employees and other expenses with investment rounds. Is it possible to "go out of business" if the company was never "in business" (assuming we accept the usual definition of a business).

We already know how VC and "tech" companies would answer these questions. Anyone who questions what they are doing is always wrong. We know that. We have heard it before. But VC and "tech" companies do not have a history of being honest. There is a credibility issue. Not to mention that trying to discredit people who ask questions is silly.

This thread titled "What happens when your phone is spying on you" is about (free) "smartphone apps" that collect data about people below peoples' awareness, strategically avoiding the issue of consent. Why is this even happening. Did VC and "tech" companies have anything to do with it. No, of course not. Performing such hidden data collection is exactly what they consider a "business". It seems that some folks would prefer not to be spied on even when it is essential to someone else's "business".



It's because he was using sarcasm, which you failed to detect.


I probably failed because the quoted words were not actually quotes. I could understand a word like “value” being quoted sarcastically without a specific quote in mind, but the quoting of many other words and phrases were mystifying.


Try to replace OP's quotes with an appositive like so-called or so to say. "Big tech" = so-called Big Tech, "industry" = so-called industry etc. This way, the irony does make sense, especially when you read OP's earlier comments.


Yes, I know how sarcasm quotes work. It just didn’t seem to fit all of them, like “go out of business”.


This seems like a sarcastic reference to "startup-speak": phrases that are somewhat overused by people from the startup industry. Corporate slang and a sign of belonging of sorts that might feel a little overblown for those outside the tech world.

I'm just a hobbyist geek, though, so I may heavily overinterpret things (and the OP) here. :)


> As an "industry" it's vital that we maintain peoples' trust while we surveil them.

Thanks. I puked a bit. Put a damn /s on that thing.

If it was not in jest, seek help. You aren't thinking properly.


This is a standard university press-release style article about a paper accepted at PETS:

https://www.sysnet.ucsd.edu/~voelker/pubs/spyware-pets23.pdf

It's academic research, so this thread here expressing disappointment about the article is weird. We should probably just replace the press release with a link to the study itself.

From the abstract:

In this work, we perform an in-depth technical analysis of 14 distinct leading mobile spyware apps targeting Android phones. We document the range of mechanisms used to monitor user activity of various kinds (e.g., photos, text messages, live microphone access) — primarily through the creative abuse of Android APIs. We also discover previously undocumented methods these apps use to hide from detection and to achieve persistence.


Apple has “Advanced Data Protection” that you can enable.

This was built after the NSO group hacks to lock down the device to be resilient to nation state attacks.

It limits some of the attack vectors you’re talking about (with a tradeoff of also limiting some features).

Apple also enabled true e2ee in the cloud where only you retain the keys.


> Apple also enabled true e2ee in the cloud where only you retain the keys.

Is there a procedure to realistically verify that your communications are e2e and not e2mitm2e ?


All of it is a bit silly to trust companies with things like this when there are standard techniques which have stood the test of time and are *far* simpler - tar.zst.gpg or squash.gpg, luks-encrypted qemu images, etc. Things done locally are just inherently better, because it's far simpler tech, and you actually know what's happening rather than just blindly trusting some sketchy company.


Canary content for your threat-modeled attacker, then monitor for the data being acted upon, e.g. traffic to non-public URL.
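The canary approach in the comment above, as an added example that is not part of the thread: register an unguessable canary URL for each place you plant it, then scan web server access logs for requests to those paths and attribute each hit back to the planted location. The domain `canary.example.invalid`, the labels and the combined-format log lines are all constructed for this example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder domain (constructed for this example). In practice this must be a
# host only you control and that is never published anywhere except inside the
# canary content itself, otherwise a hit proves nothing.
CANARY_HOST = "canary.example.invalid"


@dataclass(frozen=True)
class CanaryHit:
    label: str        # where the canary was planted
    client_ip: str
    timestamp: str
    user_agent: str


class CanaryRegistry:
    """Maps unguessable tokens to the place where each canary URL was planted."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def plant(self, label: str) -> str:
        # 128 random bits: a scanner cannot stumble on this path by brute force,
        # so a request for it means the planted content was read and acted upon.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = label
        return f"https://{CANARY_HOST}/c/{token}"

    def label_for(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
CANARY_PATH_RE = re.compile(r"^/c/(?P<token>[A-Za-z0-9_-]+)/?$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_hits(registry: CanaryRegistry, log_lines: List[str]) -> List[CanaryHit]:
    """Return one CanaryHit per request to a registered canary path."""
    hits: List[CanaryHit] = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]        # ignore any query string
        pm = CANARY_PATH_RE.match(path)
        if pm is None:
            continue
        label = registry.label_for(pm.group("token"))
        if label is None:
            continue  # unknown token: scanner noise or a typo, no inference possible
        hits.append(CanaryHit(label, rec["ip"], rec["ts"], rec["ua"]))
    return hits


def run_demo() -> List[CanaryHit]:
    """Plant two canaries and scan constructed log lines; returns the hits found."""
    reg = CanaryRegistry()
    reg.plant("notes-backup")                 # planted but never requested below
    shared_url = reg.plant("chat-export")     # planted inside an exported chat
    token = shared_url.rsplit("/", 1)[1]
    # Constructed sample lines (documentation IP ranges). The server answers 404
    # for canary paths so the response itself reveals nothing to the requester.
    lines = [
        '198.51.100.4 - - [15/Mar/2023:09:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.0.1"',
        f'203.0.113.7 - - [15/Mar/2023:10:21:08 +0000] "GET /c/{token} HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
        '203.0.113.9 - - [15/Mar/2023:10:22:00 +0000] "GET /c/not-a-registered-token HTTP/1.1" 404 0 "-" "python-requests/2.31"',
        "garbage line that does not parse",
    ]
    return detect_hits(reg, lines)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"canary '{hit.label}' fetched by {hit.client_ip} at {hit.timestamp} ({hit.user_agent})")
```

Only the `chat-export` canary produces a hit; the unregistered `/c/` path and the unparseable line are dropped rather than reported.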


Most spyware is installed by the user themselves. It's typically called "security software" from your company, or the VPN they provide (which also includes additional software that backdoors your entire device).



A university PR office puts out a press release that is a shallow version of the actual paper? Why I never....


Maybe I missed it, but I didn't see a link to the actual paper, I think this is it from the conference site:

https://petsymposium.org/popets/2023/popets-2023-0013.php


Thanks for linking to the paper


Something happened to me the other day. I started drafting a text using the regular text messaging app on my Android phone, I was sending it to a friend, but I got distracted by a call and never sent the text. Later I went to finish it and send it but he had gone in and put some smart-aleck comment in the text of the message I was drafting. I was shocked. He refuses to tell me how he did it. I went through all the settings, scans, permissions and so on. He says he can't do it now but still refuses to tell me how he did it. Scary. I wish I could find out what it was he did. Any HN'ers have any ideas?


Option 1:

Sounds to me like physical access is most likely. Your friend, or someone who knows them saw the message on your phone because you left it unlocked somewhere, and added it that way.

Option 2:

Autocomplete randomly added some weird stuff to your message without you noticing it, and your friend took credit for it, because that's the kind of friend they are.

Option 3:

Your draft got synced to some other phone or computer that you were logged in to that your friend had access to. Maybe you logged in on a device that they own or something, or maybe you aren't using any sort of MFA and they just guessed your password.

Option 4:

Carbon monoxide poisoning : https://www.reddit.com/r/legaladvice/comments/34l7vo/ma_post...

If you're interested in narrowing things down a bit, you could give more information about exactly which model of phone you have, what level of jailbreak that it's in, exactly which Android flavor you're running, the patch level of the OS, and exactly which text messaging app you're using (different carriers and manufacturers ship different default SMS apps). Also relevant would be the message you were trying to send, and exactly what got injected.


I have a Galaxy S21 5G with Android 13

I also changed my pin because I suspect he saw me entering it, but when this occurred he was at the other end of town so it would have had to have been some sort of remote access. I am thinking maybe phone link, which I had been using with my laptop, I disabled that.

It was definitely not autocomplete because he said something that only he would have known regarding the message I was typing.

He is being kind of a dick about it but I think will probably tell me if I push it but I guess part of it is I don't want to appear as stupid as I guess I am and want to at least get an idea of what it was.

I also turned on face recognition so that people will not see me putting in my pin.

I do not think he went through my laptop because it was turned off at the time.

It has been making me crazy. I will probably have to buy him a bottle of wine or something to get him to confess :)

UI Version 5.1, Android Version 13, Kernel 5.4.219, Android Security patch level March 1, 2023

The app is called Messages, it's the default app and it's version 14.1.30.19

It was a half typed message, something like this:

I put in: "Hey Dan, are you going to the comedy club Friday " but was going to put "night and is anyone else going", but took a call. Then he somehow put in the text area where I was typing "yeah, Jan and Steve are going too but you are buying me drinks if you want to know how I did this."

So I knew it was him, I never hit send. So, he was in my phone I think.


You should not buy him anything. You should cut him out of your life entirely. This is an egregious trust violation. I’d forgive a teenager of such thoughtlessness but if they’re an adult then they’re going to abuse you in other ways. They don’t care about you.


Good points. Maybe time to say goodbye.


I had something like this happen. My friend is a massive prankster, and I let it escalate to the point, where they weren't just pranks.

One day he came in with a bunch of goons and they seized every piece of IT equipment I had, including the fridge with the large screen. On the way in they shot the dog and tossed a smoke grenade into the crib, which was fortunately empty since baby was at my baby mama's house. Since my child support was based on my IT salary, I owed her $12500 monthly in child support. Court does not care that I'm unemployed now, and they're seizing custody.

Lesson learned, do not let these pranks escalate unanswered. It can make you lose your dog, your kid, and/or make you a deadbeat dad.

Be courageous, and say goodbye to your potentially horrendous friend while you can.


Have you ever logged into messages.google.com?


No, never. HN is pretty much the only social media I use, the rest of it is not really my thing.


Maybe this isn’t what happened. But I was specifically referring to the ability to pair a computer with your Android device to send/receive messages without your phone: https://messages.google.com/web/authentication It’s actually quite handy.


Maybe too handy.


Did you ever get an answer to how he did this?


Wow, that's very interesting. Please post an update once you find out what the attack vector was.


I will, assuming I buy him enough drinks, I am sure I will wriggle it out of him. That little F---er.


love this list, especially Option #4 that is not on everyone's radar but a very real issue clouding people's judgement.


I am pretty sure I would not have written "Hey buy me drinks to see how I did this." even if I was CO intoxicated, that seems pretty unlikely.


Hate to say it, but he doesn’t sound like much of a friend if he’s owned your phone and refuses to elaborate on how.


Sounds like a good joke to be of either side on to me. No harm done.


to me this is an unacceptable boundary to cross. I would never be able to trust someone that does that.


Is it because the phone is very intimate to you, or because of the implications?


because they could be viewing all their private communication/media on their device and that causes a lot of anxiety cause they won't confirm or deny if they have access.


Ugh, yeah, if this was not someone I know, the pictures, yikes !


what pictures?


It's basically the equivalent of someone in the 80s tapping your phone line.


Rather someone in the 80s changing the numbers in your phone book so that you dial a wrong number.


Yeah, I sort of feel that way too but maybe also is a good lesson learned.


What’s the lesson here? That software is insecure? Or that you shouldn’t trust your friends? Sad.


All of the above, plus, maybe, don't let people see you put in your pin. don't take security for granted. Be careful. I guess the lesson I learned is you need to pay attention to security.


I think he will fess up eventually, but is sort of being a dick about it for sure.

I was hoping HN could give me ideas, but now he will probably read this on HN and then really give me a hard time about it.


Instead of freaking out about it, it would be more fun to do a similar joke to him. What's fair is fair.


Yeah, I sure want to, especially on April 1st. Maybe I should do and Ask HN, how do I get back at my dickhead friend on April fools day :)


Type the message you sent again into a random text message window and see if it changes to the smart alec comment again.

My guess is that at an earlier time he had access to your phone unlocked (when you stepped away perhaps) and changed the autocorrect for a common word or phrase to be something else as a prank.


Do you mean your friend edited your draft SMS? Did he have physical access to your phone? Are you using the stock Android app or anything special? What make/model is your phone?

By definition he should not see "your" draft on "his" phone.


I have a Galaxy S21 5G with Android 13


He might've paired a bluetooth keyboard to your phone at some point.


hmmm, could be, but at the time it happened he was on the other end of town. But I wonder if, while we were in close proximity, he could have connected a BT device somehow and planted something.


First: What is smart-Alec? Second: Does not sound like a friend to me.


smart-alec is a smart ass, I was trying to keep it clean.

agree, he is being a dick.


Were the two of you ever in physical proximity?


Yeah, I replied in the thread earlier, I suspect he saw me put my pin in. But at the time it happened he was on the other side of town.


Change your pin and see if he added his fingerprint or Face ID to unlock then dump them for being a privacy invading friend


I would just avoid charging your phone at your friend's place or clicking his links.


"When your phone is spying on you"???

The title makes it sound like this isn't a 24x7x365 concern when it very much is!


A recent, peculiar experience:

After replacing a damaged Moto with a (presumably) identical one, several months later, before leaving for work, I invoke my trusty old VPN for its maiden journey on my new device. But it won't connect. Because 'Why?', I'm not certain, but the permission dialogue for initial use wasn't appearing, while the VPN was requesting that I grant it permission... but I couldn't manually do so, because...

I then examine my network settings, and a queer surprise rears its absence -- The VPN setting/option is simply missing. Not there. AWOL.

I tuck in to hasty research (what's watching?) and find that I'm not alone. But I've insufficient time to troubleshoot. I go to work.

After work I resume, though find that the VPN now works and the options under network settings now includes 'VPN'.

Automagically fixed. Although I had rebooted the device several times that morning, it had not rebooted since - I know this due to examining Running Services, some of which I manually stop after every reboot, and which were still inactive.

I connect to ADB and peruse the logs. Not knowing exactly where to look, I find nothing relevant.

I


Some of these employee/child “monitoring” apps rival the Remote Access Trojans (RATs) that used to wreak havoc in the early days of Windows, before Windows Defender and detailed permission-level access prompts (Windows UAC, User Account Control, prompts) were brought to the attention of the user.

I feel like mobile operating systems have been stuck in the early Windows “undetectable RAT era” for far too long, only recently getting basic UI prompts for oversight/control of OS-level permissions settings per app.

I believe it was Apple that forced this privacy angle on the smartphone space and Android was forced to comply, since Android and Google’s business model is to track, profile and harvest user generated data for targeted advertising. AdTech is too profitable and has perverse incentives to keep spying on users.

With all that said, I really respect the approach the EU takes to safeguard privacy and enforce compliance from big corps.


The title needs to be updated to say “Android”


There are surreptitious ways of achieving covert monitoring on iOS. To say this applies to Android only is simply untrue.

You can do things via MDM on iOS for example and install spyware “monitoring” apps/set OS level permissions that are invisible to non tech savvy users.

Also if you have access to the device and the iCloud password/device pin (e.g. abusive partner scenario, etc.) then non tech savvy people don’t stand a chance against being secretly monitored.


TFA: We focus on Android-based spyware because most of the mobile spyware market appears to be focused there. Since curated app stores like Google Play do not permit the sale of such apps, in practice they must be side-loaded off-store, a process that Apple does not support. As a result, consumer mobile spyware only operates on “rooted” iPhones. Rooting an iPhone can be a technically involved operation (one popular guide to jailbreaking the iPhone involves 41 distinct steps [17]) and one that can take significant time to complete — both requirements at odds with the broad, non-technical customer base such apps are marketed to. We also focus on leading spyware apps as they are the apps that more people are exposed to and they are more likely to be innovative (new features could potentially bring them more customers).


And you think the Google Play Store (or the App Store) for that matter could even know what apps are doing? With iOS, the protection comes from its tighter permissions model and sandboxing


Are those two really significantly different in sandboxing and permission model?

Should also point out that neither app store is perfect and both have let malicious apps slip through. Thanks to the Epic lawsuit we also know that they have tried to hide major incidents (as in 500M installs of potential malware) from consumers.


Yes, there is no API on iOS that allows most of the things listed in the article that apps can use, even if they tried to use undocumented APIs.

> After installation, they covertly record the victim’s device activities — including any text messages, emails, photos, or voice calls — and allow abusers to remotely review this information through a web portal

And the “malware” that was installed was because people were using hacked XCode versions that didn’t come from Apple and they still didn’t escape the sandbox.


That's not really sandboxing, just a limitation of what apps can do on iPhone. And I believe it has changed recently.

Doesn't really matter how the malware got there. The important part is that it waltzed right past Apple's quality control.


Didn’t I just say that? Both App Store review processes are far from perfect. But even when app developers were inadvertently delivering malware to the App Store because of third party download of XCode, the blast radius was much more limited because Apple had sense enough to know that it might be a bad idea to let random third party apps intercept your text messages and phone calls


> To say this applies to Android only is simply untrue.

To be fair, this particular issue — the creative abuse of Android APIs by "stalkerware" apps — applies to Android only.

Also, MDMs on iPhones can't do the kinds of covert monitoring that this paper discusses. They can't access texts, emails, photos or other personal messages or data within apps on a device.


well, thanks to the EU, it's going to apply to Apple real soon too. This is one of the things app store review and fully enforceable permissioning prevents (prevented).

https://9to5mac.com/2022/12/13/apple-alternative-app-stores-...

So much for the "app store is like 1984" marketing spin that Epic put out lol. Now you have the freedom to have spyware installed on your phone... which is what I and many others have been saying all along. Not just abusive spouses but Facebook and others will be all over this.

https://www.youtube.com/watch?v=euiSHuaw6Q4

As I said previously... Facebook and others already have this sort of spyware ready to go, because they were already using their developer credentials to get users to sideload it for data mining. Now it won't be optional/"we'll give you a gift card", it'll just be mandatory if you want to use Facebook on a ios device. Sorry this device is not supported via web, please install the native app.

https://arstechnica.com/gadgets/2019/01/facebook-and-google-...


honestly all they need to monitor people is built into Apple products out of the box. Sync a dummy iCloud enabled AppleID, and clear all the prompts and emails that the device was added to the account.

You now have access to everything via iCloud and FindMy app for location tracking. You can even sign into another device and have real-time iMessage and other private data without installing any spyware apps. I will admit this is outside the scope of the paper, but arguably harder to mitigate if you are not ever checking your iCloud settings.


Even with someone’s iCloud password and physical access to your phone, a normal app can’t access your phone logs, your camera while running in the background, record your screen etc, even with an MDM.


Thank you for saying this. I agree with OP concerning the article. I work in finance and if people knew just how clueless even we are when it comes to devices being compromised they would never use an app or website for banking again. Even if we can tell it wasn’t the account holder it’s extremely hard to do much more than that. No one knows what to tell the poor person either. I take a hit and get in trouble for my hour call giving instructions but rather that than see someone suffer.

Also bad for people with stalkers/abusive partners. I don’t know why everyone says it’s so hard to compromise a device/number (either platform) when it’s not. Or maybe I’m just in a position where I see it more often and overall it is hard? My day job: minimum of 2 a day, confirmed, not counting otherwise. Volunteer work: it's not as frequent, but I also don’t deal with the same volume of people. It is creepier though and no one knows what to do. One case working with a big agency, as it involves a high dollar amount and is ongoing, and THEY can’t seem to give advice that works either. Person at this point went to a flip phone.

Reset the phone? Didn’t work. Abandon all accounts, reset phone, cool. Didn’t work. K now all of the above and dump the number, and/or replace entire phone, latter usually works but not always. Sorry this is long here is my point in commenting. I wish someone with knowledge would take the time to do a solid write up for people with zero tech knowledge not just how to protect themselves but how to determine if/how they are compromised, log proof if possible (court etc) get rid of it and move forward safely, or as safe as possible for both android and IOS, a comprehensive write up. They would be a super hero. Literally help countless.

It would help people like the 83 y/o grandma who got cleaned out THREE TIMES and cried to me begging for help on how to stop it, the women whose abusive exes show up at shelters because they have accessed sms or location despite the women using precautions given to them as the precautions are not up to date with what’s possible. Forgive me, it gets to me some of the most vulnerable people are dealing with this at an alarming rate and the people they are told to get help from genuinely don’t know what to do, while I know some it’s not enough to truly be of help say if someone has a well versed ex determined to hunt them down. These people could care less about the Gov knowing all, they just want to be safe.


I don’t think it’s black and white.

But the two systems are pretty much on opposite end of the spectrum.


> You can do things via MDM on iOS for example and install spyware “monitoring” apps

Can you name one?


I mentioned a different scenario involving iCloud, please see my comment above.


This quote in the article seems overly optimistic:

> "While Google does not permit the sale of such apps on its Google Play app store, Android phones commonly allow such invasive apps to be downloaded separately via the Web. The iPhone, in comparison, does not allow such “side loading” and thus consumer spyware apps on this platform tend to be far more limited and less invasive in capabilities."

Recommended:

https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents...

> "After confirming forensic traces of Pegasus on Nour’s iPhone, we identified the presence of additional spyware, which we attribute with high confidence to Cytrox. We further conclude with high confidence that it is unrelated to Pegasus spyware."


Once an iPhone is jailbroken, yes — anything goes. The paper describes an Android attack that just requires an app install that "[does] not require specialized technical know-how to deploy or operate".


or more generally when you're going up against nation-state level actors, such as in your link. In that case yeah all bets are off, NSA and Mossad (and places commercializing technology developed for them) are gonna get in your phone if they want to.

But this is still qualitatively different from android where the threat model is "connect USB cable and run ADB command", if even that much.


At the end of the day, tech-illiterate people are gonna get spyware onto their Android phones much more easily. If a website tells them to download some app directly and ignore any warnings about it being untrusted, they'll do it.


>They collect a range of sensitive information such as location, texts and calls, as well as audio and video.

This sentence ruins the credibility of the article because Android doesn't let you do this. The camera, microphone, can only be used when an app is in the foreground. For location data being tracked in the background it will have a persistent notification telling the user that an app has your location. For an app to read your call log or SMSs it has to be set as the phone's default phone or SMS app.

This combined with androids reminders to review the permissions for apps that have dangerous permissions and Play Protect which can detect and remove spyware this article is giving Android much less credit than it deserves.
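The permission review mentioned above is something you can do from a shell rather than by tapping through Settings. The following is an added example, not code from the thread or from the paper: it parses captured output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` and flags packages that hold several of the permissions a stalkerware app needs (SMS, call log, microphone, camera, background location, overlay), or any of them together with an enabled accessibility service. The watchlist is my own, and the sample output and package names are constructed in the dumpsys layout so it runs offline.

```python
import re

# Added example, not from the thread or the paper. It parses the text that
# `adb shell dumpsys package` and
# `adb shell settings get secure enabled_accessibility_services` print, so it
# runs offline on captured output. Package names below are constructed.

# Permissions that, held together, look like the stalkerware profile the
# article describes (texts, calls, audio, video, location). My list, not the paper's.
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

PACKAGE_HDR = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
# Matches both "install permissions:" and "runtime permissions:" entries;
# "requested permissions:" lines carry no granted= field and are skipped.
GRANTED = re.compile(r"^\s+([\w.]+): granted=true", re.M)


def parse_granted(dumpsys_text):
    """Map each package to the set of permissions actually granted to it."""
    heads = list(PACKAGE_HDR.finditer(dumpsys_text))
    granted = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dumpsys_text)
        block = dumpsys_text[head.end():end]
        granted.setdefault(head.group(1), set()).update(GRANTED.findall(block))
    return granted


def parse_accessibility(setting_value):
    """Packages with an enabled accessibility service ('null' means none).

    The setting value looks like 'pkg/.Service:pkg2/.Other'."""
    setting_value = setting_value.strip()
    if setting_value in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in setting_value.split(":") if entry}


def suspicious(granted, accessibility, min_hits=3):
    """Flag packages holding several watchlist permissions, or any watchlist
    permission plus an accessibility service (a common way to read the screen)."""
    findings = {}
    for pkg, perms in granted.items():
        hits = perms & WATCHLIST
        a11y = pkg in accessibility
        if len(hits) >= min_hits or (a11y and hits):
            findings[pkg] = {"permissions": sorted(hits), "accessibility_service": a11y}
    return findings


# Constructed sample output in the dumpsys layout (two fake packages).
SAMPLE_DUMPSYS = """\
Package [com.example.weather] (a1b2c3):
  userId=10150
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_FINE_LOCATION
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: ceDataInode=1 installed=true hidden=false
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.sysupdate] (d4e5f6):
  userId=10151
  requested permissions:
    android.permission.READ_SMS
    android.permission.CAMERA
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
  User 0: ceDataInode=2 installed=true hidden=false
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
SAMPLE_A11Y = "com.example.sysupdate/.MonitorService"

if __name__ == "__main__":
    report = suspicious(parse_granted(SAMPLE_DUMPSYS), parse_accessibility(SAMPLE_A11Y))
    for pkg, info in report.items():
        print(pkg, info)
```

A hit is a starting point, not a verdict: the default SMS app, a dialer or a navigation app will legitimately hold some of these, so compare the flagged package name against what you installed on purpose, and check `adb shell dumpsys device_policy` for device-admin apps as well, since a package can hold few runtime permissions and still be hard to uninstall.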


There's a whole section in the paper (3.3) about how they accomplished this.

For example, with respect to the camera, they documented a "standard" way to abuse Android APIs to do it (create a Preview, which unlocks the camera, but hide it in a 1x1 or transparent element), and two "new" ones --- raw frame access with `SurfaceTexture`, and creating a 1x1 WebView.

When you see articles like these at university sites, they're virtually always announcing a paper that got accepted somewhere, and you need to read the paper and ignore the press release.


> The camera, microphone, can only be used when an app is in the foreground.

This is not true. This may be partially true on the latest Android, but you can still set permissions to use e.g. GPS all the time, for things like weather or GPX recording apps.

But it's also important to remember that the vast majority (easily 90%) of devices out there are running EoL'd Android versions, nevermind Android 12 and 13.


>you can still set permissions to use e.g. GPS all the time

It requires you to manually go into the settings to grant this permission. And as I mentioned it has a persistent notification. This is a part of Android 11.

>But it's also important to remember that the vast majority (easily 90%) of devices out there are running EoL'd Android versions

This is unfortunate. If you want to have a secure device it's important to be using one which is still supported and is getting security updates. Else if a vulnerability exists an attacker can install spyware by using the vulnerability despite Android's security model.


For many it is not a choice. See: large swaths of Asia and Africa, who largely only have access to second-hand or scrapped phones.

All I'm saying really is, please try to know more about the world outside of your immediate experience.


> But it's also important to remember that the vast majority (easily 90%) of devices out there are running EoL'd Android versions, nevermind Android 12 and 13

In January 2023 78% of Android devices were on Android 10-13.

Note that (1) this was right before Samsung's rollout of Android 13, (2) this is worldwide and things look very different in the West.


For one to use WhatsApp to make calls, for example, one would need to provide it with permission to view the call logs without making WhatsApp the default app for calling.


Doesn't overlay do the same?


Do you mean having a persistent notification? Yes, it does.


TLDR; purchase a device that pairs with your phone, follow a hunch that it's doing a lot more than what it advertises it does.

A week ago I purchased a bluetooth device that takes some measurements. You require an Android or iOS application. The first thing the iOS app did was request permission for your location. I immediately fired up mitmproxy [1] running in transparent `--mode wireguard` and installed its certificate in the iOS trust store. It was sending a whole bunch of data to China and HK. Since I don't have a jailbroken iPhone, it's off to Android.

For BLE scanning, Android does require permissions for location, but this application is using a Chinese branded tracking SDK and sending encrypted blobs (within already encrypted TLS). So it's time to start reversing and instrumenting the runtime.

Well - not so easy, they used a commercial packer that encrypts their compiled bytecode and decrypts and, I think, executes it within a C++ library that might be an actual interpreter. I managed to pull the Dalvik bytecode out of memory using Frida [2] after the packer had decrypted the base application, converted it to Java bytecode with dex2jar [3], then into decompiled Java with jadx [4].

Since the developer relied on the packer to hide/obfuscate their software, it's quite easy to follow the deobfuscated code. The libraries that do the location tracking, on the other hand, are obfuscated, so now I'm at the stage of identifying where to hook before the encrypted blobs are sent to servers in China.

Here it would be nice to have a call flow graph generated based on the static decompiled java code - can anyone recommend anything?

I've sunk about 8 hours into this so far. The message here is that to understand what some applications on your phone does you need to really invest time and effort. The developers increase the cost to the consumer to know what their application is doing by obfuscation, encryption and packing. It's asymmetric. Also note: the play store and apple store state the app does not send data, which is demonstrably false.

I can also see that the tracking SDK has what looks like functionality to dynamically invoke code - which would break the terms and conditions of the app stores.

At some point I will reimplement its primary BLE functionality and release it as open source to the public and perhaps write a blog post.

[1] https://mitmproxy.org/posts/wireguard-mode/

[2] https://frida.re/docs/android/

[3] https://github.com/pxb1988/dex2jar

[4] https://github.com/skylot/jadx
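On the call-flow question in the post above, and on picking a hook point before the blobs leave the device: the following is an added example, not the poster's code and not part of jadx, Frida or any of the tools cited. It builds a rough call graph from jadx-style decompiled Java by regex (decompiler output is regular enough for that), then searches it for chains from an entry point to a sink such as `openConnection()` or `Cipher.doFinal()`; the method just before the sink on each chain is where a Frida hook sees the data in the clear. The two sample classes, their package and the method names are constructed for illustration and stand in for the real app's decompiled output.

```python
import re
from collections import defaultdict

# Added example, not from the post or its tools. It builds a rough call graph
# from jadx-style decompiled Java source by regex (good enough for decompiler
# output, which is consistently formatted) and searches it for paths from an
# entry point to a sink such as openConnection() or Cipher.doFinal(). The
# sample sources and class/method names below are constructed.

METHOD_DECL = re.compile(
    r"(?:(?:public|private|protected|static|final|synchronized|native)\s+)*"
    r"[\w.<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*(?:throws [\w., ]+)?\s*\{"
)
CALL = re.compile(r"\b(\w+)\s*\(")
# Control-flow words the regexes above would otherwise read as method names.
KEYWORDS = {"if", "else", "for", "while", "switch", "catch", "return",
            "new", "synchronized", "super", "this"}


def _body(src, start):
    """Text between the brace just before `start` and its matching close brace.
    Braces inside string literals are not handled; decompiled code rarely has them."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]


def build_call_graph(sources):
    """{'Class.method': {bare callee names}} for every method in the sources."""
    graph = defaultdict(set)
    for path, src in sources.items():
        cls = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        for m in METHOD_DECL.finditer(src):
            name = m.group(1)
            if name in KEYWORDS:
                continue
            callees = {c for c in CALL.findall(_body(src, m.end())) if c not in KEYWORDS}
            graph[f"{cls}.{name}"].update(callees)
    return dict(graph)


def _resolve(graph, callee):
    """Graph nodes whose method name matches a bare callee; library calls resolve to nothing."""
    return [n for n in graph if n.rsplit(".", 1)[1] == callee]


def find_paths(graph, entry, sink):
    """Every call chain from `entry` (Class.method) to a call of `sink` (bare name)."""
    paths = []

    def walk(node, path):
        for callee in sorted(graph.get(node, ())):
            if callee == sink:
                paths.append(path + [sink])
                continue
            for target in _resolve(graph, callee):
                if target not in path:  # do not loop on recursion
                    walk(target, path + [target])

    walk(entry, [entry])
    return paths


# Constructed jadx-style output: a location reporter that seals a payload
# with AES-GCM and posts it. Names are invented, not from the real app.
SAMPLE_SOURCES = {
    "com/example/track/Reporter.java": """
package com.example.track;
public class Reporter {
    private final Crypto crypto = new Crypto();
    public void onLocation(android.location.Location loc) {
        String payload = buildPayload(loc);
        upload(crypto.seal(payload));
    }
    private String buildPayload(android.location.Location loc) {
        return loc.getLatitude() + "," + loc.getLongitude();
    }
    private void upload(byte[] blob) {
        java.net.HttpURLConnection c = (java.net.HttpURLConnection) new java.net.URL("https://example.invalid/r").openConnection();
        c.getOutputStream().write(blob);
    }
}
""",
    "com/example/track/Crypto.java": """
package com.example.track;
public class Crypto {
    public byte[] seal(String s) {
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/GCM/NoPadding");
        return c.doFinal(s.getBytes());
    }
}
""",
}

if __name__ == "__main__":
    graph = build_call_graph(SAMPLE_SOURCES)
    for sink in ("doFinal", "openConnection"):
        for chain in find_paths(graph, "Reporter.onLocation", sink):
            print(" -> ".join(chain))
```

Run against a whole jadx output directory by reading every `.java` file into the `sources` dict with its relative path as the key. Resolution is by bare method name, so overloaded or same-named methods in different classes produce extra chains; that is acceptable for deciding where to hook, since a false chain costs one wasted `Java.use(...).method.implementation` in Frida, whereas a missed one costs an evening.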


This topic is intriguing. Could you please provide more information about the device and application? I'd appreciate the opportunity to examine them more thoroughly.


Sure! feel free to reach out direct; contact details in my HN profile.


Your Twitter DMs are closed, but I followed you there.


Wow amazing write up, start a consultancy and start charging to audit the privacy of apps, imagine getting paid to do this on every App Store update of Tik Tok and the like for agencies or companies auditing their apps, etc.

You are really talented, now get paid for it or open source some automated tools for getting the trail to see behind the curtain for these apps that force you to enable permissions to use them.


Hey thanks! There are quite a few static based automated tools that can help as a first run such as https://sisik.eu/apk-tool

Perhaps there are opportunities for developing easy to use dynamic analysis tools for the general population.


We need more privacy conscious talented tech folks like yourself to do the work without shortcuts. I think you should start a company doing this work with like minded folks and sell the service!


Ctrl-F "Graphene". Nobody has mentioned GrapheneOS.

GrapheneOS and a Pixel phone are about as private and secure as you can get whilst maintaining good usability of a smartphone in 2023.

Highly recommended, no affiliation.


How does it compare to CalyxOS?


Why a Pixel phone, given it's Google?


I would actually like to install a tracking/remote-control app on my own phone in case it gets stolen, but can't seem to find any app that satisfies my requirements.

I need it to be open source, not require Google Play Services and not connect to a hardcoded service, but allow me to phone home to an IP address/URL that I specify myself.

Basically, an SSH server configured with reverse tunneling, that instead of just giving me a shell, gives me a control panel to configure high-level features of Android.


With a rooted Android phone you can run an SSH server using tools available on F-Droid (like SimpleSSHD).


So what do people recommend for malware detection (at whatever degree of efficacy) on Androids these days?

Yes I know what search engines are, but I'd appreciate curated / personal recommendations, please.


Don’t place your trust in companies that have business models built on the mass collection of user data for selling targeted advertising.


Nothing.

Anyone recommending antivirus apps for your android is clueless and/or after your money.


Okay, I'm clueless. Can you condescend to explain why this is the case, and/or provide something informative to read about the subject?

BTW I really am clueless, because I've avoided owning any kind of smartphone until now.


A non answer / misdirection here may be to not go for tacking on malware detection to an already malware prone / hostile operating system, and rather start in a better position by using something like grapheneos. Having more control over what happens on the system is important to get malware in the first place. I imagine even more secure OSes will be coming out soon based on Rust, etc but the last time I checked GrapheneOS was a decent choice.


I am now educated. Thank you.



