Is my phone being tracked or spied on?
So many people worry about their phone being tracked or spied on. Every single day we hear about hacked phones or about powerful spyware detected in the wild. And we all know someone who would just love to read our messages. Or at least get access to our bank account.
So what can you do to protect your phone from being spied on?
This is a comprehensive guide for securing your phone. It will address both Android and iOS operating systems. We will also discuss the different types of mobile spyware that threaten your privacy and security.
This guide explains the types of mobile spyware and how attackers use them. We will also explain how to protect your phone from almost all spyware and how to detect active spyware on your phone.
- Mobile Spyware Is A Serious Threat
- The 3 Types of Mobile Spyware
- Consumer spyware/Creepware/Spouseware
- Government Spyware – What To Do About It?
- Full List of Measures Against Mobile Spyware
- Spyware Detection
- What To Do If Your Phone Has Spyware On It
Mobile Spyware Is A Serious Threat
Mobile spyware is software that silently works in the background of your smartphone, records everything that you do and sends it to a remote server (command-and-control server) in the cloud. After logging in to the remote server, the spyware’s operator has access to all the target phone’s activities: texts, calls, browsing, locations and more.
This is a very important point worth repeating: if mobile spyware is installed on your phone, the spy has access to ALL your text messages, WhatsApp and Facebook messages, emails, places where you’ve been and in some cases even recordings of your phone calls.
Mobile spyware is a very serious risk for your privacy and security.
The 3 Types of Mobile Spyware
There are three types of mobile spyware that could possibly infect your smartphone.
What is Consumer mobile spyware
There are multiple online vendors who are happy to sell mobile spyware to anyone with a working credit card. That’s why I call their products “consumer spyware”. Other, possibly more descriptive names are “spouseware” and “creepware”.
The best known ones are mSpy and Flexispy. Both sell relatively inexpensive spyware that costs $200-$300 a year. Once a customer completes their payment, they receive an app to download and install on the victim’s phone, and credentials for accessing the online control panel. In this control panel they will be able to view anything that the spyware has exfiltrated out of the phone: SMS messages, call logs, WhatsApp texts and everything else.
Consumer mobile spyware vendors operate in a gray legal area. In order to preserve a veneer of legality, they usually describe their products as parental control or employee monitoring software. Most of these vendors also don’t sell the most blatantly illegal features, like call recording or room bugging. However, the vendors who sell the most expensive commercial spyware include even these capabilities.
Consumer spyware is typically installed surreptitiously by a spouse, by a private detective or by somebody in the workplace. It can also come pre-installed on a brand new phone which is later “gifted” by the spy to the target in the classic Trojan horse fashion.
Consumer mobile spyware is incredibly common and poses a potential threat for everyone! We estimate the number of infections as being around 50000 monthly (based on the traffic to consumer spyware vendors which is around 3-4 million monthly visits).
Government-grade mobile spyware
It’s been known for a while that government intelligence and LEA (law enforcement agencies) use mobile spyware to monitor persons of interest. The leading government-grade spyware vendor is the Israeli NSO Group, whose spyware apps are known as Pegasus for iOS and Chrysaor for Android. But NSO Group is not the only vendor, and it’s safe to assume that whatever country you live in, that government’s security agencies use some kind of spyware.
However, chances of infection by government spyware are extremely low, because total costs of its deployment approach a six-digit number just for one device. If your data is that valuable, you should probably hire a dedicated security expert to protect it.
What distinguishes government-grade mobile spyware from its inferior consumer counterparts is the installation procedure. Unlike consumer spyware, government spyware can be installed remotely using unpublished OS exploits (zero days). In other words, they don’t have to physically have your phone in order to infect it with spyware.
Government-grade and consumer mobile spyware can be used against you by people who have an interest in you specifically. Generic spyware is distributed in a drive-by fashion by hackers in order to steal banking passwords and accounts. The hackers are not interested in you specifically.
They just infect any phone that they can.
Some generic spyware/malware snoops on banking passwords, some just wants to steal Facebook accounts and some wants to use your smartphone as a part of their commercial botnet. Trust me, you don’t want to become part of a botnet.
The good news is that generic spyware is distributed passively. You’re not specifically targeted. The way to catch it is usually to install an infected APK or browse to a drive-by download website. Protection from generic spyware is just common sense, and we will discuss it below.
People who worry about being spied on, usually have someone particular in mind.
They might worry about a spouse, another family member or someone else close to them spying on their texts and calls.
These worries are in many cases justified.
There are multiple commercial spyware products on the market today. Some of them are just simple scams, exploiting the gullible wannabe spies.
But some of them do more or less what they promise in the sales copy. The best known ones are mSpy and Flexispy, which are the more “mature” spyware products on the market.
On the lower end there are dozens of spyware products, normally following the (somethingsomething)spy.com naming convention and developed on the cheap. Some of the advertised features will work (for a while), some won’t, and the software will naturally be of low quality.
How Widespread is Consumer Mobile Spyware?
Since the human appetite for controlling others is insatiable, commercial spyware is surprisingly popular.
I have looked up the traffic statistics for all the major consumer spyware vendors on Similar Web and the results are simply staggering.
| Vendor | Monthly visits | Monthly installs | Traffic Origins |
|---|---|---|---|
| mSpy | 1,400,000 | ~14000 | US, India, France |
| Flexispy | 725,000 | ~6000 | US, Turkey, Spain |
| ikeymonitor | 147,000 | ~1400 | US, India, Brazil |
| TheTruthSpy | 1,500,000 | ~5000 | India, US, Pakistan |
| Spyera | 187,000 | 2000 | Turkey, US, Australia |
| Mobistealth | 100,000 | 5000 | US, Philippines, Pakistan |
| Spystealth | 145,000 | 1000 | Eritrea, US, India |
| Appmia | 100,000 | 800 | US, Netherlands, India |
| Highster Mobile | 20,000 | 200 | US, Argentina, Turkey |
Spyware vendors cleverly use standard online advertising to promote their products. Ironically, even on stories that denounce spyware.
That’s like advertising Absolut Vodka on a TV documentary about alcohol addiction.
Overall, mobile spyware vendors receive more than 3 million visits to their websites every month. Let’s assume that just 1% of these visitors will end up purchasing and using the spyware. It makes for 30,000 spyware downloads every month!
Unlike government spyware, consumer spyware is inexpensive. It costs $150-$350 a year, with cheaper monthly licenses available. And if the wannabe spy is not competent enough to install the thing, spyware vendors even offer online assistance sessions. For an additional $40-$50 a competent service tech will install the spyware using a remote access software tool.
How Is Consumer Spyware Installed?
To protect yourself from being spied on with commercial spyware, let’s put ourselves in the attacker’s shoes for a moment. How are these potential amateur spies supposed to use their shiny $199 spyware subscriptions? Unlike government-grade spyware, consumer spyware cannot be installed remotely.
There are four different scenarios.
1. They will take hold of the victim’s phone while the victim is away, in the shower, asleep, etc. and install the spyware by themselves or with online assistance.
2. They will buy a brand new phone, install the spyware by themselves or with online assistance (yes, spyware companies offer that as well) and gift the phone to their intended target.
3. They will hire a private detective who will purchase the spyware, install it using one of the listed options and maintain surveillance remotely.
4. If their victim uses an iPhone, they will configure mSpy with the associated Apple ID credentials. Of course, this will only work if they actually know the credentials. Once configured, mSpy will try to download iCloud backups every 24 hours and present the contained data nicely on the dashboard for the attacker to see.
After the spyware is installed, all the attacker needs to do is log in to their online control panel and see all the targeted phone’s activities: texts, calls, photos, location and anything else.
Measures Against Consumer Spyware
1. Always lock your phone. Never share your pin code / lock pattern and use something which is hard to guess.
3. As with scenario 2, be situationally aware. Don’t leave your phone out of your sight and keep it locked with a complicated password/pin code/pattern.
4. If you use an iPhone, don’t share your Apple ID credentials with anybody. If you suspect that someone knows them, change the Apple ID password immediately. Use a hard to guess password.
Government Spyware – What To Do About It?
According to (sources) infecting a single phone with spyware costs the government up to $100,000.
Government spyware is incredibly expensive! Cybersecurity vendors that sell it to governments make a killing, and it’s good for us. It means that governments can buy just a small number of licenses, so the risk of being infected by one of them is extremely low.
Of course, it’s different if you’re a known anti-government activist or a journalist. For an average person there is no risk of being spied on by an expensive spyware product, especially when cheap mass surveillance programs are already in place.
Trying to avoid government spyware with security measures brings up another challenge, depicted below by the XKCD comic:
At the end of the day, the relevant government agency can just force you to give away the data.
Typical Government Spyware Infection Methods
What differentiates government-grade spyware from the cheap garden-variety one is remote installation. Spyware vendors who develop these products spend a lot of money either on researching OS exploits or buying them from a third party. The exploits give them a way to install their spyware on a smartphone silently, without going through the usual app installation procedures. This is why they can charge their clients so much.
According to various reports, the method of choice for infecting a device with this type of spyware is making the victim click a link to a website, which will initiate an auto-download of the spyware. Targets are socially engineered (manipulated, in other words) to click these links that arrive in an attention-drawing email or a text message.
Here is a typical scenario: a journalist receives an email from an alleged whistleblower. The email tells a story and invites the journalist to click on a link to download leaked documents. Instead of the documents, the journalist’s phone will be infected with spyware.
Other, less digital, methods are in use as well:
- Target being detained by police for a short period of time. While in detention, their phone is confiscated and spyware is installed. After an hour, the target is let go. “Sorry, a misunderstanding”.
- Target is invited to the mobile operator’s service centre. “Free phone upgrade” might be promised. Government tech installs spyware in the backroom under the guise of servicing the phone.
- Target attacked by random muggers on the street. Phone is stolen and returned after a short while by a helpful police officer.
Measures Against Government Spyware
It’s hard to protect yourself from a determined and resourceful attacker such as a government agency. Still, sound security measures are always helpful.
- Don’t click on suspicious links, especially if sent by a stranger.
- Always keep your OS updated. Keep an eye on security updates. If you cannot update your device to the newest OS version, it’s a huge red flag.
- Never trust your phone to a stranger. If the phone was stolen or taken for service, assume that it’s bugged. Restore factory settings and update the OS.
- Always lock your phone with a strong password or pin-code.
- Run a good real-time malware scanner on your phone, for example Lookout.
Full List of Measures Against Mobile Spyware
These measures are the basis for protection against all kinds of spyware.
- Never click on links sent in a strange email or an SMS message.
- If you use an Android phone, never download and install APK files. Never accept APK downloads offered by a website. Only install apps from the Google Play store or another reputable app repository (like Amazon or F-Droid).
- Disable “installation of apps from unknown sources” in Android security settings.
- Enable “Verify apps” in Android security settings, so that you get a warning when spyware or other malware is being installed on the phone. It’s under Security settings in older Android versions and under Personal->Google->Services->Security in Android 6 (Marshmallow).
- Always run a security scanner on your phone. It tests all the apps installed on your phone and warns if an infected app is being installed. We recommend Lookout for both iOS and Android: it has an excellent reputation. The Free version is sufficient.
- Keep your OS updated to the latest version so that all the known security vulnerabilities are patched.
- Always keep your phone locked with a hard to guess password or code. Lock patterns are too simple. Someone close to you could easily find out your pattern, so it becomes useless.
- Make sure that the phone locks automatically after sleep, and that the sleep timeout is brief (1 minute or less). Otherwise, an attacker can install spyware on your unattended phone.
- Keep your Apple ID credentials private. Some spyware vendors offer a “no jailbreak” spying on iPhones, which means they download your data from the iCloud backups. If someone knows your Apple ID password, they can use it to spy on your backed up data. Use a hard to guess password for your Apple ID. If you suspect that your password is known to somebody, change it.
- If you receive a phone as a gift or buy a second-hand one, perform a factory reset on it and then update the OS to the latest version (if available). This will remove potential spyware on the phone.
How can you know if your phone is being spied on? What are some signs of spyware running on your phone? Here are some things you should look for:
- Check your browsing history. To install consumer spyware on your phone, the attacker has to visit a spyware download site.
See if you have any websites in your browsing history that you cannot recall. The more sophisticated spyware products will wipe the browser history after installation, precisely to avoid this detection scenario. If your browser history is inexplicably wiped without you doing so, it also might be a sign of clever spyware infection.
- Check your applications list. See anything unusual? If there are any apps that you cannot recognize, google their names and see if it’s anything malicious. This only works if your phone is NOT rooted or jailbroken, because spyware can hide its icon and itself from the application list on a rooted/jailbroken phone.
- Make sure that your phone is not rooted or jailbroken. Unless you have done it yourself, of course. To test for root on an Android phone use the free Root Checker app. On an iPhone look for the presence of an app called Cydia – it’s an alternative app store which is installed during a jailbreak. If you can find this app on your iPhone (using Spotlight search), then your iPhone is jailbroken.
- On an Android take a look at your security settings. If “installation from unknown sources” is enabled it is a huge red flag. Enabling this option is a necessary step before installing spyware on your phone.
- On an iPhone, check whether the update option appears in your iPhone settings when you know that a new iOS has been released.
If no software update is available despite you knowing that it is, it means that spyware is tricking the operating system. After an OS upgrade the spyware will get erased, so it must trick the operating system into thinking that no upgrades are available. Another reason for iOS spyware to prevent software updates is that the newest versions of iOS cannot be jailbroken. It takes time, typically a few months, until a jailbreak for a new iOS version is released. Without a jailbreak, iOS spyware is mostly useless.
- Is your phone behaving strangely? All kinds of unusual behavior are a telltale sign for the presence of spyware:
- Because spyware is always active in the background it tends to use up a lot of battery charge. If you notice that your battery drains quicker than usual, or the phone tends to get hotter than usual, you might have spyware running in the background.
- Spyware is often controlled remotely with codes sent in SMS. If you receive strange SMS messages with gibberish, it can mean that somebody is sending remote commands to the spyware app on your phone.
- Advanced spyware apps are able to let an attacker intercept your phone calls as they happen. They connect the attacker as the third party of a “conference call”, allowing them to listen to your conversation. If you often hear strange noises, clicks and other random stuff in your phone calls, someone might be spying.
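Two of the Android checks above (unknown sources enabled, apps you cannot recognize) can also be run from a computer over adb. The following is an added example, not part of the original guide: it parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure install_non_market_apps`, here using constructed sample output. It assumes Android 5 to 7, where unknown sources is a single system setting; the function names and the trusted-installer list are illustrative.

```python
import re

# Installer package names of the stores the guide treats as reputable.
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play
    "com.amazon.venezia",   # Amazon Appstore
    "org.fdroid.fdroid",    # F-Droid
}

# One line of `pm list packages -3 -i`: package:<name>  installer=<name|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.systemservice  installer=null
package:org.fdroid.fdroid  installer=com.google.android.packageinstaller
"""
SAMPLE_UNKNOWN_SOURCES = "1\n"


def parse_packages(pm_output):
    """Return {package: installer}, with None when no installer is recorded."""
    apps = {}
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installer = match.group("installer")
            apps[match.group("pkg")] = None if installer == "null" else installer
    return apps


def audit(pm_output, unknown_sources_value):
    """Return (kind, detail) findings that deserve a manual look."""
    findings = []
    if unknown_sources_value.strip() == "1":
        findings.append(("unknown-sources",
                         "installation from unknown sources is enabled"))
    for pkg, installer in sorted(parse_packages(pm_output).items()):
        # Anything not installed by a trusted store was sideloaded from an APK.
        if installer not in TRUSTED_INSTALLERS:
            detail = f"{pkg} (installer: {installer or 'none recorded'})"
            findings.append(("sideloaded", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PM, SAMPLE_UNKNOWN_SOURCES):
        print(f"[{kind}] {detail}")
```

A flagged package is not proof of spyware: in the sample, F-Droid itself is flagged because it was installed from an APK. Treat each finding as an app name to look up, as described above.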
What To Do If Your Phone Has Spyware On It
First of all, if you’re sure that your phone has spyware installed on it, you have to back up all your data and perform a factory reset.
The next and the most difficult thing is to change all your important passwords. Spyware logs all your passwords and makes them known to the attacker. Even after you’ve removed the spyware from your phone, an attacker will be able to simply log in to your email, Facebook and other important accounts. That’s why you have to change all your passwords and make sure new passwords are hard to guess. Use a password manager to create completely random passwords without memorizing them.
Mobile spyware is a very widespread security threat. Governments spying on citizens tend to be in the limelight, but consumer spyware and generic malware are much more common threats. Everybody has to understand how his devices can be infected with this threat, and protect them accordingly.
Have questions about this guide? Please share your feedback in the comments.