A Plague Against Privacy – A Deep Dive Into Spyware

This information can be relayed to a number of different entities. Very often, these are advertisers or big data companies. In more malicious cases, it could be sent to private servers belonging to a lone hacker, or hacking group.

At times, the definition of Spyware can tread a line between morally black or white. Employee monitoring software, for example, while installed for innocuous reasons, can be considered a form of Spyware. Every form of Spyware has the potential to be abused or twisted for truly malicious purposes.

When it comes to hackers or hacking gangs that deploy spyware, the purpose is very often to steal credit card numbers, banking information, or passwords. With passwords, Spyware may act as the initial stage of a larger breach into a network, such as a corporate network hack.

One special category of spyware that is unfortunately becoming more common is known as stalkerware. This spyware is secretly installed onto a smartphone by ex-partners or jealous spouses, can can track the physical location of the victim. More sophisticated strains intercept emails and texts, and can record phone calls. Worryingly, there has also been an increase of individuals who are on child abuse registers using stalkerware.

Spyware leaves a much smaller footprint than its malware siblings such as Ransomware. Thus, it can be more difficult to detect. Those who have a keen familiarity with their device may notice a slow down in processing power or network connection. For mobile devices, data usage and battery usage often spike when Spyware is installed.

Some spyware can be blunt in announcing its presence. For example, some strains will change the default browser to one more easily monitored, which is also a feature of adware. If you notice your browser has been changed, this is a clear sign you are infected with spyware or adware.

Like other forms of malware, Spyware is deployed using a range of attack vectors. It can hide in apps, websites, and most commonly, in a phishing email.

Truly sophisticated spyware can be devastating to an individual or business. With enough personal information gathered, identity theft can happen, as well as siphoning of bank accounts. This information is usually sold on to third parties, especially buyers on the dark web.

Like Ransomware, advanced Spyware can make modifications to firewall settings, which can allow additional payloads – As mentioned previously, Spyware is often the first in a barrage of cyberattacks. It can sometimes be considered as an attack in a reconnaissance stage.

Spyware has many variations – Stalkerware, adware, keyloggers, trojans, browser hijackers, and more.

Adware are usually bundled with free software, shareware, and very often with utility software pretending to be ‘cleaners’ and the like. Adware is the most common form of malware, and many internet users have had some interaction with it. At its core, Adware involves showing the user intrusive ads over and over. It has become harder to detect with the advent of Windows 10 and desktop notifications, which adware can easily masquerade as.

Keyloggers, above all other spyware, straddle the malicious/innocuous line the most. Keyloggers track what has been typed on a keyboard or mobile device. There are many legitimate companies who develop keylogging software and sell it to businesses, to install on worker laptops. It is so common that employees who are given a device, especially a laptop, from work should assume that there is keylogging software installed. It is also used by parents as well as law-enforcement agencies. Of course, it has an obvious malicious use too. A user with a keylogger may be typing in all kinds of sensitive information, unaware it is being siphoned to a hackers server.

In this article, we’ll look at some of the biggest Spyware stories that have occurred in recent months.

IM5 Spyware Used By Domestic Violence Offenders

In recent weeks, authorities in Australia arrested a man charged with developing and selling a spyware tool named Imminent Monitor (IM5), which was used to spy on victims’ devices remotely.

​IM5 was sold to 14,500 individuals across 128 countries. Of particular worry is that a large portion of the buyers are on a register of domestic violence offenders.

“A statistically high percentage of Australia-based PayPal purchasers of IM RAT (14.2%) are named as respondents on domestic violence orders. Additionally, one of these purchasers is also registered on the Child Sex Offender Register,” reads a press release by the authorities.

“Of the 14 individuals, 11 bought the RAT during the active period of their domestic violence order (DVO) or within two years a DVO was issued.”

IM5 first hit the digital shelves in 2013, and it is believed the man behind the spyware made nearly half a million AUD from the illicit sales. He faces six charges with a maximum penalty of 20 years imprisonment.

IM5 was first marketed across hacking forums, as well as on a dedicated website.

The spyware was sold as a remote administrator tool which could be purchased for as little as $25 for a lifetime license, which included customer support.

The website seemed as if the product it was selling was a legitimate tool, and not illegal. The man behind it promoted the tool under the alias ‘ShockWave’

In April 2019, a member of the hacking forum that IM5 was advertised on advised other posters that ShockWave had gone missing, and was likely arrested. This caused a panic amongst buyer, who feared they would face legal action due to their use of the spyware.

Months later, Europol announced the seizure of over 430 devices that were involved in the IM5 operation, and the seizure of the website itself. The domain has since been sold on to a Vietnamese news aggregation company.

During the operation, Europol cut the IM5 servers, and arrested 13 of its most active users. Search warrants were also used to arrested a developer and another IM5 employee in Belgium.

It is believed that the Australian Police were aided by cybersecurity researchers from Palo Alto Unit 42.

Process Manager, The Spyware Hiding in Plain Sight

In recent months, cybersecurity researchers identified a new Android-based spyware known as ‘Process Manager’. Interestingly, Process Manager shares the same infrastructure used by Russian state-sponsored hackers Turla. Turla, over the years, have been known to target American and European networks for the purposes of espionage.

Though it is not fully clear at present how Process Manager is distributed, it does use a novel approach for cover. The .APK itself uses a gear-shaped icon, and pretends to be a system component on the victims device.

For those who are perhaps a little more cautious about app permissions, including those that appear to be a system component, suspicion may be raised when the app prompts permission for a number of access points. The list is quite extensive, as follows:

• Access location
• Access network state
• Access WiFi state
• Camera
• Foreground service
• Internet
• Modify audio settings
• Read call log
• Read contacts
• Read external storage
• Write external storage
• Read phone state
• Read SMS
• Receive boot completed
• Record audio
• Send SMS
• Wake log

Within the context of this article, it is clear that this list of permissions is excessive, but in day-to-day life many smart users given apps permissions without a second thought. To give any app this many permissions is effectively a death sentence on device privacy – It would allow the app to view location, send and read texts, access storage, control the camera, and record audio.

Worse yet, Process Manager may be capable of abusing Android Accessibility services and granting itself all these permissions, while bundling the prompts into one simple prompt for the user.

In a subtle move, after receiving permission, the icon for Process Manager will vanish from the users phone. There will occasionally be notifications stating ‘Process Manager is running’, which would seem normal to many smart phone users.

This is a somewhat strange move. Many strains of spyware strive to be completely hidden within a device. However, the developers behind Process Manager seems to keen to be ‘hidden within plain sight’

The information collecting by Process Manager includes lists, logs, SMS, recordings, and event notifications. These are sent in JSON files to the C&C server, which is located in Russia.

As stated, the attack vector is unknown. However, if the developers are indeed Turla, it is likely a mix of social engineering and phishing, as well as watering hole attacks.

Researchers at Lab52 found that Process Manager is also able to additional payloads to the infected device. In one case, they found the app downloading an app directly from the Play Store. The app in question is named “Roz Dhan: Earn Wallet cash”. The app is popular, with over ten million downloads, and features a money-generating referral system. It’s ties with Process Manager of course casts some doubt over its legitimacy.

This fact also suggests that Process Manager may be part of a larger, shared attack campaign.

At the end of their report, Lab52 did have doubts about the connection with Turla.

“So in this report, we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities,” explain the Lab52 researchers.

A Flurry Of Attack Campaigns

Researchers at Kaspersky uncovered a number of large-scale, linked spyware campaigns that target industrial enterprises. It is believed the campaigns are being run by a single entity. In each stage of the campaign, the threat actor has used off-the-shelf, Malware-As-A-Service tools. However, each tool has only been employed for a very limited time, as a means to evade detection.

Some of the spyware tools used in the campaign include AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.

In their report, Kaspersky called the spyware attacks ‘anomalous’ due to their flash-in-the-pan lifespan, compared to what is regular in the spyware space.

Each tool is used for 25 days, approximately. The majority of spyware campaigns use the same tools for months, and very oftentimes years – As seen with IM5 earlier the article, which last nearly a decade.

The threat actor is clearly cautious. The attacks in each campaign are always limited to a number below one hundred. Half of these attacks are against ICS (integrated computer systems) machines deployed in industrial environments.

Researchers pointed out that the hackers use stolen employee credentials they acquire via spear-phishing to dig deeper into the network.

Additionally, they used previously compromised corporate mailbox as C2 servers to new attacks, making detection a challenge.

“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.”, said researchers.

Kaspersky identified at least 2,000 corporate email accounts abused as temporary C2 servers. A further 7,000 email accounts were used in other ways.

These credentials are a hot commodity on the dark web, and are often sold to other threat groups. This can make tracking attacks difficult, as the credentials may change hands several times.

Very often, the buyers are Ransomware operators, who use the credentials to deploy their payloads.

Typically, these listings trigger the interest of ransomware actors who use RDP access to deploy their devastating malware.

Apple has issued a warning to US Department of State employees stating that their iPhones were hacked by unknown attacks in order to deploy Pegasus Spyware. Pegasus was developed by Israeli surveillance firm NSO Group.

According to the Washington Post, the attacks hit at least 11 US officials. The officials were based in, or focused on issues concerning Uganda.

NSO has since canceled the customer accounts behind the attacks, and promised to investigate. NSO declined to name the suspended customers.

“On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have,” an NSO spokesperson separately told reporters.

“To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case.”

The attacks come just after the US sanctioned NSO Group, as well as companies from Russia and Singapore for spyware development, and selling spyware tools used for state-sponsored hackers.

“Specifically, investigative information has shown that the Israeli companies NSO and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers,” reads a ruling from the Department of Congress.

Last year, Apple separately filed a lawsuit against NSO for spying on Apple users.

Apple have since notified any of its users that were targeted by Pegasus Spyware.

Spyware Masquerading As Lifestyle Apps

An ongoing spyware campaign, dubbed ‘PhoneSpy’, continues to target South Korean users via a range of lifestyle apps. These apps nest within the device and quietly exfilitrate data.

The spyware is capable of stealing sensitive information, as well as taking over the phone’s microphone and camera.

Researchers at Zimperium discovered the spyware campaign, and reported their findings to both US and South Korean authorities.

PhoneSpy wears plenty of masks, and can come disguised as a yoga app, the Kakao Talk messaging app, an image gallery browser, a photo editing tool, and more.

Researchers identified 23 PhoneSpy apps in total, all which run in the background, spying on the users.

To do so, PhoneSpy asks for a number of permissions, which only cautious users would see as a sign of trouble.

When PhoneSpy has infected a device, it can carry out many actions, including:

• Fetch the complete list of the installed applications
• Uninstall any application on the device
• Install apps by downloading APKs from links provided by C2
• Steal credentials using phishing URLs sent by C2
• Steal images (from both internal and SD card memory)
• Monitoring the GPS location
• Steal SMS messages
• Steal phone contacts
• Steal call logs
• Record audio in real-time
• Record video in real-time using front & rear cameras
• Access camera to take photos using front & rear cameras
• Send SMS to attacker-controlled phone number with attacker-controlled text
• Exfiltrate device information (IMEI, Brand, device name, Android version)
• Conceal its presence by hiding the icon from the device’s drawer/menu

PhoneSpy uses many attack vectors, but mostly phishing. These phishing campaigns mimic login portals for Facebook, Instagram, Kakao, and Google.

The hijacked apps themselves are not uploaded to the Google Play Store.

It is believed that infected devices are used for SMSishing, as PhoneSpy can access a users contacts. This leads to follow-on infections, and the amount of devices infected can increase exponentially.

Though PhoneSpy seems limited to South Korea, several similar campaigns are often seen within the US and Europe, and the wider world.

FakeCop, one of the most infamous strains of Spyware, has a new variant which was spotted by cybersecurity researchers in Japan. Researcher Yasuke Osumi warns that the distribution of the malicious APK is growing exponentially.

A new variant of the Android info-stealer called FakeCop has been spotted by Japanese security researchers, who warn that the distribution of the malicious APK is picking up pace.

The spyware variant is being distributed via phishing campaign which impersonates KDDI, a Japanese telecommunications company.

Worryingly, the malware is only detected by 22 out of 62 Antivirus platforms on VirusTotal, showing a sophistication behind its design.

Cybersecurity firm Cyble found the spyware to be masquerading ‘Anshin Security’, which is a popular Antivirus in Japan.

Cyble listed the features of the spyware in their report as follows:

• Collect SMSs, contacts, accounts information, and apps list
• Modify or delete SMSs in the device database
• Collect device hardware information (IMEI)
• Send SMSs without the user’s knowledge

Because these permissions are requested by what looks to be an Antivirus, users are more likely to accept them.

The hackers behind the malware also use a custom packer to conceal the actual behavior of the app, which is also used to evade detection.

FakeCop also scans the device app list, and if an antivirus is found, it pushes a notification requesting the user uninstall it.

The hardcoded Antivirus solutions that malware will prompt users to remove include Anshin Security, McAfee Security, and the Docomo Anshin Scan.

Cyble found the most common attack vectors were SMSishing and email phishing.

Spyware Prevention

Though we live in an age where digital privacy has taken a spotlight, Spyware is without a doubt on the rise. Not only is it popular with non-hackers, more and more strains have become so sophisticated that detection can be extremely difficult.

Due to the increase of infections, the US National Counterintelligence and Security Center (NCSC) and Department of State released a joint statement regarding Spyware earlier this year. The purpose of these guidelines was to defend against spyware infections, especially those that use over-the-counter commercial tools.

“Companies and individuals have been selling commercial surveillance tools to governments and other entities that have used them for malicious purposes,” the two US government agencies said.

“Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.”

“In some cases, malign actors can infect a targeted device with no action from the device owner. In others, they can use an infected link to gain access to a device.”

The two entities listed measures to prevent Spyware attacks:

• Regularly update device operating systems and mobile applications.
• Be suspicious of content from unfamiliar senders, especially those which contain links or attachments.
• Don’t click on suspicious links or suspicious emails and attachments.
• Check URLs before clicking links, or go to websites directly.
• Regularly restart mobile devices, which may help damage or remove malware implants.
• Encrypt and password protect your device.
• Maintain physical control of your device when possible.
• Use trusted Virtual Private Networks (VPN).
• Disable geo-location options and cover cameras on devices.

Infection can always happen, no matter what steps are taken. However, it is critical that individuals and businesses take a best-practice approach to mitigate as much risk as possible.

SaferNet, our cybersecurity-focused VPN, was created to mitigate risks around threats such as Spyware, as well as other malware types like ransomware and remote-access-trojans. While many popular VPNs focus purely on location spoofing, at SaferNet we believe that this is not the full potential of what a VPN can do, and so we developed our platform to provide our users with best in class, 24/7 protection.