Mobile surveillance apps and programs remain prevalent in the free apps we use every day. The problem mainly affects Android users, but jailbroken iPhones are victims as well. As of this writing, Android represents about 85% of all smartphones sold worldwide, which makes it a much larger attack surface for bad actors.
First, Some Background
The main difference between Android and iPhone apps lies in the marketplaces. Google allows third-party marketplaces, while iPhones use a store controlled by Apple (a walled garden). Every app coming through the App Store has to be approved by Apple. This has pros and cons depending on who you ask, but it undoubtedly gives Apple more control over the security of the apps.
A jailbroken iPhone is one where the owner has performed an unapproved action to unlock the phone from Apple's control, which allows unapproved third-party marketplaces and apps to be installed.
Many Android users love the open architecture of the platform and its ability to use multiple sources for apps and content. That very openness is what exposes those phones to more security risks.
Back to the Spying
While at Black Hat this week I attended a lot of sessions on privacy and surveillance. This does not directly apply to our company, but I am very interested in it personally. I also spend a lot of time working with parents on protecting their kids online.
A large number of cyber security people are also interested in privacy. The short reason is that when you share data, use social media, allow location tracking, and grant access to your data, you open yourself up to more security risks. You are creating a larger attack surface for someone to steal your identity, manipulate you, phish you, or worse. So to me, privacy and security are related.
Free apps often come with a large price tag. The Terms of Service (ToS) often give the app makers access to your private data and other information you may not be aware of. One example is Angry Birds. This popular app collected so much information that intelligence agencies reportedly harvested the data the app sent to advertising networks rather than hacking individual users to get information on private citizens, and why not? The plethora of data Angry Birds collected was impressive, all while you were shooting birds at green pigs.
Some of these "free" apps can also come with surveillance software bundled in behind the scenes, secretly stealing even more information. After extensive research into the surveillance packages currently on the market, here is what attackers can get from your Android phone:
- Turn on Microphone and Record Audio
- Track Device Location (Current and Historical)
- Record Screen Through Applications Like WhatsApp
- Drop Calls From Blacklisted Numbers
- Get Device Information (IMEI, Phone Number, Battery Life, Storage Usage, Etc.)
- Record Keystrokes (to steal passwords)
- Access Videos and Music
- Read and Delete Text Messages
- Retrieve Contacts
- Get Further Instructions
So how is all this possible on an Android phone? You allow it. Android prompts you to grant the app access to this information (at install time on older versions, and the first time a feature is used on newer ones), and most users just tap Allow. Capabilities that go beyond the normal permissions, such as recording the screen or capturing keystrokes, likewise come from a prompt you accept: approving screen capture, or enabling the app as an accessibility service in Settings. So to reiterate the point, this software is not an exploit. You are allowing it.
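Since the permission prompt is the whole security boundary here, the practical check is to look at what an installed app has actually requested and been granted before deciding to trust it. The following is an added example, not code from the original post: a small Python triage script that parses the text of `adb shell dumpsys package <package>` and maps the permissions it finds to the capabilities listed above. The package name `com.example.freegame` and the dump embedded below are constructed sample input that only approximates the real layout, and the permission-to-capability mapping is this example's own reading of what each permission enables.

```python
"""Triage the permissions an installed Android app has requested and been granted.

Added example, not from the original post. Input is the text of
`adb shell dumpsys package <package>`; the sample below is constructed.
"""
import re

# Real Android permission names, mapped (by this example) to the capability
# each one gives a surveillance app from the list above.
CAPABILITY_BY_PERMISSION = {
    "android.permission.RECORD_AUDIO": "turn on microphone and record audio",
    "android.permission.ACCESS_FINE_LOCATION": "track device location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "track location while the app is closed",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "retrieve contacts",
    "android.permission.READ_PHONE_STATE": "get device info (phone number; IMEI on Android 9 and earlier)",
    "android.permission.READ_EXTERNAL_STORAGE": "access videos, music and photos",
    "android.permission.INTERNET": "send collected data off the device / fetch further instructions",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start automatically at boot",
}

# A permission line, optionally followed by ": granted=true|false, flags=[...]".
PERM_RE = re.compile(r"^\s*([\w.]+\.permission\.\w+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return (requested, granted): a set of names and a name -> bool map."""
    requested, granted = set(), {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):
            # A header line opens a new section of the dump.
            if stripped == "requested permissions:":
                section = "requested"
            elif stripped in ("install permissions:", "runtime permissions:"):
                section = "granted"
            else:
                section = None
            continue
        m = PERM_RE.match(line)
        if not m:
            section = None  # any other line ends the current section
            continue
        name, state = m.group(1), m.group(2)
        if section == "requested":
            requested.add(name)
        elif section == "granted" and state is not None:
            granted[name] = state == "true"
    return requested, granted


def triage(text):
    """List (permission, capability, status) for surveillance-relevant permissions."""
    requested, granted = parse_dumpsys(text)
    findings = []
    for perm in sorted(requested):
        capability = CAPABILITY_BY_PERMISSION.get(perm)
        if capability is None:
            continue
        # A runtime permission the user has not been asked for yet is absent
        # from the granted sections: the prompt is still to come.
        state = granted.get(perm)
        status = {True: "GRANTED", False: "denied", None: "not yet decided"}[state]
        findings.append((perm, capability, status))
    return findings


def surveillance_score(findings):
    """Number of surveillance-relevant permissions the user has actually granted."""
    return sum(1 for _, _, status in findings if status == "GRANTED")


# Constructed sample approximating `adb shell dumpsys package com.example.freegame`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.freegame] (a1b2c3d):
    userId=10123
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_DUMPSYS)
    for perm, capability, status in findings:
        print(f"{status:>15}  {perm.split('.')[-1]:<24} {capability}")
    print(f"\n{surveillance_score(findings)} surveillance-relevant permissions granted")
```

To run it against a real device, save `adb shell dumpsys package <package>` to a file and pass its contents to `triage`. One caveat: keystroke capture through an accessibility service does not appear in this permission list at all, so the enabled services under Settings > Accessibility (or `adb shell dumpsys accessibility`) are worth checking separately.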
Why do they want this data? So they can sell it. That is how they pay for the apps. You are not the customer, you are the product. They are selling you and your identity. So next time you want to grab a free app, think carefully.