The Spyware that Flies Under the Radar

Credit: Antoni Shkraba via Pexels

While government spying grabs headlines, apps that secretly eavesdrop on and track victims are an ongoing issue. What’s more, these apps are poorly made and managed, leaving targets data exposed.

The Vulnerability Common Across Several Stalkerware Apps

Stalkerware, also known as spyware, is a type of app marketed for consumers who want to secretly track someone online, often a spouse or child. It needs to be physically installed on the target device to monitor the behaviour of the user who is being spied on. A victims and survivors support group was launched in 2019 and stalkerware was banned from the Google Play Store in 2019, with mixed results.

TechCrunch found some 400,000 user’s private data was exposed through the flaw when it conducted a worldwide investigation spanning several months. Highly sensitive user data was exposed through a security flaw in several spyware apps including browsing history, photos, location data, text messages, records of phone calls and call recordings.

An application program interface vulnerability can exist when there are few or no safety protocols in place. The issue is explained by Carnegie Mellon University. “The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.”  

An IDOR flaw can leave user’s personal data open to exploitation on the developer’s data center. While IDORs are easy to fix at the server level, the spyware apps in question are poorly managed and badly built. Not only do they share the same code and web dashboards, but they are also routed through the same infrastructure.

Why Server Storage is a Vulnerability

A server controlled by 1Byte, based in Vietnam, was found to be the common link in the nine related spyware apps. Because the apps share the same server, they also have the same exposure. TechCrunch revealed efforts to resolve the security flaw was ignored by both the web host for the spyware apps and the back-end server operations.

One of the key features about ChatMail encrypted phones is our proprietary approach to data storage. Your messages are stored on your encrypted phone. We never store your sensitive information on our servers. The only data we keep is your username, account activation date, and expiry date.

How To Protect Yourself from Coding Vulnerabilities

The impact of an IDOR is wide reaching. “An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.”

Having an encrypted device designed from the ground up to maximize privacy ensures protection against this type of vulnerability. Myntex products are deliberately incompatible with third-party apps because of the various security risks they introduce.

Most apps ask for an excessive number of permissions, and users often grant this permission without much examination. Third-party apps may sell user data to other affiliates, as outlined above. They may also store information insecurely on servers, which is also what happened here.

Is There Spyware on Your Phone?

TechCrunch couldn’t reveal specific details about the vulnerability because it would further risk compromising people who are currently unaware that their phones have been breached. The spyware is designed to be covert, not appearing anywhere on your home screen.

Change your setting on Google Play to prevent any further data theft, though this won’t address any information already stolen. Also, check your accessibility settings to see if they’ve been tampered with or altered.

Accessibility features rely on wide access to your phone by design. If you don’t recognize downloading a service in the accessibility options, delete it. You may need further research to clarify how to do these processes since spyware is designed to be difficult to identify and remove.

The safest thing you can do is avoid using a phone with these vulnerabilities in the first place. The most secure open communication platforms let you use them without stress about information breaches or take the time necessary to become an expert on tracking and removing spyware.

Installing spyware requires the perpetrator to have physical access to their victim’s phone. Anybody is liable to leave their phone unlocked or use a weak password. Myntex phones have a notebook lock screen with a customized pin.

Everything Needs to Be Encrypted

On the surface, 1Byte looks like a normal software start-up. They have a Facebook group showing people, supposedly employees, sharing team dinners and other activities colleagues typically engage in. They went to elaborate lengths to hide their own identities and the connections between various apps that are all essentially the same spyware.

The many obfuscating layers between the spyware creators put in place only reinforce how necessary it is for every aspect of the phone to have military-grade encryption for messages, phone conversations, and even pictures.

Legal Gray Area

Technically, possessing spyware is not illegal, so the government has its hands tied. The US government has taken rare action against people who illegally plant spyware solely for intercepting a person’s communication because they break national wiretapping laws.

However, enforcement powers are severely limited because global spyware operators are out of their jurisdiction. Eliminating these types of risks isn’t as simple as flicking a switch, even if everyone agrees it’s a flagrant privacy violation.

The hackers and data thieves are usually one step ahead of law enforcement and at least two steps ahead of ordinary, unsuspecting people just trying to use their phones. It may seem counterintuitive since everyone agrees that privacy invasion is a type of theft that ought to be illegal, but law enforcement doesn’t have many tools at their disposal.

It’s understandable that most people associate data theft and privacy breaches with the high-profile stories about spyware created by governments and sold to other governments worldwide. Cyber and digital election interference also draw a lot of eyeballs. Many people in diverse fields like journalism, politics, business, and activists need to protect themselves from every privacy threat, even the ones that fly under the radar.