Malware and Stalkerware Pandemic
The threat of malware, spyware and ransomware are all likely familiar to most tech-savvy UK users. With over 78% of UK adults now owning a smartphone, the treasure troves of personal data that these devices hold, is strangely underappreciated.
When taking into consideration that 77% of all UK workers have never received any form of information security training from their employer, it’s unsurprising that the threat of cyber security attacks not only jeopardise the confidentiality, integrity, and accessibility work-place information, but also the that of users’ personal information. Malware is a persistent threat that can affect every aspect of our digital lives.
Malware is hardly a new threat and has been developed and utilised by hackers, opportunists and cyber-criminals for decades, though what’s changed recently is the consumer availability of so-called ‘Stalkerware’.
Stalkerware is a type of spyware designed to allow the perpetrator access to the targets most private and supposedly secure information. Often sold on the open market under the partial pretence of being designed for ‘parent-child monitoring’ or other relatively innocuous purposes, the opportunity for misuse has not gone unnoticed within the information security community.
Over an eight-month period, cyber security company Kaspersky identified over 500,000 cases of stalkerware on users’ devices, or attempts to install it. Representing a 373% increase from the same time period in 2018, the prevalence of such software has even prompted the ire of hacker groups.
In the last few years, several of the companies responsible for the distributing of this spyware have been actively targeted by anonymous hacking groups in attempts to disrupt the unethical business practices of those profiting from the surveillance of partners, spouses and other non-consenting parties.
Surveillance and Security
Unsurprisingly, these companies that disregard privacy as a business also don’t place a huge amount of emphasis on protecting the ill-gotten information whilst it is in their possession. In one attack, hackers reportedly managed to gain access to thousands of users’ data, as well as managing to delete massive amounts of data from the company’s servers.
The idea of not only having your personal information and communications monitored, but also having that data insecurely stored online, is obviously a deeply disturbing thought for any user. It’s at this point you may be asking, how is this legal?
The Market for Spyware
You’ll be glad to hear that as of now, spyware is prohibited by most major app stores (including Apple’s and Google’s), though as mentioned, many examples of this type of software are marketed as ‘security’ products.
Earlier this month, the American Federal Trade Commission (FTC) announced that has been barred from selling its monitoring product, unless they take action to ensure their apps are used only for legitimate purposes. How they would do so, remains unclear.
“You are solely responsible for how you use the software, & for complying with all relevant laws”
Flexispy - Terms of service.
In terms of legality, within Europe the gathering of personal data without explicit consent is illegal under the GDPR, and thus, to covertly install any of this monitoring software would potentially result in serious in serious jail time for the offender. Though to what extent that deters would-be digital stalkers is ambiguous, especially considering the relative ease with which stalkerware can be purchased.
How Stalkerware Works
Like any software, different developers take different approaches, the stalkerware market being no exception. When it comes to these data privacy nightmares, there are three main methods that are used to spy on targets.
Firstly, and perhaps the most legitimate, is the installation of a visible app that captures basic information such as location, data usage and call logs. Though this would obviously be a gross invasion of privacy when a non-consenting party is the victim, this method is at least a believable method for concerned parents keeping an eye on their children.
Secondly, the most ‘low-tech’ of options, is to compromise a victims iCloud account and monitor only the information being remotely backed up. Often with this method, attackers remove 2FA to minimise the chances of detection and is again, a serious invasion of privacy.
Finally, is the far more invasive method by which the nefarious party gains physical access to the victim’s phone in order to ‘jailbreak’ the device. Thereby replacing the iOS (Apple only) with a variation that may look the same but allows stalkerware to siphon off data from messaging applications, call logs, photographs and much more.
Even allowing for the possibility of remotely monitoring the victims microphone, this option is the most dangerous, as it not only steals a victim’s data, but fundamentally weakens the device’s security, opening the doorway to further attacks.
The Basics of How to Avoid Malicious Software
The following methods for stalkerware avoidance are not only applicable to this category of malware but can be used to improve the information security practices of any individual, in both their personal and professional lives. And though not an exhaustive list of precautions, all will help to reduce the chances of malware infection.
Password Security – Passwords and login information to sensitive accounts should not be shared with anyone. Passwords should also be sufficiently complex, novel and stored in a secure password manager. When available 2FA should also be used to help maintain account integrity.
Security Apps – If you think you are at particular risk, malware detecting applications are available that will alert users to any unwanted programs being run on the device or any compromising security issues.
Device Security – As well as keeping your device password protected, it’s advisable to keep your device secure and on your person as much as possible. Not only effective for theft prevention, this also limits the opportunity for anyone seeking to install malicious software.
If you’d like to know more about malware, password best-practices and a variety of information security issues see our blogs or get in touch below.
*It should be noted that if you suspect that your devices are being monitored, this should be treated with all due seriousness. As a criminal offense, you should take all available evidence of electronic surveillance to law enforcement authorities.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
How can simulated phishing attacks improve your organisation's security awareness? Blog from information security awareness training provider Hut Six.
The CIA triad consists of three principles upon which professionals typically focus. Blog by Information Security awareness training provider Hut Six.
Will Certificate Transparency Help to Rebuild Confidence in Certificate Authorities? Blog by information security training provider Hut Six Security
In 2018 it was discovered thousands of websites had been hijacked by crypto-mining code, known as a "Cryptojacking" attack. Including UK Gov and ICO websites.
Spear Phishing Part 3: With 50% of receivers clicking on an attachment or link, users are 10 times more likely to make this mistake than with generic phishing emails.
Can the introduction of the confirmation of payee requirement reduce APP scams? Blog by cybersecurity awareness training provider Hut Six.
Spear phishing is one of the most effective ways of gaining sensitive information. These highly targeted attacks use your personal information against you.
Human Rights and the Growing Surveillance Economy: Surveillance capitalism can mean your information being sold to the highest bidder. Blog by Hut Six
HP firmware issue: The technology manufacturer Hewlett Packard has announced a firmware issue that could affect thousands of enterprise users. SSDs sold by the company are at risk.
How is a spear-phishing email created? Cybersecurity blog from information security awareness training provider Hut Six Security.