Digital Espionage: Understanding the Value of Smartphones and Apps

The CyberPrivacy Brief:

By Marilia Wyatt

  • As desktop security matures, mobile devices could become prime targets for attackers looking for access to valuable data and influence.
  • Executives could be uniquely at risk for mobile espionage attacks because they have access to the crown jewels of their company.

Mobile Phones Are Used as a Primary Attack Platform

A January 2018 report by mobile security firm Lookout and the Electronic Frontier Foundation revealed that spyware installed on mobile phones apparently stole troves of confidential data, including personal data, from thousands of unsuspecting victims in more than 20 countries. They called the campaign ‘Dark Caracal.’

Source: Lookout/Electronic Frontier Foundation, 2018

Not only was Dark Caracal able to cast its net wide, it was also able to gain deep insight into each of the victim’s lives. It did this through a series of multi-platform surveillance campaigns that began with desktop attacks and pivoted to the mobile device. Stolen data was found to include personal messages and photos as well as corporate and legal documentation. In some cases, screenshots from its Windows malware painted a picture of how a particular individual spent his evenings at home.

Dark Caracal Cyber-espionage at a Global Scale, 2018

Social Engineering Was a Major Component in Dark Caracal Campaign

Attackers reportedly lured specific victims into downloading the fake apps through spear phishing messages sent from fake Facebook personas and popular communication apps. The messages directed targets to a phony app-store-like page (a watering hole) that the attackers controlled and that hosted the malicious Android apps. The watering hole distributed malware called Pallas through the trojanized apps.

Figure 16. Shows Dark Caracal’s watering hole – the page looks like a regular page, but it’s phony and contains malicious apps controlled by the attacker.
Source: Lookout/Electronic Frontier Foundation, 2018

No Exploits Were Needed to Steal Mobile Data

Attackers compromised phones and accounts by relying on unwitting users to download fake Android apps. They retrieved the confidential data through the app permissions or privileges that unsuspecting users granted when they installed the malicious spoofs of the privacy and messaging apps Signal and WhatsApp.

The Victims Could Not Tell They Were Under Attack

The malicious spoofs installed on the mobile devices worked like the legitimate apps, sending and receiving messages, but also provided functionality to retrieve photos, audio, location data and more.
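Because the spoofed apps behaved like the real ones, a defender has to check where an app came from rather than what it appears to do. The following added example (not from the Lookout/EFF report or this brief) triages a constructed app inventory, such as an MDM export, by installer source and signing certificate; the record fields, sample devices and pinned fingerprints are assumptions and placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add a managed store if used

# brand -> (expected package name, pinned signer SHA-256). The fingerprints are
# PLACEHOLDERS: pin values taken from a copy obtained from the vendor.
PINNED = {
    "signal": ("org.thoughtcrime.securesms", "PLACEHOLDER_SIGNAL_CERT_SHA256"),
    "whatsapp": ("com.whatsapp", "PLACEHOLDER_WHATSAPP_CERT_SHA256"),
}

@dataclass
class AppRecord:               # hypothetical inventory row
    device: str
    label: str                 # name shown to the user
    package: str
    installer: str | None      # None when the APK was sideloaded
    signer_sha256: str

def findings(app: AppRecord) -> list[str]:
    """Return provenance problems for one installed app (empty list = clean)."""
    out = []
    if app.installer not in TRUSTED_INSTALLERS:
        out.append("untrusted-installer")
    for brand, (package, signer) in PINNED.items():
        # An app claims a brand by its visible label or by its package name.
        if brand in app.label.lower() or app.package == package:
            if app.package != package:
                out.append(f"{brand}:package-mismatch")
            if app.signer_sha256 != signer:
                out.append(f"{brand}:signer-mismatch")
    return out

def triage(inventory: list[AppRecord]) -> dict[tuple[str, str], list[str]]:
    """Map (device, package) -> findings for every app with at least one finding."""
    return {(a.device, a.package): f for a in inventory if (f := findings(a))}

# Constructed sample inventory (not data from the report).
INVENTORY = [
    AppRecord("phone-01", "Signal", "org.thoughtcrime.securesms",
              "com.android.vending", "PLACEHOLDER_SIGNAL_CERT_SHA256"),
    AppRecord("phone-02", "WhatsApp", "com.whatsapp", None, "CONSTRUCTED_OTHER_CERT"),
    AppRecord("phone-03", "Signal Private Messenger", "com.example.securechat",
              None, "CONSTRUCTED_OTHER_CERT"),
]

if __name__ == "__main__":
    for key, problems in triage(INVENTORY).items():
        print(key, problems)
```

Requested permissions are deliberately not scored: a working look-alike asks for the same camera, microphone and storage access as the genuine app, so only the installer and signer separate the two.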

Smartphones Have Diverse Capabilities Attackers Can Exploit to Their Advantage

  • They are carried everywhere and can be used to gather intelligence on company processes, sensitive data, and relationships to influence competitive advantage.
  • Smaller screens provide less real estate to spot attacks, determine what is real or fake, see whether links are malicious, and verify the authenticity of whoever is sending an enticing message over email, social media, or a communication app.
  • Sensors such as microphones and cameras, and data exposed by RF signals (cellular, Wi-Fi, and GPS), can be used to piece together information.
  • They authenticate essential accounts and receive two-factor authentication (2FA) tokens; if the phone is compromised, the layered security utility of 2FA will increase the risk of compromise.

Executives should think of their smartphones as attack platforms, tiny supercomputers with vast access to their personal and corporate lives which require robust security and proper app governance. 

Marilia Wyatt, CyberPrivacy

Mobile Devices Can Be Compromised in Two Ways

  • Legally, through apps, untested code of unknown origin, cellular service provider contracts, and device/OS manufacturer agreements where executives accept terms and conditions that allow sharing of data, tracking, and monitoring.
  • Illegally, through attackers physically or remotely compromising smartphones with malware, or where unsuspecting victims install trojanized apps on their devices, which can reveal account credentials, personally identifiable information (PII), intellectual property, and even relationships in executives’ calendars to further a rival’s competitive advantage.

Commercial Intrusion and Spyware Trade Growing

While mobile malware as a means to gather information from victims has existed for some time, in 2013 Citizen Lab security researchers detailed a growing industry providing commercial intrusion and malware tools to spy on companies and individuals, according to their research report. They added that commercial intrusion and monitoring tools, once available only to a few nation states, are now being widely sold around the world for a cheap buck.

The use of these products extends beyond spying on competing industries and companies to extract valuable information; oppressive governments also use them to chill dissent by targeting the smartphones of journalists and human rights defenders and to monitor citizens, Citizen Lab researchers said. These spyware tools raise serious privacy and security concerns for executives and society in general, as people may lack awareness of their use and knowledge about ways to defend themselves. In Dark Caracal, for instance, attackers used FinFisher, a tool that is installed in various ways, including fake software updates, malicious email attachments, and fake security updates from popular software.

Commercial spyware companies have also incorporated in the design of their products certain techniques that involve spoofing legitimate companies—for example, by packaging their spyware alongside legitimate software such as Adobe Flash Player—in order to deceive a target, enhancing the likelihood of target infection and spyware persistence. The result is not only the infection of targeted individuals’ devices, but also the undermining of security of the wider digital ecosystem. Spyware companies have profited, while civil society and legitimate ICT businesses have borne the costs of foreseeable misuse of spyware products and services.

Citizen Lab, 2017

Suggested Further Reading:

Software Meant to Fight Crime Is Used to Spy on Dissidents, 2012

Surveillance Company Says It Sent Fake iTunes, Flash Updates, 2011

Accountability in the Commercial Spyware Trade: Coordinating a Holistic Response, 2017
