Viruses and Worms

Android commercial spyware

Kaspersky Securelist - 1 hour 28 min ago

There’s certainly no shortage of commercial spying apps for Android, with most positioned as parental control tools. In reality, however, these apps barely differ from spyware, with the exception perhaps of the installation method. There’s no need to even resort to Tor Browser or other darknet activity either – all you need to do is type something like “android spy app” into Google.

They are called ‘commercial’ because anyone can buy an app like this for just a few dollars.

Kaspersky Lab mobile products detect this sort of commercial Android spyware as not-a-virus:Monitor.AndroidOS.*. According to our telemetry, the popularity of these apps has been growing in recent years:

Unique users attacked by not-a-virus:Monitor.AndroidOS.*, 2016-2017

That’s why we decided to take a closer look at this controversial type of mobile software.
Almost all commercial spyware apps are installed by manually accessing the target’s phone, and this is the only big difference between these apps and classic malicious spyware like DroidJack or Adwind. Customers have to download the app, install it and enter credentials that are received after purchasing. After that, the spying app becomes invisible on the phone. Installation usually only takes a couple of minutes.

Regular installation process

Some of these tools use device admin features to gain persistence and self-protection on the target’s phone.

So what does the customer get? Features may vary, but some of them are present in almost all these kinds of apps:

  • Stealing SMSs
  • Stealing calls (logs/recordings)
  • GPS tracking
  • Stealing browser data (history/bookmarks)
  • Stealing stored photos/videos
  • Stealing address books (with emails and even photos sometimes)
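As an added illustration, not code from the Securelist article or from any of the products it names, the following Python sketch turns the indicators described above (installation outside the Play Store, device-admin rights for persistence, the app hiding its icon, and access to SMS, calls, location, contacts and media) into a simple review score over a constructed app inventory. The indicator weights, the threshold and the package names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Indicators from the article: install from outside the Play Store, device-admin
# rights for persistence, a hidden launcher icon, and access to the data these
# apps collect (SMS, calls, location, contacts, media). Weights are assumptions.
INDICATOR_WEIGHTS = {"sideloaded": 2, "device_admin": 2, "no_launcher_icon": 3}
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
}
PLAY_STORE_INSTALLER = "com.android.vending"
REVIEW_THRESHOLD = 6  # assumed cut-off for "flag for manual review"

@dataclass
class AppRecord:
    package: str
    installer: Optional[str]       # installing package; None when sideloaded via adb or a file
    device_admin: bool             # holds a device-administrator policy
    has_launcher_icon: bool        # False when the app hides itself after setup
    permissions: Set[str] = field(default_factory=set)

def score_app(app: AppRecord) -> int:
    """Sum the indicator weights present on one app, plus one point per sensitive permission."""
    score = 0
    if app.installer != PLAY_STORE_INSTALLER:
        score += INDICATOR_WEIGHTS["sideloaded"]
    if app.device_admin:
        score += INDICATOR_WEIGHTS["device_admin"]
    if not app.has_launcher_icon:
        score += INDICATOR_WEIGHTS["no_launcher_icon"]
    return score + len(app.permissions & SENSITIVE_PERMISSIONS)

def flag_for_review(apps: List[AppRecord]) -> List[Tuple[str, int]]:
    """Return (package, score) pairs at or above the threshold, highest score first."""
    scored = [(a.package, score_app(a)) for a in apps]
    return sorted((s for s in scored if s[1] >= REVIEW_THRESHOLD), key=lambda s: -s[1])

# Constructed sample inventory; package names are made up, not taken from the article.
SAMPLE_APPS = [
    AppRecord("com.example.messenger", PLAY_STORE_INSTALLER, False, True,
              {"android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO"}),
    AppRecord("com.example.sysservice", None, True, False,
              {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
               "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS"}),
    AppRecord("com.example.navigator", None, False, True,
              {"android.permission.ACCESS_FINE_LOCATION"}),
]
```

On the sample inventory only the sideloaded, device-admin, icon-less app crosses the threshold; a legitimate messenger with two sensitive permissions and a sideloaded navigation app stay below it.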

And if you’re still not impressed, then check out the actual feature lists (in addition to the above) of some popular commercial spyware for Android. We have added the infamous Pegasus APT and Droidjack spyware to our comparison table below to show the difference in features between them and monitoring apps. Pegasus is an advanced persistent threat, created by NSO Group. Droidjack is a RAT that was sold some time ago for a $210 lifetime license. This tool is more akin to TrojWare, because of features such as remote installation and customization of your own C&C server. However, even after several users in European countries were arrested, malware author Sanjeevi claimed that Droidjack is “very useful for users who use it legally”. He stated that “Droidjack is a parental tool for remote Android administration. It is strictly meant for that and no other reasons”. Anyone who breaks these rules, adds Sanjeevi, will have their license revoked.

Features compared (columns, left to right): (1) Stealing emails; (2) Stealing surrounding voice; (3) Stealing scheduled tasks/calendar/notes; (4) Stealing social media/IM data; (5) Backdoor behavior (e.g., remote control); (6) Photo/video/screenshot capture; (7) Keylogging; (8) Stealing clipboard. “+” means the feature is present, “–” that it is absent.

                 (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)
Pegasus           +    +    +    +    +    +    +    –
DroidJack         –    +    –    +    +    +    –    –
TiSpy             +    +    +    +    –    +    +    +
Exaspy            +    +    +    +    +    +    –    –
iKeyMonitor       +    +    –    +    –    +    +    +
Mobistealth       +    +    +    +    –    +    +    –
mSpy              +    –    +    +    +    –    +    –
iSpyoo            +    +    +    +    +    –    –    –
SpyHuman          –    +    –    +    +    +    –    –
TheftSpy          –    +    –    +    +    +    –    –
TheTruthSpy       –    +    –    +    +    –    +    –
OneSpy            +    +    –    +    –    +    –    –
Highster Mobile   +    –    –    +    –    –    –    –
Spymaster Pro     –    –    –    +    –    +    –    –
DroidWatcher      –    –    –    +    –    +    –    –

This comparison table shows that the difference between known sophisticated spyware and some commercial monitor apps is not that great and, in some cases, monitor applications can even grab more private user information.

Exaspy is an especially interesting case. This is a classic monitor application with a regular manual-access installation method (you have to enter license credentials after installation to start spying):

However, after news about a high-profile victim – a senior executive at a company – this monitor app is considered illegal for now. Note that there are a lot of similar apps that can result in cases like this.

Some special features (spying on social media apps, for example) only work on a rooted device, but the list is still impressive. The ‘Stealing social media/IM data’ feature is particularly important. It means that the spyware is able to attack other social media or messenger apps (depending on the specific product), for example, Facebook, Viber, Skype, WhatsApp, etc. As a result, an attacker can observe messenger conversations, feeds and other personal data from the victim’s social media profile.

These products use the same techniques as standard malicious spyware to steal data, and sometimes on a bigger scale. For example, here is a fragment of code from a commercial application called OneSpy with a list of external attacked applications:

As you can see, the commercial app is interested in all popular social media apps and messengers.

It’s ‘legal’

Above we mentioned that some commercial Android spyware apps like Exaspy were recognized as illegal after investigations. But many commercial spyware applications are still considered legitimate because, according to their sites, they were created “for everyone who needs a helping hand in protection of their loved-ones, their children, family and employees”.

Some of them claim that their products are ‘100% undetectable’. This may be true for the naked eye, but definitely not for our products.

But why do we think commercial spyware poses a danger and why do we detect it? There are several reasons:

  • Almost all commercial spyware is distributed from the vendor’s own site and landing pages. As a result, vendors prompt users to enable the “Allow install of non-market applications” setting. This setting matters for device safety because enabling it makes an Android device vulnerable to malware installation. For security reasons, this method of distribution is contrary to Google policy.
  • Because some spying features only work on a rooted device, many vendors recommend rooting the targeted device. This opens the door to potential malware infection, and device rooting is also contrary to Google policy.
  • Not every vendor can guarantee the safety of the collected personal data, and that applies not only to hacker attacks but also to basic product security measures.

The last point is very important and our concerns aren’t baseless. I analyzed one commercial spyware app, investigating the vendor’s main site and C&C server. I soon found lots of files that had been uploaded to the server and that turned out to be users’ personal data collected by the app. Private files were stored on the server without any protection and could be accessed by anyone.

uh… security?

Many users of spyware apps who want to monitor the private lives of their relatives simply don’t understand that they may not be the only ones who will have access to such information.

To sum up, installing such apps, even on your child’s device, is a risky step that could lead to malware infection, data leaks or other unpleasant consequences. In our products we use a special technology for Android OS that helps detect dangerous apps capable of violating a customer’s data privacy. There is one simple and very important tip for everyone – always protect your phone with a password, PIN or fingerprint, so an attacker won’t be able to manually access your device.

To fix Intel's firmware fiasco, wait for Christmas Eve or 2018

The Register - Anti-Virus - 4 hours 26 min ago
And cross your fingers: 'TBD' is the scheduled date for hundreds of PC fixes

The world's top PC-makers have started to ship fixes for the multiple flaws in Intel's CPUs, but plenty won't land until 2018.…


Samba needs two patches, unless you're happy for SMB servers to dance for evildoers

The Register - Anti-Virus - 5 hours 27 min ago
Big Linux distros have pushed their fixes, but let's not assume everything auto-patches, OK?

It’s time to patch Samba again - or turn off SAMBA 1, which is never as easy as it sounds.…


Devs working to stop Go math error bugging crypto software

The Register - Anti-Virus - 7 hours 46 min ago
Programming language makes some fuzzy big numbers

Consider this an item for the watch-list, rather than a reason to hit the panic button: a math error in the Go language could potentially affect cryptographic libraries.…


What we know about Uber (so far, anyway) [VIDEO]

Sophos Naked Security - 22 November 2017 - 19:28
Uber is the data breach story of the week that looks set to become the saga of the month/quarter/year/decade. Here's the story so far...

HP to Patch Bug Impacting 50 Enterprise Printer Models - 22 November 2017 - 19:22
HP said dozens of enterprise-class printer models will receive a patch for an arbitrary code execution vulnerability sometime this week.

Black Friday shopping? “A little delay goes a long way!”

Sophos Naked Security - 22 November 2017 - 17:16
Want to chase those bargains on Black Friday? Here's how to do it without falling over yourself in haste...

Permissionless data slurping: Why Google's latest bombshell matters

The Register - Anti-Virus - 22 November 2017 - 17:09
Are you in control?

Comment: According to an old Chinese proverb: "When a wise man points at the Moon, an idiot looks at his finger." Google may have been hoping that you were examining a finger, not reading a Quartz story yesterday, which reveals how Android phones send location data to Google without you even knowing it.…


VB2017 paper: Beyond lexical and PDNS: using signals on graphs to uncover online threats at scale

Virus Bulletin News - 22 November 2017 - 16:57
At VB2017 in Madrid, Cisco Umbrella (OpenDNS) researchers Dhia Mahjoub and David Rodriguez presented a new approach to detecting infected machines using graphs to detect botnet traffic at scale. Today we publish both Dhia and David's paper and the recording of their presentation.


You're such a goober, Uber: UK regulators blast hushed breach

The Register - Anti-Virus - 22 November 2017 - 16:15
MP: Funny, you managed to contact customers when TfL put your licence on hold…

Brit regulators, security agencies and MPs have slammed Uber for covering up the massive data breach of 57 million customer and driver records.…


Google and Twitter turn their backs on Russian media over fake news

Sophos Naked Security - 22 November 2017 - 15:28
Russia Today and Sputnik swear up and down they're legitimate news sources. The FBI, and former employees, beg to differ.

Possible cut to British F-35 order considered before Parliament

The Register - Anti-Virus - 22 November 2017 - 14:05
MoD claims it's still committed but warns of 'uncertainty'

Rising costs might force the UK to reduce its order of F-35 fighter jets, the House of Commons has been told.…


Chromebook exploit earns researcher second $100k bounty

Sophos Naked Security - 22 November 2017 - 12:43
A year on from Google's last $100,000 bug bounty payout, the same researcher has found a second critical persistent compromise of Chrome OS.

Apple served with warrant for Texas mass killer’s iCloud data

Sophos Naked Security - 22 November 2017 - 12:19
Texas police are looking for any data stored by gunman Devin Patrick Kelley, who was found with an iPhone after he killed himself.

Loake Shoes admits: We've fallen victim to cybercrims

The Register - Anti-Virus - 22 November 2017 - 11:18
Hold on to your laces, email server was compromised

Miscreants, hackers – call 'em what you will – have pilfered email addresses from an unknown number of Loake Shoes customers.…


Once more unto the breach: El Reg has a go at crisis management

The Register - Anti-Virus - 22 November 2017 - 10:43
And you can probably guess how that turned out

Hacks played representatives of a hacked company in an incident response exercise run by F-Secure this week.…


Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners

The Register - Anti-Virus - 22 November 2017 - 09:01
Ad giant has malware detection in its script-hosting service... but Coin Hive isn't flagged

Crypto-jackers using Coin Hive code to secretly mine Monero via computing power supplied by the unsuspecting have found Google Tag Manager to be a convenient means of distribution.…


Apple: Sure, we banned VPN iOS apps in China, but, um, er, art!

The Register - Anti-Virus - 22 November 2017 - 07:02
iGiant didn't want to aid censorship, but $10bn in revenue is $10bn in revenue

Apple has told the US government it cooperated with China's demands to block VPN services so it could get other concessions from the Middle Kingdom on human rights.…


Uber Reveals 2016 Breach of 57 Million User Accounts - 22 November 2017 - 06:40
Uber CEO said a 2016 data breach that exposed 57 million Uber user accounts and a subsequent payment of $100,000 to a hacker to delete data and keep it a secret is inexcusable.

Iranian military hacker fingered for 'Game of p0wns' HBO leak

The Register - Anti-Virus - 22 November 2017 - 04:58
Dept. of Justice lamely says 'winter is coming' for Behzad Mesri, aka 'Skote Vahshat'

The United States' Department of Justice has identified a suspect in July's attack on Home Box Office, naming an Iranian national, Behzad Mesri, in an indictment unsealed Tuesday, November 21.…
