The spyware maker’s founder, Bryan Fleming, said pcTattletale is “out of business and completely done,” following a data breach.
© 2024 TechCrunch. All rights reserved. For personal use only.
pcTattletale’s website was briefly defaced and contained links containing files from the spyware maker’s servers, before going offline.
© 2024 TechCrunch. All rights reserved. For personal use only.
Several hotel check-in computers are running a remote access app, which is leaking screenshots of guest information to the interne
© 2024 TechCrunch. All rights reserved. For personal use only.
Consumer-grade spyware apps that covertly and continually monitor your private messages, photos, phone calls and real-time location are a growing problem for Android users.
This guide can help you identify and remove common surveillance apps from your Android phone, including TheTruthSpy, KidsGuard and other apps.
Consumer-grade spyware apps are frequently sold under the guise of child monitoring or family-tracking software, but are referred to as “stalkerware” and “spouseware” for their ability to also track and monitor partners or spouses without their consent. These spyware apps are downloaded from outside of Google Play’s app store, planted on a phone without a person’s permission and often disappear from the home screen to avoid detection.
Stalkerware apps rely on abusing in-built Android features that are typically used by companies to remotely manage their employees’ work phones or use Android’s accessibility mode to snoop on someone’s device.
You may notice your phone acting unusually, running warmer or slower than usual, or using large amounts of network data, even when you are not actively using it.
Checking to see if your Android device is compromised can be done quickly and easily.
It’s important to have a safety plan in place and trusted support if you need it. Keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware.
Note that this guide only helps you to identify and remove spyware apps, it does not delete the data that was already collected and uploaded to its servers. Also, some versions of Android may have slightly different menu options. As is standard with any advice, you follow these steps at your own risk.
Make sure Google Play Protect, a security feature in Android phones, is enabled. Image Credits: TechCrunch
Google Play Protect is one of the best safeguards to protect against malicious Android apps by screening apps downloaded from Google’s app store and outside sources for signs of potentially malicious activity. Those protections stop working when Play Protect is switched off. It’s important to ensure that Play Protect is switched on to ensure that it’s working and scanning for malicious apps.
You can check that Play Protect is enabled through the Play Store app settings. You also can scan for harmful apps, if a scan hasn’t been done already.
Stalkerware relies on deep access to your device to access the data, and is known to abuse Android’s accessibility mode which, by design, requires broader access to the operating system and your data for screen readers and other accessibility features to work.
Android users who do not use accessibility apps or features should not see any apps in their Android settings.
If you do not recognize a downloaded service in the Accessibility options, you may want to switch it off in the settings and remove the app. Some stalkerware apps are disguised as ordinary looking apps and are often called “Accessibility,” “Device Health,” “System Service” or other innocuous-sounding names.
Android spyware often abuses in-built accessibility features. Image Credits: TechCrunch
Much like the accessibility features, Android also allows third-party apps to access and read your incoming notifications, such as allowing smart speakers to read alerts out loud or your car to display notifications on its dashboard. Granting notification access to a stalkerware app allows for persistent surveillance of your notifications, which includes message and other alerts.
You can check which apps have access to your notifications by checking your Android notification access settings under Special app access. Some of these apps you may recognize, like Android Auto. You can switch off notification access for any app that you do not recognize.
Spyware taps into notifications access to read user messages and other alerts. Image Credits: TechCrunch
Other features commonly abused by stalkerware are Android’s device admin options, which have similar but even broader access to Android devices and users’ data.
Device admin options are usually used by companies to remotely manage their employees’ phones, such as wiping the phone in the event of device theft to prevent data loss. But these features also allow stalkerware apps to snoop on the Android display and the device’s data.
An unrecognized item in your device admin app settings is a common indicator of phone compromise. Image Credits: TechCrunch
You can find the device admin app settings in Settings under Security.
Most people won’t have a device admin app on their personal phone, so be aware if you see an app that you don’t recognize, named something similarly obscure and vague like “System Service,” “Device Health” or “Device Admin.”
You may not see a home screen icon for any of these stalkerware apps, but they will still appear in your Android device’s app list.
You can view all of the installed apps in Android’s settings. Look for apps and icons that you don’t recognize. These apps may also show as having broad access to your calendar, call logs, camera, contacts and location data.
Spyware apps are designed to blend in with generic-looking names and icons. Image Credits: TechCrunch
Force stopping and uninstalling a stalkerware app will likely alert the person who planted the stalkerware that the app no longer works.
If stalkerware was planted on your phone, there is a good chance that your phone was unlocked, unprotected or that your screen lock was guessed or learned. A stronger lock screen password can help to protect your phone from intruders. You should also protect email and other online accounts using two-factor authentication wherever possible.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Read more on TechCrunch:
Apple sent threat notifications to iPhone users in 92 countries on Wednesday, warning them that they may have been targeted by mercenary spyware attacks.
The company said it sent the alerts to individuals in 92 nations at 12 p.m. Pacific Time Wednesday. The notification, which TechCrunch has seen, did not disclose the attackers’ identities or the countries where users received notifications.
“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.
“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously,” Apple added in the text.
The iPhone maker sends these kind of notifications multiple times a year and has notified users to such threats in over 150 countries since 2021, per an updated Apple support page.
Apple also sent an identical warning to a number of journalists and politicians in India in October last year. Later, nonprofit advocacy group Amnesty International reported that it had found Israeli spyware maker NSO Group’s invasive spyware Pegasus on the iPhones of prominent journalists in India. (Users in India are among those who have received Apple’s latest threat notifications, according to people familiar with the matter.)
The spyware alerts arrive at a time when many nations are preparing for elections. In recent months, many tech firms have cautioned about rising state-sponsored efforts to sway certain electoral outcomes. Apple’s alerts, however, did not remark on their timing.
“We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future,” Apple told affected customers.
Apple previously described the attackers as “state-sponsored” but has replaced all such references with “mercenary spyware attacks.”
The warning to customers adds: “Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware.”
Apple said it relies solely on “internal threat-intelligence information and investigations to detect such attacks.”
“Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack and should be taken very seriously,” it added.
Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage, are now worth millions of dollars — and their price has multiplied in the last few years as these products get harder to hack.
On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies like Crowdfense and one of its competitors, Zerodium, claim to acquire these zero-days with the goal of reselling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals.
Crowdfense is now offering between $5 million and $7 million for zero-days to break into iPhones; up to $5 million for zero-days to break into Android phones; up to $3 million and $3.5 million for Chrome and Safari zero-days, respectively; and $3 million to $5 million for WhatsApp and iMessage zero-days.
In its previous price list, published in 2019, the highest payouts that Crowdfense was offering were $3 million for Android and iOS zero-days.
The increase in prices comes as companies like Apple, Google, and Microsoft are making it harder to hack their devices and apps, which means their users are better protected.
“It should be harder year over year to exploit whatever software we’re using, whatever devices we’re using,” said Dustin Childs, who is the head of threat awareness at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to acquire zero-days, then reports them to the companies affected with the goal of getting the vulnerabilities fixed.
“As more zero-day vulnerabilities are discovered by threat intelligence teams like Google’s, and platform protections continue to improve, the time and effort required from attackers increases, resulting in an increase in cost for their findings,” said Shane Huntley, the head of Google’s Threat Analysis Group, which tracks hackers and the use of zero-days.
In a report last month, Google said it saw hackers use 97 zero-day vulnerabilities in the wild in 2023. Spyware vendors, which often work with zero-day brokers, were responsible for 75% of zero-days targeting Google products and Android, according to the company.
People in and around the zero-day industry agree that the job of exploiting vulnerabilities is getting harder.
David Manouchehri, a security analyst with knowledge of the zero-day market, said that “hard targets like Google’s Pixel and the iPhone have been becoming harder to hack every year. I expect the cost to continue to increase significantly over time.”
“The mitigations that vendors are implementing are working, and it’s leading the whole trade to become much more complicated, much more time-consuming, and so clearly this is then reflected in the price,” Paolo Stagno, the director of research at Crowdfense, told TechCrunch.
Do you know more zero-day brokers? Or about spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Stagno explained that in 2015 or 2016, it was possible for only one researcher to find one or more zero-days and develop them into a full-fledged exploit targeting iPhones or Androids. Now, he said, “this thing is almost impossible,” as it requires a team of several researchers, which also causes prices to go up.
Crowdfense currently offers the highest publicly known prices to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to hack iPhones and Android devices. The prices in Russia, however, may be inflated because of the war in Ukraine and the subsequent sanctions, which could discourage or outright prevent people from dealing with a Russian company.
Outside of the public view, it’s possible that governments and companies are paying even higher prices.
“The prices Crowdfense is offering researchers for individual Chrome [Remote Code Execution] and [Sandbox Escape] exploits are below market rate from what I have seen in the zero-day industry,” said Manouchehri, who previously worked at Linchpin Labs, a startup that focused on developing and selling zero-days. Linchpin Labs was acquired by U.S. defense contractor L3 Technologies (now known as L3Harris) in 2018.
Alfonso de Gregorio, the founder of Zeronomicon, an Italy-based startup that acquires zero-days, agreed, telling TechCrunch that prices could “certainly” be higher.
Zero-days have been used in court-approved law enforcement operations. In 2016, the FBI used a zero-day provided by a startup called Azimuth to break into the iPhone of one of the shooters who killed 14 people in San Bernardino, according to The Washington Post. In 2020, Motherboard revealed that the FBI — with the help of Facebook and an unnamed third-party company — used a zero-day to track down a man who was later convicted for harassing and extorting young girls online.
There have also been several cases where zero-days and spyware have allegedly been used to target human rights dissidents and journalists in Ethiopia, Morocco, Saudi Arabia, and the United Arab Emirates, among other countries with poor human rights records. There have also been similar cases of alleged abuse in democratic countries like Greece, Mexico, Poland, and Spain. (Neither Crowdfense, Zerodium, or Zeronomicon, have ever been accused of being involved in similar cases.)
Zero-day brokers, as well as spyware companies like NSO Group and Hacking Team have often been criticized for selling its products to unsavory governments. In response, some of them now pledge to respect export controls in an effort to limit potential abuses from their customers.
Stagno said that Crowdfense follows the embargoes and sanctions imposed by the United States — even if the company is based in the United Arab Emirates. For example, Stagno said that the company wouldn’t sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan, and Syria — all on U.S. sanctions lists.
“Everything the U.S. does, we are on the ball,” Stagno said, adding that if an existing customer gets on the U.S. sanctions list, Crowdfense would abandon it. “All the companies and governments directly sanctioned by the USA are excluded.”
At least one company, spyware consortium Intellexa, is on Crowdfense’s particular blocklist.
“I can’t tell you whether it has been a customer of ours and whether it has stopped being one,” Stagno said. “However, as far as I am concerned now at this moment Intellexa could not be a customer of ours.”
In March, the U.S. government announced sanctions against Intellexa’s founder Tal Dilian as well as a business associate of his, the first time the government imposed sanctions on individuals involved in the spyware industry. Intellexa and its partner company Cytrox was also sanctioned by the U.S., making it harder for the companies, as well as the people running it, to continue doing business.
These sanctions have caused concern in the spyware industry, as TechCrunch reported.
Intellexa’s spyware has been reported to have been used against U.S. congressman Michael McCaul, U.S. senator John Hoeven, and the president of the European Parliament Roberta Metsola, among others.
De Gregorio, the founder of Zeronomicon, declined to say who the company sells to. On its site, the company has published a code of business ethics, which includes vetting customers with the goal of avoiding doing business “with entities known for abusing human rights,” and respecting export controls.
Ad blockers might seem like an unlikely defense in the fight against spyware, but new reporting casts fresh light on how spyware makers are weaponizing online ads to allow governments to conduct surveillance.
Spyware makers are reportedly capable of locating and stealthily infecting specific targets with spyware using banner ads.
One of the startups that worked on an ad-based spyware infection system is Intellexa, a European company that develops the Predator spyware. Predator is able to access the full contents of a target’s phone in real time.
According to documents seen by Israeli news outlet Haaretz, Intellexa presented a proof-of-concept system in 2022 called Aladdin that enabled the planting of phone spyware through online ads. The documents included a demo of the Aladdin system with technical explanations on how the spyware infects its targets and examples of malicious ads: by “seemingly targeting graphic designers and activists with job offers, through which the spyware will be introduced to their device,” Haaretz reported.
It’s unclear if Aladdin was fully developed or was sold to government customers.
Another private Israeli company called Insanet succeeded in developing an ad-based infection system capable of locating an individual within an advertising network, Haaretz revealed last year.
Online ads help website owners, including this one, generate revenue. But online ad exchanges can be abused to push malicious code to a target’s device.
Delivering malware through malicious ads, often referred to as malvertising, works by injecting malicious code into the ads displayed on websites on computer and phone browsers. Much of these attacks rely on some interaction with the victim, such as tapping a link or opening a malicious file.
But the global ubiquity of online advertising vastly increases the reach that government customers have to target individuals — including their critics — with stealthy spyware.
While no phone or computer can ever be completely unhackable, ad blockers can be effective in stopping malvertising and ad-based malware before it ever hits the browser.
Ad blockers — as the name suggests — prevent ads from displaying in web browsers. Ad blockers don’t just hide the ads, but rather block the underlying website from loading the ads to begin with. That’s also good for privacy, since it means ad exchanges cannot use tracking code to see which sites users visit as they browse the web. Ad-blocking software is available for phones, as well.
Security experts have long advised using an ad blocker to prevent malvertising attacks. In 2022, the FBI said in a public service announcement to use an ad blocker as an online safety precaution.
“Everyone should block ads,” tweeted John Scott-Railton, a Citizen Lab senior researcher who has investigated government spyware, in response to the Haaretz report. “It’s a matter of safety.”
Founded in 2017, Atoms Lanka Solutions is a provider of IT consulting and software development services. Throughout the company’s history, we have worked with over 160 customers from 5+ countries..
