In this article from Forbes.com, the writer discusses a Defcon presentation by forensics expert Michael Robinson, who tested a number of common “spy” apps and found many ways they can be detected from the traces they leave on the phone.
Espionage software isn’t just for Chinese intelligence agents and Eastern European identity theft rings. A miniature spyware industry also serves jealous spouses, worried parents, even overbearing bosses. Luckily for the targets of those small-time spies, however, it turns out that consumer-grade snoopware is much, much shoddier than the professional variety.

In a talk at the Defcon hacker conference this weekend, forensics expert and former Pentagon contractor Michael Robinson plans to show how to detect a range of commercial spyware, programs like MobileSpy and FlexiSpy that let users manually install invisible software on targets’ phones to track their location, read their text messages and listen in on their calls, often for hundreds of dollars in service fees. Robinson tested five commercial spying tools on five different devices–four Android devices and an iPhone. In most cases, he found that uncovering the presence of those spyware tools is just a matter of digging through a few subdirectories to find a telltale file–one that often even specifies identifying details of the person doing the spying. “I was shocked to find so many glitches, and so much data that allowed attribution,” says Robinson. “If I’m going to be spying on someone, I don’t want them to know my email address and phone number.”

Here’s a rundown of each of the tools and devices Robinson tested and the spyware giveaways he found. Though he used a collection of multi-thousand dollar forensic software–UFED Physical Analyzer, Microsystemation XRY and Paraben’s Device Seizure–to find these clues, a user without those tools can check for the same evidence in most cases. I contacted all the companies that provided any sort of contact information and will update the story if I hear back from them.

Robinson installed Spy Bubble, a program that markets itself as “the world’s most advanced cell phone tracking and monitoring system,” on an LG Optimus Elite.
He first found that it left behind an installer file called “radio.apk” in the subdirectory “/mnt/sdcard/Download.” Robinson also learned that the user doing the spying is meant to dial a PIN on the victim’s phone to change the program’s settings, and despite the software’s claim that the code would be deleted from the phone’s call log, it still appeared in the log of the phone he tested. The default PIN to access those settings is #999999*, but even if it’s changed, the number will start with a hash symbol and end with an asterisk. Even more glaring evidence existed in a subdirectory called “data/data/com.radioadv,” where Robinson found a collection of folders containing files called “secret.txt,” which holds the PIN used to change the spyware’s settings, and “buddy.txt,” which holds the cell phone number used for the spyware’s remote control.

Robinson put Mobistealth, “the ultimate cell phone spy software,” on an LG Optimus V, and found that it left behind the conspicuously named file “mobistealthv2.apk” in the download directory of the phone’s SD card. The software’s guts, however, were better concealed in a folder called “LookOut.secure” under the directory “data/data,” seemingly an attempt to hide under the name of the popular smartphone security software Lookout. In that folder Robinson found a “loggedpictures.ser” file that collects all the photos Mobistealth uploads to the spy, as well as a “configuration.xml” file that includes the spy’s FTP credentials, a potential giveaway to his or her identity.

Robinson says the most cringingly glitchy of the spyware programs he tested was also one of the most expensive, with a $350 fee per year.
When he installed Flexispy on an HTC Wildfire that had been rooted, per the software’s installation instructions, it left behind a file called “FSXGAD_2.03.3.apk” in the SD card’s download folder, as well as a cached image of its registration page in a subdirectory called “bookmark_thumb1.” But things quickly got much more obvious. Robinson says his phone running Flexispy periodically showed a message warning that “unknown” had gained “superuser access.” And when the text messages he sent the phone to issue Flexispy commands weren’t deleted as Flexispy had advertised, he says he learned from the software’s customer service that the stealth text message feature only works on GSM carriers like AT&T and T-Mobile, not CDMA ones like Verizon and Sprint, where the messages appear for any user to see.

Mobilespy, which Robinson ran on a Samsung Galaxy Prevail, left behind a file called “ms5-2.1-above.apk” in the phone’s SD card download folder. But the real breadcrumbs are in the subdirectory “/data/data/”, where a folder called “com.retina22.ms6” includes a file non-stealthily named “MobileSpyData6.0.xml.” That file includes the email address where the spy is receiving updates.

The only spyware that didn’t present obvious clues visible to the average user was Spyera, running on an iPhone. The real difficulty in detecting the software stemmed not from its stealthiness, but from the difficulty of accessing the file directory on an iOS device. Using his forensic software, Robinson found a folder called “Logs” including a file called “ownspy.log.” But he couldn’t suggest an easy way for the average user to definitively check for the program’s presence without his expensive tools. “On this one, without forensic software you’re probably hosed,” says Robinson. One hint, however, is that Spyera requires the phone be jailbroken.
So if the user can find evidence of jailbreaking such as the app Cydia or other tweaks to the OS, it may be a sign someone has tampered with the phone to allow spying. When in doubt, simply restore the phone from a backup or upgrade its firmware to un-jailbreak it. And then try not to let your phone out of your sight.
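The file-system giveaways described above for Spy Bubble, Mobistealth, Flexispy, Mobile Spy and Spyera, plus the call-log PIN pattern and the Cydia jailbreak hint, can be checked mechanically once you have the phone’s file system as a directory tree (from a forensic extraction, or from a rooted Android device). The script below is an added example written for this page, not code from the article or from Robinson’s talk. It assumes the tree is laid out with the phone’s root as the scan root (so the article’s “/mnt/sdcard/Download” becomes “mnt/sdcard/Download” under it), and the Cydia path “Applications/Cydia.app” is an assumed jailbreak marker; the article only says “the app Cydia.” The internal formats of the config files are not documented on the page, so attribution hints are pulled out with a plain e-mail regex. One caveat the article glosses over: on a non-rooted Android phone the “data/data” directories are not readable by a file manager, so without root or an extraction only the SD-card download folder and the call log can be checked.

```python
import os
import re
import tempfile

# File indicators from the article: (spyware, directory under the scan root, filename).
# The filename is matched anywhere beneath the directory, since the article
# describes nested folders rather than exact paths.
FILE_INDICATORS = [
    ("Spy Bubble",   "mnt/sdcard/Download",        "radio.apk"),
    ("Spy Bubble",   "data/data/com.radioadv",     "secret.txt"),          # settings PIN
    ("Spy Bubble",   "data/data/com.radioadv",     "buddy.txt"),           # remote-control number
    ("Mobistealth",  "mnt/sdcard/Download",        "mobistealthv2.apk"),
    ("Mobistealth",  "data/data/LookOut.secure",   "configuration.xml"),   # spy's FTP credentials
    ("Mobistealth",  "data/data/LookOut.secure",   "loggedpictures.ser"),
    ("Flexispy",     "mnt/sdcard/Download",        "FSXGAD_2.03.3.apk"),
    ("Mobile Spy",   "mnt/sdcard/Download",        "ms5-2.1-above.apk"),
    ("Mobile Spy",   "data/data/com.retina22.ms6", "MobileSpyData6.0.xml"),  # spy's e-mail
    ("Spyera (iOS)", "",                           "ownspy.log"),          # inside a "Logs" folder
]

# Directories whose mere presence is a giveaway. Applications/Cydia.app is an
# ASSUMED jailbreak marker path; the article only names "the app Cydia".
DIR_INDICATORS = [
    ("Spy Bubble",    "data/data/com.radioadv"),
    ("Mobistealth",   "data/data/LookOut.secure"),
    ("Mobile Spy",    "data/data/com.retina22.ms6"),
    ("iOS jailbreak", "Applications/Cydia.app"),
]

# Spy Bubble settings PIN as dialled: default #999999*, always starts with '#'
# and ends with '*' (the article specifies only those two characters).
PIN_DIAL_RE = re.compile(r"^#.+\*$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _walk_files(root):
    """Yield every regular file under root as a '/'-separated relative path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, "/")


def scan_tree(root):
    """Return sorted (spyware, relative_path) hits; directory hits end with '/'."""
    hits = set()
    for spyware, directory in DIR_INDICATORS:
        if os.path.isdir(os.path.join(root, directory)):
            hits.add((spyware, directory + "/"))
    for rel in _walk_files(root):
        for spyware, directory, filename in FILE_INDICATORS:
            if os.path.basename(rel) != filename:
                continue
            if directory and not rel.startswith(directory + "/"):
                continue
            # Spyera: article only says the log sits in a folder called "Logs".
            if filename == "ownspy.log" and os.path.basename(os.path.dirname(rel)) != "Logs":
                continue
            hits.add((spyware, rel))
    return sorted(hits)


def suspicious_pin_dials(call_log_numbers):
    """Call-log entries that look like a Spy Bubble settings-PIN dial."""
    return [n for n in call_log_numbers if PIN_DIAL_RE.match(n.strip())]


def attribution_hints(root):
    """E-mail addresses found inside the data/data artifact files that name the spy."""
    hints = {}
    for spyware, rel in scan_tree(root):
        if rel.endswith("/") or not rel.startswith("data/data/"):
            continue
        with open(os.path.join(root, rel), "rb") as f:
            text = f.read().decode("utf-8", "replace")
        for email in sorted(set(EMAIL_RE.findall(text))):
            hints.setdefault(spyware, []).append(email)
    return hints


def build_demo_tree(root):
    """CONSTRUCTED sample extraction (not real data): Spy Bubble plus Mobile Spy present."""
    files = {
        "mnt/sdcard/Download/radio.apk": b"PK...",
        "data/data/com.radioadv/files/secret.txt": b"#123456*",
        "data/data/com.radioadv/files/buddy.txt": b"+15550100",
        "mnt/sdcard/Download/ms5-2.1-above.apk": b"PK...",
        "data/data/com.retina22.ms6/shared_prefs/MobileSpyData6.0.xml":
            b'<map><string name="email">watcher@example.com</string></map>',
        "mnt/sdcard/DCIM/photo.jpg": b"\xff\xd8",  # benign file, must not be reported
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo():
    """Scan the constructed tree; returns (hits, attribution hints, suspicious dials)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = scan_tree(tmp)
        hints = attribution_hints(tmp)
    dials = suspicious_pin_dials(["5551234", "#999999*", "#123456*", "#12*34"])
    return hits, hints, dials


if __name__ == "__main__":
    hits, hints, dials = run_demo()
    for spyware, rel in hits:
        print(f"{spyware:12s} {rel}")
    print("attribution:", hints)
    print("PIN dials in call log:", dials)
```

Against a real extraction, point `scan_tree` at the extraction root instead of the constructed tree; the directory hits catch a spyware package even when the telltale files have been renamed, and the e-mail and phone-number strings in “buddy.txt,” “configuration.xml” and “MobileSpyData6.0.xml” are what make attribution possible.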