Spyware: How They Impact Enterprises and How to Spot an Infection

essidsolutions

Amid the ongoing outcry over the use of Pegasus spyware to surveil hundreds of high-profile individuals, there looms a threat that can be even more menacing for enterprises. An attacker only has to plant spyware on a single device to pave the way for larger corporate espionage or intellectual property (IP) theft. In this article, cybersecurity experts explain how spyware, the most popular type of malware, can be used against organizations, and what warning signs of surveillance IT teams can watch for.

In January 2020, a United Nations (UN) probe found that then Amazon CEO Jeff Bezos’ smartphone had been targeted by spyware, and that several megabytes of data were exfiltrated from it over a period of months. The UN report pointed the finger at Pegasus, spyware created and sold by the Israel-based NSO Group, which a separate investigation by Amnesty International’s cybersecurity team found on the phones of hundreds of people.

The use of spyware to keep an eye on a person of interest is not new. What is alarming is that attackers are getting better at covering their tracks and evading detection by anti-virus solutions. According to a July 2020 report by cybersecurity firm Avast, the use of spyware increased 51% QoQ by June 2020. Though that report does not say how many business leaders were targeted, a June 2020 report by Atlas VPN found that 46% of C-level executives were targeted by spyware just before the pandemic started.

Spyware is one of the most popular types of malware. It was the third most used malware in attacks against organizations in Q1 this year, and the second most used type of malware in attacks on individuals (seen in 28% of such attacks, more than a quarter), according to a Q1 2021 report by Positive Technologies, a cybersecurity firm.

Dmitry Galov, Security Researcher at Kaspersky, a cybersecurity firm, explains that spyware is not the type of malware used en masse. While APT actors may be interested in specific individuals – diplomats, activists, government workers – corporate espionage is more focused on gathering valuable data from the company’s networks. 

“Generally, it is employed in a targeted manner; a network gets infiltrated and information gathered. There is always a risk that spyware can lead to loss of some corporate data from a device of one of the employees, but it is far more likely that the compromised employee will be used as an entry-point into the corporate network, which contains more interesting information,” said Galov.


What is Spyware?

Kaspersky defines spyware as malicious software or apps (malware) that are secretly installed to monitor and track device activity. Unlike a virus, which inserts itself into a host program and then replicates to spread across entire networks, spyware sits undetected on the devices it infects and quietly monitors information and communications. Some malware can even install a permanent backdoor on the device for future access.

Typically, spyware gives attackers remote access to the victim’s device as if they were holding it in their hands. It can be used to read messages, listen to phone calls, access photos and browsing history, and capture and transfer audio and camera recordings in real time.

These apps run invisibly in the background and use advanced obfuscation techniques to avoid appearing in the app drawer or the installed-apps list. As a result, users remain unaware of their presence even while under surveillance.

So how does spyware spread? According to Galov, spyware, like any other malware, is most often spread via phishing emails, some of them very carefully crafted. Perpetrators often build convincing pretexts and may spend weeks communicating with employees, for instance posing as a contractor, before actually sending a malicious attachment.

“Another way of infiltration is waterholing attacks when a specific website that targets a very specific audience (say, a site with content for accountants) is infected,” said Galov. 

The more advanced spyware programs such as Pegasus belong to the category of “zero-click” attacks, which do not depend on tricking users into clicking malicious links or attachments. Instead, they exploit zero-day vulnerabilities in popular apps or operating systems that the developer or OEM may not be aware of at the time. For instance, in 2019, attackers exploited a buffer overflow vulnerability in WhatsApp’s VoIP stack to install spyware on 1,400 phones.

In April, the U.K.’s National Cyber Security Centre (NCSC) issued an advisory about fast-spreading spyware called FluBot that has affected several Android devices. The spyware spreads through SMS messages about a missed package delivery. Targeted users are urged to install a tracking app through a link in the message; the app is the spyware, which steals sensitive data such as passwords. It also harvests contact details to send out more such text messages.
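As an added illustration of how a defender might triage the FluBot-style lure described above (a delivery notice combined with a prompt to install an app through a link), here is a small heuristic scanner. It is not code from the article, the NCSC advisory, or any vendor; the keyword lists, the rule that two independent signals make a message suspicious, and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inbox (not real FluBot messages). Messages 0 and 2 carry
# the lure pattern described above; 1 and 3 are benign.
SAMPLE_SMS = [
    "Your parcel could not be delivered. Track it here: http://delivery-track.example/app.apk",
    "Hi, are we still on for lunch tomorrow?",
    "DHL: your package is waiting. Install our tracking app: https://track-pkg.example/install",
    "Your one-time code is 482193",
]

# Assumed keyword lists; a production filter would tune these from real data.
DELIVERY_WORDS = re.compile(r"\b(parcel|package|delivery|deliver(?:ed)?|shipment|courier)\b", re.I)
INSTALL_WORDS = re.compile(r"\b(install|download|app|apk)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_sms(text: str) -> Verdict:
    """Flag a message only when it carries a link AND at least two lure signals.

    A link alone is normal; a delivery notice alone is normal. The combination
    'delivery lure + ask to install something via a link' is the pattern worth
    surfacing to a user or a mobile-security team.
    """
    urls = URL.findall(text)
    if not urls:
        return Verdict(False)
    reasons = []
    if DELIVERY_WORDS.search(text):
        reasons.append("delivery lure")
    if INSTALL_WORDS.search(text):
        reasons.append("asks to install app")
    if any(u.lower().rstrip(".,").endswith(".apk") for u in urls):
        reasons.append("direct APK link")   # sideloading outside the app store
    return Verdict(len(reasons) >= 2, reasons)


def scan_inbox(messages):
    """Return the indices of messages the heuristic flags as suspicious."""
    return [i for i, m in enumerate(messages) if triage_sms(m).suspicious]


if __name__ == "__main__":
    for i in scan_inbox(SAMPLE_SMS):
        print(i, triage_sms(SAMPLE_SMS[i]).reasons, SAMPLE_SMS[i])
```

The two-signal rule keeps ordinary courier notifications (which usually link to a tracking page but do not ask you to install anything) from being flagged, while a direct `.apk` link is treated as its own signal because legitimate Android apps are distributed through the store rather than by SMS.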

Types of Spyware

According to Avast, spyware can be classified into the following categories: 

Adware: Though less malicious than something like Pegasus, adware also secretly installs itself on a device and spies on users’ browsing history to show them more targeted ads.

Keylogger: This spyware is designed to record all the keyboard input by users on their devices. The input is then saved in an encrypted log file.

Info stealers: They go beyond keylogging and harvest everything from browsing history, documents, emails, messages and camera rolls. 

Red Shell spyware: These are furtively installed during installations of PC games and are used to track gamers’ online activities to improve gaming experience and targeted campaigns. 

Tracking cookies: These cookies are regarded by many experts as spyware as they monitor all online browsing activities, compile browsing history and record login attempts. 

Rootkits: Part of the more menacing category of spyware, rootkits exploit security vulnerabilities or use a Trojan horse to infiltrate a device and gain remote admin rights.


How Spyware Can Put Enterprises at Risk

Though spyware attacks enable spying on individuals, their underlying objective is often more nefarious, such as breaking into a company’s network and stealing its intellectual property (IP). Often, hackers are simply trying to get hold of the IP to sell it to the highest bidder on the dark web. In many instances, however, governments or intelligence agencies are behind these attacks, and the stolen IP is shared with local companies that lack the R&D capacity of large global MNCs.

In 2020, the Federal Bureau of Investigation (FBI) revealed it was investigating over 1,000 cases of theft of U.S.-based technologies and China’s suspected involvement.

IP thefts have cost U.S. companies billions of dollars. The Commission on the Theft of American Intellectual Property estimated the annual cost of IP thefts to be between $225 billion and $600 billion. 

“Positive Technologies research finds that in Q1 2021, acquisition of data remained the top motive for attacks on both organizations and individuals. Attackers’ main targets are personal data and credentials, and attacks on organizations are also aimed at stealing intellectual property,” said Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies. 

“Spyware can lead not only to the leakage of a company’s data but also, depending on the information received, allow an attacker to perform other malicious actions, like steal funds and develop an attack on the company’s partners or clients,” added Kilyusheva. 

It’s not just large organizations that are at risk. Startups that are often founded on a unique idea or IP are also on the radar of threat actors. “Last year, we reported on DeathStalker, a mercenary group that targeted small and medium businesses and spied on them. They did not use advanced tools but updated their toolkits regularly and still managed to reach their goals,” warned Galov. 


How To Identify Spyware

Even where organizations have several layers of security tools in place to protect their systems, networks and IP assets, attackers have successfully exploited technical loopholes or human error to get what they want. Since spyware can be planted through legitimate software, as was evident with WhatsApp and iMessage, users need to be extra cautious. In addition to using one of the highly rated anti-virus tools, they can also look for telltale signs.

Here are some of the warning signs as listed by Kaspersky:

  • Devices become sluggish and take too much time to load apps
  • The battery drains faster than usual
  • Difficulty or unexpected delay in logging into secure sites
  • A sudden increase in data usage, as spyware uses the device’s data connection to transfer files
  • The mobile setting that allows installing apps from outside the Google Play Store has been enabled

“Even a well-informed person can be successfully targeted if they do not use modern tools to detect attacks. Although spyware uses various techniques for hiding, they can be detected using special tools, such as sandboxes with the ability to check the behavior of software in a virtual environment, as well as during the analysis of network traffic when stolen information is transmitted,” cautions Kilyusheva. 
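Two of the points above, the data-usage spike in Kaspersky’s list of warning signs and Kilyusheva’s observation that spyware can be caught in network traffic when stolen information is transmitted, can be turned into simple detection logic. The following is an added example, not code from the article or from Kaspersky or Positive Technologies: it reads constructed daily per-device egress summaries (the kind a proxy or NetFlow pipeline might produce), learns each device’s own baseline, and alerts on a day whose outbound volume is far above that baseline or on a destination the device has never contacted before. The log format, the seven-day baseline window and the 3× spike factor are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample: seven quiet days for one phone, then a day on which it
# pushes ~48 MB to an address it has never talked to before.
SAMPLE_EGRESS = """\
2021-06-01 device=phone-17 dst=cdn.example bytes_out=1500000
2021-06-02 device=phone-17 dst=cdn.example bytes_out=1700000
2021-06-03 device=phone-17 dst=cdn.example bytes_out=1400000
2021-06-04 device=phone-17 dst=cdn.example bytes_out=1600000
2021-06-05 device=phone-17 dst=cdn.example bytes_out=1500000
2021-06-06 device=phone-17 dst=cdn.example bytes_out=1600000
2021-06-07 device=phone-17 dst=cdn.example bytes_out=1500000
2021-06-08 device=phone-17 dst=cdn.example bytes_out=1600000
2021-06-08 device=phone-17 dst=203.0.113.40 bytes_out=48000000
"""


def parse_line(line):
    """Parse one 'YYYY-MM-DD key=value ...' record into (date, device, dst, bytes_out)."""
    date, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return date, fields["device"], fields["dst"], int(fields["bytes_out"])


def detect_exfil(log_text, baseline_days=7, spike_factor=3.0):
    """Return alerts for (a) a day's egress above spike_factor x the device's
    baseline median and (b) destinations first contacted after the baseline window.

    The median is used rather than the mean so that one noisy baseline day
    cannot inflate the threshold.
    """
    per_day = defaultdict(lambda: defaultdict(int))   # device -> date -> bytes
    first_seen = {}                                   # (device, dst) -> first date
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, dev, dst, nbytes = parse_line(line)
        per_day[dev][date] += nbytes
        first_seen.setdefault((dev, dst), date)

    alerts = []
    for dev, days in per_day.items():
        dates = sorted(days)
        baseline = dates[:baseline_days]
        median = statistics.median(days[d] for d in baseline)
        for d in dates[baseline_days:]:
            if days[d] > spike_factor * median:
                alerts.append({"device": dev, "date": d, "kind": "egress spike",
                               "detail": round(days[d] / median, 1)})
        for (dev2, dst), date in first_seen.items():
            if dev2 == dev and date not in baseline:
                alerts.append({"device": dev, "date": date, "kind": "new destination",
                               "detail": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_EGRESS):
        print(alert)
```

The new-destination check matters as much as the volume check: the Bezos case described earlier involved only several megabytes leaking over months, which a volume threshold alone would never catch, whereas a previously unseen destination receiving even a small, steady trickle from a single device is something an analyst can follow up on.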

Final Thoughts

Spyware has become a lot more sophisticated and can even infiltrate a device without any help from unsuspecting users. Once it is in, it uses obfuscation techniques to hide while giving attackers unfettered access to every activity on the device. However, it has specific giveaways, and users should watch out for them. Once detected, spyware can be removed using spyware removal tools.
