Shining a light on spyware -- how to keep high-risk individuals safe
With elections across the world, there is a tremendous amount of attention placed on the threat posed by AI and digital misinformation. However, one threat we need to have more focus on is spyware.
Spyware has already been used by nation states and governments during elections to surveil political opponents and journalists. For example, the government of Madagascar has been accused of using the technology to conduct widespread surveillance ahead of its elections.
Spyware has become such a threat that in April Apple notified individuals in 92 countries that their iPhones were likely to be under active threat from an unidentified ‘mercenary’ threat actor. Apple has since warned users in 98 countries of additional spyware attacks.
With increasing evidence of politically targeted spyware around the world, there’s an urgent need for high-profile individuals and businesses to understand how spyware is deployed, and more importantly, how to defend against it.
How spyware is deployed to monitor targets
Spyware is malware that covertly monitors an individual’s device and activities by gathering information from common sensors, such as the camera or microphone, and sending it back to the perpetrator.
In addition to politically motivated attacks, mobile spyware has increasingly been used to target business executives, as in the Jeff Bezos spyware incident, and social activists, as seen in the targeting of Jamal Khashoggi’s family. It has also been tied to likely espionage scenarios, as shown by the EU Commission discovery.
Because spyware is deployed against a specific victim, it is not the type of malware that is typically used opportunistically. In fact, we estimate that less than 1 percent of workers will experience malware on their mobile devices. However, this doesn’t make it any less of a threat.
Spyware is an extremely effective tool against high-priority targets such as politicians and journalists, and it is most commonly linked to political regimes. Its covert nature means it is typically deployed through advanced methods, as the perpetrators prioritize stealth and persistence.
Zero-day exploits taking advantage of previously unknown vulnerabilities are one of the most effective methods for infiltrating devices without detection. Social engineering tactics that trick users into downloading malware, as well as malicious apps disguised as legitimate software, are also common tactics.
Once present on a device, advanced spyware like Pegasus, one of the most notorious spyware tools, employs highly sophisticated techniques to maintain persistence and evade detection. It will look to access personal data, including messages, emails, and location information, without the user’s knowledge.
Combating spyware is challenging due to its evolving nature. Modern spyware often employs advanced evasion techniques, such as encrypting communications and using command and control servers to receive instructions and exfiltrate data. These characteristics make detection and mitigation difficult, requiring continuous monitoring and updated defenses to stay ahead of the threats.
Why spyware is a serious threat to privacy and democracy
Spyware is especially common in politically motivated surveillance. There have been a growing number of cases where spyware was deployed to infiltrate the devices of key political figures, campaign members, and journalists, aiming to gather sensitive information and sway electoral outcomes. Many known cases are believed to be the work of governmental regimes.
For instance, in Poland, an investigation is now underway into allegations the previous government used spyware to monitor opposition figures, and the Serbian government is likewise accused of attempting to spy on political opponents.
We have directly analyzed a spyware attack on a prominent human rights activist in the Middle East, with evidence suggesting the perpetrator was also behind the targeting of Amnesty International staff. In another case we investigated, spyware was used against a European journalist, exploiting the fact they used an outdated iPhone model.
Spyware can have a profound impact, undermining the integrity of the democratic process and eroding public trust. As such, it is important to understand how to counter the threat.
Techniques and tools for combating spyware
Whilst spyware represents an insidious threat, the risk can be mitigated with the right combination of proactive security measures.
Collecting and analyzing mobile device telemetry is one of the most critical steps in combating spyware, as these inputs help a trained team to identify anomalies and compromise indicators.
Telemetry data, which includes system logs and network traffic information, provides the necessary inputs to identify potential threats, including zero-days. This data is used by security experts to trace the origin and behavior of spyware, enabling them to respond effectively.
Implementing mobile threat defense (MTD) solutions enables organizations to establish a secure foundation by bringing together configuration vulnerability management, malware protections, and anti-phishing capabilities to defend against common attacks.
MTD tools integrate threat intelligence, behavior analysis, and automated response capabilities to prevent known threats from impacting worker productivity. These solutions not only detect and neutralize malware but also provide ongoing monitoring and analysis to prevent future attacks.
Adding network monitoring tools to track unusual traffic patterns can aid in the early detection of spyware by providing critical detection capabilities for command-and-control servers and data exfiltration. Network-based policy can also help block malicious activity in real time, particularly when attackers reuse previously identified methods and infrastructure.
Conducting regular security audits can also help ensure that devices are compliant with the latest security standards. Our research has found that around 40 percent of mobile devices are operating with known vulnerabilities, providing attackers with an easy way in.
Finally, for organizations with security analysts or outsourced investigations teams, we recommend implementing threat hunting programs to stay ahead of the advanced persistent threats, such as spyware, that are being discovered more frequently. Monitor mobile device telemetry, system events, crash logs, and other data sources to look for anomalies that could be indicative of a targeted attack.
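The telemetry analysis, network monitoring and threat-hunting steps above can be illustrated with a small script. The following is an added example, not Jamf’s code or any product’s logic: it scans two constructed data sources, a crash log and a set of outbound network flow records, for the anomalies the text names: a burst of crashes in one system process (a common footprint of unreliable exploit attempts), outbound connections to hosts outside an allowlist that recur at regular intervals (beacon-like command-and-control traffic), and large uploads to such hosts (possible exfiltration). Every host, process name, timestamp and threshold is a constructed sample value, not a real indicator.

```python
"""Toy threat-hunting pass over constructed mobile device telemetry.

Added example (not Jamf's code). All records, hosts, process names and
thresholds below are constructed sample values, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed crash-log records: (ISO timestamp, crashing process).
# "messagingd" is a placeholder daemon name, not a real process.
CRASH_LOG = [
    ("2024-06-01T09:00:05", "Messages"),
    ("2024-06-01T10:12:40", "messagingd"),
    ("2024-06-01T10:13:02", "messagingd"),
    ("2024-06-01T10:13:30", "messagingd"),
    ("2024-06-02T08:00:00", "Safari"),
]

# Constructed outbound flow records: (ISO timestamp, destination host, bytes sent).
NETWORK_FLOWS = [
    ("2024-06-01T10:14:00", "cdn.example-legit.test", 1200),
    ("2024-06-01T10:15:00", "198.51.100.23", 512),
    ("2024-06-01T10:20:00", "198.51.100.23", 540),
    ("2024-06-01T10:25:00", "198.51.100.23", 530),
    ("2024-06-01T10:30:00", "198.51.100.23", 9_500_000),
    ("2024-06-01T11:00:00", "mail.example-legit.test", 4000),
]

# Constructed allowlist standing in for an organization's known-good destinations.
ALLOWED_HOSTS = {"cdn.example-legit.test", "mail.example-legit.test"}


def _ts(s):
    return datetime.fromisoformat(s)


def find_crash_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Return process names that crashed `threshold` or more times inside any
    sliding window of length `window`."""
    by_proc = defaultdict(list)
    for ts, proc in records:
        by_proc[proc].append(_ts(ts))
    bursts = set()
    for proc, times in by_proc.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Advance the window start until it covers at most `window`.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts.add(proc)
    return sorted(bursts)


def find_suspicious_flows(flows, allowed, min_beacons=3, jitter=0.2,
                          upload_threshold=5_000_000):
    """Return {host: [reasons]} for destinations not on the allowlist that show
    regular beacon timing (relative deviation of the gaps between connections
    at or below `jitter`) or upload at least `upload_threshold` bytes in total."""
    by_host = defaultdict(list)
    for ts, host, nbytes in flows:
        if host not in allowed:
            by_host[host].append((_ts(ts), nbytes))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        reasons = []
        if len(events) >= min_beacons:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= jitter:
                reasons.append(f"regular beaconing every ~{avg:.0f}s")
        total = sum(n for _, n in events)
        if total >= upload_threshold:
            reasons.append(f"large upload ({total} bytes)")
        if reasons:
            findings[host] = reasons
    return findings


def hunt(crashes=CRASH_LOG, flows=NETWORK_FLOWS, allowed=ALLOWED_HOSTS):
    """Run both checks and return the combined findings for an analyst to triage."""
    return {
        "crash_bursts": find_crash_bursts(crashes),
        "suspicious_hosts": find_suspicious_flows(flows, allowed),
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

On the constructed data the script flags the crash burst in the placeholder daemon and the non-allowlisted host, which both beacons every five minutes and uploads several megabytes. In practice the thresholds would be tuned against a baseline of the fleet’s normal crash and traffic patterns, and a finding is a lead for an analyst, not a verdict.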
Good cyber hygiene and native OS features make a difference
Alongside specific security tools and strategies, it’s important to make the best of native device features that can reduce the risk.
Keeping devices updated with the latest OS and software patches is crucial in defending against spyware. Regular updates ensure that vulnerabilities are patched, reducing the risk of exploitation by malicious actors. Users should also ensure their device is fully supported – as seen with the European journalist case we analyzed, outdated and unsupported phones are a serious risk.
iOS in particular offers several security features to protect against spyware. Lockdown Mode, which restricts device functionality to limit potential attack vectors, is specifically designed for protecting high-risk individuals. That said, Lockdown Mode has limitations, such as reduced usability and lack of visibility into organizational targeting.
Getting ahead of the spies
Spyware remains a significant threat, particularly during critical times like elections, targeting high-value individuals such as politicians and activists. By understanding how it is deployed and employing advanced detection techniques, organizations can bolster their defenses.
Maintaining updated devices, leveraging iOS security features, and implementing security measures to detect malicious activity will help mitigate the threat. Proactive steps and a robust cybersecurity posture are vital for both organizations and individuals to defend effectively against spyware and to safeguard both their own privacy and democratic processes at large.
Michael Covington is VP of Strategy at Jamf.