Android phones playing “I spy” at home and at work

Kindsight, now an Alcatel-Lucent suite of solutions, has been releasing a quarterly Security Labs Malware Report since May 2012. Much like the 9900 WNG network analytics enables us to discover mobile data usage trends, Kindsight leverages network-based security analytics to reveal the latest trends on security threats to fixed and mobile networks. The Q2 2013 Kindsight Security Labs Malware Quarterly Report is now available; the rise in the number of mobile spyware applications discovered this quarter warrants a closer look.

Source: Kindsight Security Labs Malware Report - Q2 2013

A third of the top 15 security threats are now spyware related, up from only 2 spyware instances the last quarter. MobileSpy and FlexiSpy were already in the top 15 list, but SpyBubble moved up to take the #4 spot while SpyMob and PhoneRecon appeared for the first time, ranking #5 and #7 respectively.

Until now mobile spyware has been aimed at the consumer market, with the promise of being able to track your loved one’s every move through their phone. But locating teenagers and a straying spouse are only one part of the story.

Mobile spyware in the “Bring Your Own Device” (BYOD) context poses a threat to enterprises because it can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage.

But how real is the possibility of a cyber-attack launched against a company or government department? And what are the factors to consider?

What can Spyware do?

Typical features for existing commercial spyware products include:

• Tracking the phone’s location

• Log phone calls made and received

• Record text messages sent and received

• Monitor e-mail

• Monitor social media activity

• Monitor browsing activity

• Access to photos and contact information

It is surprisingly easy to add a command and control interface to allow the attacker to control the device remotely, activating the phone’s camera and microphone without the user’s knowledge. This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device – all without the user’s knowledge.

The mobile phone is a fully functional network device. When connected to the company’s WiFi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. With these features, an ordinary smart-phone becomes the perfect platform for launching advanced persistent threats (APT).

In the hands of professionals with state-of-the arts tools, enabling those features is a simple matter. To demonstrate its feasibility, Kindsight Security Labs produced such spyware and will be demonstrating it at Black Hat USA 2013 Security Conference in Las Vegas, July 27 – August 1st.

How Does Spyware Get Installed On The Mobile Device?

When spyware is used to track a loved one, it is usually downloaded and installed directly onto the target’s phone by the person who wants to track them. For corporate espionage, that installation option is not very likely! Hackers had to develop mechanisms to entice the target to install their spyware.

Corporate Spyware is typically packaged as a Trojan inside a legitimate application. Phishing and other social engineering techniques are used to entice the victim to install the infected application on their phone. Most effective are targeted phishing attacks (spear phishing) where a customized e-mail is sent to the victim to increase the likelihood of the Trojan application being installed. For example, a spambot was recently enlisted to help distribute an Android Trojan. It was sending spam, encouraging the user to install a fake Flash Player update that actually installs the Trojan.

The Kindsight Security labs demonstration at Black Hat’s Security Conference shows how a spyware module can be embedded as a Trojan into just about any legitimate application. It shows how the spyware can be distributed inside a fully functioning version of the popular game Angry Birds.


Mobile devices are increasingly the targets of malware, yet few of us install an anti-virus on these computing platforms. Worse yet, even an anti-virus is not enough to catch malware. Kindsight’s network-based approach catches more malware, sooner than anti-virus. And it is an approach that only service provider can offer. Since they own the mobile broadband connection, it makes it easy for them to bundle a security service. It is hassle free and convenient for the consumer: no malware to install or update. And the mobile security service gives them instructions on how to remove the malware should they become infected.

Click here to subscribe to our Analytics Beat e-mail newsletter for the latest latest trends, data and behaviors affecting today’s advanced mobile communications networks.

Our Analytics Beat studies examine a representative cross-section of mobile data customers using the 9900 Wireless Network Guardian and the Kindsight Security Analytics solutions. They are made possible by the voluntary participation of our customers. Collectively, these customers provide mobile service to millions of subscribers worldwide.

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.