Mobile hacking and spyware – understanding the risks

Today’s digital world provides a growing attack surface, but understanding the risks of mobile hacking and spyware primes user defenses.
3 May 2023

Understanding the risks of mobile hacking and spyware can make device users more security aware. Image credit: Shutterstock Generate.

Mobile hacking and spyware raise some big questions for society. Surveillance tools can turn smartphones against their users – activating microphones and cameras without permission and exploiting a host of other device features. Few people would pay hundreds of dollars for the pleasure of carrying around a tracking device, but bad actors can quickly sour a user’s smartphone experience by exploiting unpatched vulnerabilities. However, device owners can shine a light on an adversary’s capabilities by understanding the risks of mobile hacking and spyware.

The use of spyware on mobile devices blew up in a big way in 2021 when Forbidden Stories (a network of journalists), Amnesty International, and their media partners shared the findings of the Pegasus Project – an investigation into potential targets of device surveillance based on a leak of more than 50,000 phone numbers. Included on the list were ten prime ministers, three presidents, and a king – according to The Washington Post.

Digging into the details, analysts from Amnesty International’s security lab found that 37 out of 67 smartphones examined as part of a forensic study had been penetrated by spyware or displayed signs that attempts had been made to infect devices. What’s more, 34 of those mobiles were iPhones, which have a reputation – thanks to Apple’s walled garden and tight control over its devices – for powerful security capabilities.

Defending digital life

The determination of bad actors to dig into the weeds and discover vulnerabilities that are unknown to device-makers points to the treasure trove of data that our smartphones contain, which increasingly includes health information too. And one of the risks of mobile hacking and spyware is that it builds up distrust in digital life. But why should consumers have to give up improvements in how they bank, shop, buy tickets, plan their travel, and the many more benefits that have come with mobile technology?

Apple continues to strengthen the security of its products with feature updates such as ‘Blastdoor’ (introduced in iOS 14) and ‘Lockdown Mode’ (introduced in iOS 16) in response to the risks of mobile hacking and spyware. ‘Lockdown Mode’ is designed to help protect devices against what Apple describes as ‘extremely rare and highly sophisticated cyber attacks’. And Google’s Project Zero security analysts shed light on the improvements that ‘Blastdoor’ brings to iMessage integrity.

The ‘Blastdoor’ service is tightly sandboxed and parses untrusted data in iMessages. It is written in Swift, a language that has been designed to eliminate unsafe code and that features memory guards. The goal is to harden smartphones and other mobile devices against so-called 0-click attacks that infect systems with minimal user interaction – for example, by exploiting classic memory corruption vulnerabilities.

The European Parliament is investigating the use of surveillance spyware. Image reference: EP-129979A, Photographer: Alain ROLLAND, Copyright: European Union 2022 – Source: EP

The findings of the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware shed further light on the risks of mobile hacking and spyware. They also point to ‘the diversity of origin among spyware producers’. And while there may be multiple vendors, spyware producers share a similar justification for their products, which they claim help combat terror and fight crime.

“It’s a tired rhetoric to defend surveillance activity,” Nigel Gibbons – Associate Director & Senior Advisor at NCC Group – told TechHQ. “We need to call it for what it is.” Gibbons is concerned about what happens when products are misused and fall into the wrong hands. And he’s not alone. Members of the Citizen Lab, whose research focuses on the intersection of information and communication technologies, human rights, and global security, have long been reporting on the impact of digital espionage on civil society.

Most recently, the Citizen Lab drew attention to the use of QuaDream’s spyware as well as a trio of 0-click exploit chains that it associates with NSO Group customers. And the research spotlights the cat-and-mouse nature of cybersecurity – as defenders get wise to attack methods, adversaries find other avenues to exploit.

Knowing when to ask for help

It’s unrealistic to expect everyone to become an expert in countering the risks of mobile hacking and spyware. But as general security awareness rises, attackers face more pressure to cover their tracks. Users who notice strange behaviour will know to reach out for help. The nature of cyberattacks puts payloads in the hands of victims, where malicious instructions on devices have the potential to be reverse-engineered by specialist security research labs.

And while good cyber hygiene – such as keeping firmware updated – will neutralize threats that device manufacturers have been made aware of and issued security patches for, what about users running older hardware? Second-hand devices are becoming more popular as consumers look to save money and reduce their environmental impact, but that can present security issues.

There’s data privacy to consider too, if devices have been simply reset rather than having their file storage fully erased. “Unless you write over memory locations, a lot of that data can be recovered,” Gibbons points out. “There are many areas where that data can exist.”

Hardware providers can do more to help consumers as smartphone shopping habits change – for example, by having a button to push that would automatically prepare a device so that it can be traded in without causing data security issues. Mobile phones have become a valuable part of our lives, but as their capabilities have increased, so have the rewards of mobile hacking and spyware. However, the more knowledge that users have of the risks, the harder attackers will have to try to breach rising security defenses.