Taking spyware and other mobile threats seriously

Last March, in the foreword to the White House Cybersecurity strategy, the President wrote, “[W]hen we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the Internet to run a business, we need the ability to trust that the underlying digital ecosystem is safe, reliable, and secure.”

He’s right. And his words rang especially true just 26 days later (a year ago today, March 27th, 2023), when the White House announced it had found that the smartphones of at least 50 government employees had been specifically targeted by foreign governments, who installed spyware on their phones. The President took action and signed an executive order prohibiting the operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world. The order declares that “[t]he United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes (deployed against U.S. personnel, or by foreign governments to target opponents, curb dissent or suppress civil liberties, or target U.S. persons without proper legal authorization)” and says these “untrustworthy commercial vendors and tools can present significant risks to the security and integrity of U.S. Government information and information systems.”

These are serious challenges, and spyware isn’t just a problem for the US. In a story on a new “Brussels spyware bombshell,” Politico describes how surveillance software likely from state-sponsored actors was able to surreptitiously get around protections and onto EU officials’ phones. While Europe has long been considered “the Wild West of spyware,” we have previously written about the significant security challenges the EU now faces as a result of new EU technology regulations, including how its rules requiring the sideloading of software onto mobile devices could vastly exacerbate and expand threats from the unfettered use of both commercial and consumer-focused spyware tools. In response to the EU’s spyware challenge, Europol is stepping up its efforts around election interference, and has long encouraged Europeans to only download apps from official app stores (as seen in this Europol infographic).

But spyware is not just a problem in its commercial form. As the Federal Trade Commission points out, it’s also a problem when targeted at consumers, and it is widely available and malicious. For example, after a months-long investigation, news outlet TechCrunch uncovered a massive network of consumer-grade spyware apps that are harvesting data from some 400,000 unsuspecting people around the globe. As TechCrunch points out, most of these spyware apps are designed for Android because it’s easier to sideload the apps onto the device, while iPhones have tighter restrictions on the kinds of apps that can be installed and the kinds of data they can access. TechCrunch found nine nearly identical spyware apps, using distinctly different branding, under the names of Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. They can monitor a victim’s phone in real time, including their messages, contacts, location, photos and more. Behind each of these branded apps is a legitimate-looking but fictitious company website, going to great lengths to obfuscate who is actually behind the apps.

In 2021, the Federal Trade Commission took action against a company whose SpyFone app could be surreptitiously sideloaded onto an Android device, which then “surveilled physical movements, phone use, online activity through hidden hack that exposed device owners to stalkers, abusers, hackers, and other threats.” According to the FTC, “[t]he company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence.” The FTC said the apps’ lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats.

These are important reminders of why the President is right that every time we pick up a smartphone, we need the ability to trust that it will protect our privacy, safety, and security. Our own Trusted Future surveys demonstrate that consumers agree: they are concerned about their privacy and security, and when it comes to their mobile devices, they want their technologies to support strong privacy and security protections.

That is why it was surprising last week when a DOJ suit filed against a major smartphone manufacturer seemed to downplay the importance of mobile privacy and security. DOJ claimed that the company “wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct” and claimed that efforts to “safeguard consumers’ privacy and security interests” are merely “self-serving” marketing and branding ploys the company uses to thwart competition.

But good privacy, safety and security aren’t anti-competitive; they help us all. As the Ninth Circuit Court of Appeals articulated in its landmark Epic v Apple case, “improving security and privacy features” differentiates products and such features “are plainly procompetitive rationales.”

If we want to thwart spyware and better protect privacy, safety and security, all of us need to do better: policymakers, technology developers, and users. The National Security Agency has released a set of “Mobile Device Best Practices” which outlines a series of steps that users can take to help prevent and mitigate security threats. These are not a company’s “self-serving” marketing and branding ploys, but a necessary effort to help us better protect our national security.