The Fulcrum Platform delivers trusted, special-purpose services through a secure system architecture
Spyware (spying software) is a type of smartphone malware that is secretly installed on a targeted device to silently observe and gather information on an individual and/or their organization. Spyware capabilities vary but generally allow the operator to activate the device’s cameras and microphones, track the phone’s location, access information stored on the device and read text and email communications.
Advanced mobile spyware is most often developed by well-funded entities like commercial surveillance vendors and nation-state actors. Spyware makers look for vulnerabilities in code, focusing largely on apps for messaging and web browsing. Typically, a number of exploits are chained together, each providing a hook into the system that can be leveraged for greater access. The ultimate goal is to achieve full control over the targeted phone.
To remotely install spyware on the target’s smartphone, a threat actor may use social engineering (e.g., sending a text message containing a link that exploits the given browser’s vulnerabilities) or a zero-click attack, which doesn’t require any interaction from the target. If in geographic proximity to their target, an attacker can also employ an IMSI catcher (fake cell tower) capable of delivering spyware to the phone.
Once installed, the spyware can harvest any data from the device and transmit it back to the attacker. In the case of the infamous Pegasus spyware, access is granted to SMS messages, emails, browsing history, WhatsApp chats, photos and videos, GPS data, calendars and contacts, and operators can also activate the phone’s microphones and cameras and record calls.
The risks of spyware vary based on the individual being tracked and the organization doing the spying. Some key risks are highlighted below.
Software-based security is generally overmatched in the battle against advanced spyware. As such, we recommend that users act as if their smartphone has already been compromised. This means limiting the data ultimately available to spies. We recommend using SafeCase – our smartphone-coupled security device – to deny audio and video capture. And in instances where location privacy is warranted, we recommend using Vault, our two-in-one RF shielding and audio masking device.