What is Spyware?
October 30, 2022
Spyware can shortly be described as a virus that records all your actions and logs your location, your IP address, and various other data. Like a real spy, this virus relies on stealthiness - if it is not spotted, it can peep almost everything about you. Spyware is extremely hard to recognize without anti-malware software since it acts deeply inside your system. Moreover, it tries to conceal the majority of its activities, so even some of the antivirus programs are not able to detect it .
Sometimes, spyware hides inside of the legit program. This app may be distributed through official channels, such as publisher's websites or the Google Web store. Of course, all spyware elements in those programs are uncovered sooner or later. In some cases, programs do not contain exact spyware but the functionality that can be used as one which spyware offers. Such functions are often added unintentionally, and the developer usually removes those functions exactly after they are reported. Nonetheless, there are still a lot of questionable utilities that reportedly have spyware elements, but their developers ensure that they do not add any malicious items.
Types of Spyware
There are different types of spyware. Each gathers certain extra information:
Sometimes called system monitors, this type of spyware records your computer activity. For example, it can track your keystrokes, the websites you visit, your search history, and email correspondence. It often takes screenshots of your activity as well. Some kinds of keyloggers can also collect information from other connected computers, such as printers.
This type of spyware gathers passwords from infected computers. These include passwords stored on web browsers and login information for your PC.
Banking Trojans are a type of spyware that records credentials from banks and other financial institutions like brokerages or digital wallets. Trojans locate security vulnerabilities in browsers and tamper with web pages and transactions without the user or institution knowing about it.
This kind of spyware scans infected computers for information such as usernames, passwords, browser history, log files, documents, and media files. The software then transmits the data to another server or stores it on your PC, where hackers can access it. An infostealer tries to steal your information. More complex malware such as banking trojans (for example TrickBot) and stalkerware usually include infostealer components.
Browser highjackers quite literally highjack your browser: they allow hackers to change your browser settings and visit (fraudulent) websites you didn't ask them to visit. Though this type of malware usually falls under adware, it can also carry spyware components. Adware is an annoyance and is more or less harmless to your PCs, but if browser highjackers have spyware, they might collect your data and sell it to third parties. Malicious actors might even use it for their gain. So if you suspect you've been infected with adware, it's better to play it safe and remove it at once.
Spyware And Stealers - What Is the Difference?
Several computer viruses are used as spying tools. They are very similar on their basic level but have a lot of significant differences when it comes to final functionality. Spyware and stealers are like brothers since their final target is single - steal the valuable information and carry it to cybercriminals who control the virus. The difference is in the kinds of information those viruses are oriented on. Spyware primarily aims at general information - your location, IP address, activity hours, installed programs, computer configurations, etc. It steals this information immediately after being launched, connecting to the server controlled by its creators. To perform the connection, spyware adjusts the networking configurations, changing the corresponding registry keys and modifying the Group Policies.
Meanwhile, stealers are targeted on a certain type of sensitive data. It may hunt only on your passwords or the networking logs; it can try to get some of the files you keep on your PC. The focus of that virus decreases the overall chances of a successful attack. Sometimes, a virus cannot find where your passwords are kept. Sometimes it cannot deal with the security mechanisms that protect the credentials. In the case of valuable documents, the stealer virus may lose because you encrypted the file, for example. Even if the stealer delivers the data, it is targeted. There is no guarantee that fraudsters will be able to read it. Don't forget to use the disk encryption feature!
With the evolution of cybersecurity technologies, many spyware programs have disappeared, while other, more sophisticated forms of spyware have emerged. Some of the best-known examples of spyware include the following:
- Agent Tesla can track and collect keystrokes, take screenshots, and obtain credentials used in various system applications (eg Google Chrome, Mozilla Firefox, Microsoft Outlook, IceDragon, FILEZILLA, etc.).
- AzorUlt - Can steal banking information, including passwords and credit card details, as well as cryptocurrency. AzorUlt trojan is typically spread in ransomware campaigns.
- TrickBot - Focuses on stealing banking information. TrickBot typically spreads through malicious spam campaigns. Also, it can spread using the EternalBlue exploit (MS17-010).
- Gator - Usually bundled with file-sharing software like Kazaa, this program monitor the victim’s web surfing habits and use the information to serve them with better-targeted ads.
- Pegasus is spyware developed by the Israeli cyber-arms company NSO Group. Pegasus can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. Pegasus is reportedly able to exploit all iOS versions up to 14.6 through a zero-click iMessage exploit. As of 2022, Pegasus could read text messages, track calls, collect passwords, location tracking, access the target device's microphone and camera, and harvest information from apps. The spyware is named after Pegasus, the winged horse of Greek mythology.
- Vidar - Trojan that offers threat actors the option to set their preferences for the stolen information. Besides credit card numbers and passwords, Vidar can also scrape digital wallets. This spyware can be spread using various campaigns via exploits.
- DarkHotel - Targeted business and government leaders using hotel WIFI, using several types of malware to gain access to the systems belonging to specific, powerful people. Once that access was gained, the attackers installed keyloggers to capture their target's passwords and other sensitive information.
- Zlob - Also known as Zlob Trojan, this program uses vulnerabilities in the ActiveX codec to download itself to a computer and record search and browsing histories, as well as keystrokes.
- FlexiSpy does not even hide its real nature. That spyware is popular among individual users who wish to spy on someone.
- Cocospy - real-time tracking for iPhone or Android. It gathers the call logs, phone book, location data, and planned events in the Calendar app, and SMS from iMessage messenger. That tracking is done from the iCloud updates - in case one is enabled on the victim’s device.
- Mobistealth offer to eavesdrop on the calls, and text messages, get the location of the infected device, and remotely check the most popular social networks and messengers. Mobistealth practices the remote installation of spyware.
Cell phones became a part of our everyday lives long ago, but they became part of us only with the rise of smartphones. A small chunk of aluminum and glass contains so much about ourselves - numbers, photos, messages, dates, and even physiological measurements. It touches all aspects of our daily routine - from waking up time to workflow and an evening coffee with Mary. That’s why rascals who wish to pluck our data pay so much attention to mobile devices.
In the last few years, iOS has become much more harsh about user’s privacy. Contrary to Android, it offers much wider settings of access to private information and can show you which apps accessed those places last time. Moreover, Apple sharply restricted the number of information apps can collect about iPhone users. Facebook lost billions of dollars because of this feature, and crooks lost the ability to gather all personal data with zero risk.
Actually, spyware exists for both iPhones and Android smartphones. Rare platforms like Blackberry OS or Windows Phone were out of malware coverage since spending money for such a thin public is just unprofitable. Most spyware samples were represented as “regular” applications - at least, they looked so. You will likely install it after the advice of your friend or someone on the Internet. The biggest part of a deal is allowing it to reach any part of the system: people usually click through this part of the installation without any comprehension. But why may the calculator need to access your gallery and contacts? And where can the fitness tracker use your phone book? Those questions are rhetorical and must be asked yourself each time you see such a paradoxical demand.
Spyware for Android
Process manager that takes control of camera and mics. This thing reportedly appeared at the end of March and was described in early April 2022. It is likely related to the Russo-Ukrainian war since the IP address of its C&C server belongs to Russia. Possibly, it is the most classic example of mobile spyware - the app which tries to access too much sensitive information. In particular, this one asked for the following categories:
- Call logs
- Contact list
- GPS info
- Wi-Fi connection status
- Sending SMS
- Reading SMS on the SIM card
- Audio notifications
- Full access to the camera
Spyware for iPhone
Spyware for iOS rarely obtains the form of a rogue application. AppStore is heavily moderated. Thus adding a program with questionable or even malicious functionality is problematic. Additionally, the restrictions mentioned above for personal info collection make any attempts for “moderate” spying ineffective. The only public that remains available for such programs are people who use jailbreak - a hacked version of iOS that allows the installation of apps from third parties. Several installation ways are still available even without it, but you need to interact with the device for some time or know the credentials from the used iCloud email.
Cocospy - Spying, Tracking & Monitoring Software for Mobile
Cocospy promises real-time tracking of the chosen device. It gathers the call logs, phone book, location data, and planned events in the Calendar app and SMS from iMessage messenger. That tracking is done from the iCloud updates - in case ones are enabled on the victim’s device.
Mobistealth - Remotely Monitor For Android Mobile
Mobistealth App: Another example of a program that is not ashamed of being a spy tool. They offer to eavesdrop on the calls, and text messages, get the location of the infected device, and remotely check the most popular social networks and messengers. Contrary to Cocospy, it practices the remote installation of spyware. However, it still requires the iCloud login credentials.
FlexiSpy - Monitoring Spy Tool For Android And iPhone
FlexiSpy does not even hide its real nature. That spyware is popular among individual users who wish to spy on someone. It is distributed through third-party sites, and you must bring it to the victim’s device. FlexiSpy allows the controller to use the microphone, use the camera, log the keystrokes and monitor the conversations. That is full-fledged spyware, but you must take care of its spreading yourself.
Pegasus Spyware - Android & iPhone
Any talk about spyware will not be complete without mentioning the one which is considered the best one and the most dangerous one. Pegasus spyware, a brainchild of NSO group (a subsidiary of the Israeli government) serves as the tool to spy over persons who are considered dangerous for the Jewish state. Pegasus became a Mossad tool in the hunt for war criminals. However, the source codes of this spyware were leaked multiple times - and no one can say who did that. No one can also prove that this was legitimate Pegasus spyware code.
Pegasus is a cross-platform malware that may be launched on Android, iOS, Blackberry OS, Windows Phone, and even Linux-based mobile operating systems. The injection is much closer to the “classic” malware - it uses exploits and spear phishing. After 2020, most of the Pegasus spreading cases were related to the use of zero-click exploits. Such sophisticated tactics usually require diligent preparation for the attack, generally using OSINT.
That “government-grade spyware” was used by various countries to satisfy their needs. Generally, those needs are foreign intelligence, including the military, or even internal surveillance. The latter is generally related to dictatorships or countries with the heavy censorship in the media. In total, Pegasus was used by 27 countries from around the globe.
Where Does Spyware Come From?
There are many different ways that spyware can infect your PC. Here are some of the most common ways:
Some internet software downloads, particularly file-sharing applications, can also install spyware on your devices. This is most common with free versions of software you normally have to buy.
Links or attachments
Like most other malware, spyware can be sent in a link or an email attachment. Never click on an unfamiliar link or attachment, and don't open emails from an unknown sender. Doing so could result in spyware being downloaded and installed on your computer. Clicking on malicious links can also infect your PC with a worm. These worms are used to spread malicious software using the network your device is attached to.
In some cases, spyware is disguised as a free program. If you remove the fake free program, the spyware will remain on your computer. You'll need a strong antivirus program to detect and delete it.
A website or pop-up window automatically downloads spyware onto your device in a drive-by download. You might get a warning giving you the name of the software and requesting permission to install it, but in many cases, there is no warning.
What is the Need in Spyware?
Personal information is always a valuable thing. The price for a certain type of information may rise significantly if you are a celebrity or have access to variable valuable things. Even if you have a lot of money, fraudsters may steal your data to force you to pay the ransom to keep this information private. Sometimes, cyber burglars may take a jackpot, getting some secret information about their victims. In such cases, ransom amounts may reach tens of thousands of dollars.
However, more often is a data sell-off in the Darknet. Some confidential data, activity hours, and the list of installed programs may be pretty useful for someone. Possibly, real-life criminals may purchase that information to plan the robbery or understand if a certain person has something valuable to steal. In some cases, hackers may use spyware to spy on someone, such as a girlfriend. Hence, the virus does not carry any significant harm in these cases, but it is still unethical.
Latest Spyware Activity:
Can I See That Spyware is Currently Active on My PC?
As you can read above, spyware tries to be as silent as possible. Its efficiency is strictly correlated with its stealthiness, so if you see the spyware activity - it is a bad example of that virus. Nonetheless, that does not mean that these malware examples are harmless. The spyware activity is also hard to detect because it changes the same elements as other viruses. Hence, it is hard to understand if the sudden change of networking parameters occurred because of spyware activity or if a trojan downloader exists on your PC. There is nothing pleasant in any viruses, but the removal ways for spyware and downloader are different.
Spyware warning signs can be:
- Strange notifications
- An excessive number of pop-ups
- Browser's home page changing
- Browser spontaneously redirecting
- Computer being extremely slow to boot up or open programs
That sort of virus changes multiple parts of the system. Primarily, the most changed parts are security settings and networking parameters. For users who use Microsoft Defender, a great reason to alarm is spectating the disabled Defender. Spyware almost always uses the security breach, which allows the viruses to stop the antivirus from Microsoft without the UAC approval. Users who use the limited data plans may also see that traffic consumption rose significantly. However, Windows may consume a lot of data without any viruses while downloading the updates, for example, or uploading the telemetrics to the Microsoft servers.
The best way to determine if there is a virus is to scan your computer using anti-malware software. Such example, Gridinsoft Anti-Malware is also able to detect spyware by its behavior, even if the virus avoided detection by a regular antivirus engine. The heuristic engine is a hard-to-manage and expensive system, which allows for increasing the protection rates significantly.
Despite spyware trying to be stealthy, it takes many actions to make itself more persistent in your system. Therefore, spyware removal is not an easy process. However, removing spyware from its folder will stop it for a while, and will likely be back shortly after. The changes above in your system usually aim at making the spyware a phoenix - once you delete it, wait a bit - and it will be back again. That's why removing malware of that sort always requires the use of specific programs - anti-spyware software, in particular.
Frequently Asked Questions
Spyware is malicious software that logs and records sensitive data like passwords, login info, bank account information, credit card and debit card numbers. There are several types of spyware:
- Password stealers;
- Banking Trojans;
- Browser highjackers.
Read our full article for more information.