What is Spyware?
February 13, 2024
Spyware can be briefly described as a virus that records all your actions and logs your location, your IP address, and various other data. Like a real spy, this virus relies on stealth: if it is not spotted, it can peep at almost everything about you. Spyware is extremely hard to recognize without anti-malware software, since it acts deep inside your system. Moreover, it tries to conceal most of its activities, so even some antivirus programs are not able to detect it.
Sometimes, spyware hides inside a legitimate program. Such an app may be distributed through official channels, such as the publisher's website or the Google Web store. Of course, all spyware elements in those programs are uncovered sooner or later. In some cases, programs do not contain spyware as such, but functionality that can be used the way spyware uses it. Such functions are often added unintentionally, and the developer usually removes them right after they are reported. Nonetheless, there are still a lot of questionable utilities that reportedly have spyware elements, while their developers assure that they do not add any malicious items.
Types of Spyware
There are different types of spyware, and each gathers certain extra information:
Sometimes called system monitors, keyloggers record your computer activity. For example, they can track your keystrokes, the websites you visit, your search history, and email correspondence. They often take screenshots of your activity as well. Some kinds of keyloggers can also collect information from other connected devices, such as printers.
Password stealers gather passwords from infected computers. These include passwords stored in web browsers and login information for your PC.
Banking Trojans are a type of spyware that records credentials from banks and other financial institutions like brokerages or digital wallets. Trojans locate security vulnerabilities in browsers and tamper with web pages and transactions without the user or institution knowing about it.
Infostealers scan infected computers for information such as usernames, passwords, browser history, log files, documents, and media files. The software then transmits the data to another server or stores it on your PC, where hackers can access it. More complex malware such as banking trojans (for example, TrickBot) and stalkerware usually includes infostealer components.
Browser hijackers quite literally hijack your browser: they allow hackers to change your browser settings and send you to (fraudulent) websites you didn't ask to visit. Though this type of malware usually falls under adware, it can also carry spyware components. Adware is an annoyance and is more or less harmless to your PC, but if a browser hijacker carries spyware, it might collect your data and sell it to third parties. Malicious actors might even use it for their own gain. So if you suspect you've been infected with adware, it's better to play it safe and remove it at once.
Spyware And Stealers - What Is the Difference?
Several kinds of computer viruses are used as spying tools. They are very similar at the basic level but have significant differences in their final functionality. Spyware and stealers are like brothers, since they share a single final goal: steal valuable information and carry it to the cybercriminals who control the virus. The difference lies in the kinds of information those viruses are oriented on. Spyware primarily aims at general information: your location, IP address, activity hours, installed programs, computer configuration, etc. It steals this information immediately after being launched, connecting to a server controlled by its creators. To perform the connection, spyware adjusts the networking configuration, changing the corresponding registry keys and modifying Group Policies.
Meanwhile, stealers target a certain type of sensitive data. One may hunt only for your passwords or networking logs; another may try to get some of the files you keep on your PC. That narrow focus lowers the overall chances of a successful attack. Sometimes the virus cannot find where your passwords are kept. Sometimes it cannot deal with the security mechanisms that protect the credentials. In the case of valuable documents, the stealer may lose because you encrypted the file, for example. Even if the stealer delivers the data, there is no guarantee that the fraudsters will be able to read it. Don't forget to use the disk encryption feature!
With the evolution of cybersecurity technologies, many such programs have disappeared, while other, more sophisticated forms of spyware have emerged. Some of the best-known examples of this malware include the following:
- Agent Tesla can track and collect keystrokes, take screenshots, and obtain credentials used in various system applications (e.g. Google Chrome, Mozilla Firefox, Microsoft Outlook, IceDragon, FileZilla, etc.).
- AzorUlt can steal banking information, including passwords and credit card details, as well as cryptocurrency. The AzorUlt trojan is typically spread in ransomware campaigns.
- TrickBot focuses on stealing banking information. TrickBot typically spreads through malicious spam campaigns. It can also spread using the EternalBlue exploit (MS17-010).
- Gator is usually bundled with file-sharing software like Kazaa; this program monitors the victim's web surfing habits and uses the information to serve them better-targeted ads.
- Pegasus is a cyber tool developed by the Israeli cyber-arms company NSO Group. Pegasus can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. Pegasus is reportedly able to exploit all iOS versions up to 14.6 through a zero-click iMessage exploit. As of 2022, Pegasus could read text messages, track calls, collect passwords, track location, access the target device's microphone and camera, and harvest information from apps.
- Vidar is a trojan that lets threat actors set their preferences for the stolen information. Besides credit card numbers and passwords, Vidar can also scrape digital wallets. This malware can be spread using various campaigns via exploits.
- DarkHotel targeted business and government leaders using hotel Wi-Fi, using several types of malware to gain access to the systems belonging to specific, powerful people. Once that access was gained, the attackers installed keyloggers to capture their targets' passwords and other sensitive information.
- Zlob, also known as the Zlob Trojan, uses vulnerabilities in the ActiveX codec to download itself to a computer and record search and browsing histories, as well as keystrokes.
- FlexiSpy does not even hide its real nature. That spyware is popular among individual users who wish to spy on someone.
- Cocospy offers real-time tracking for iPhone or Android. It gathers the call logs, phone book, location data, planned events in the Calendar app, and SMS from the iMessage messenger. That tracking is done from the iCloud updates, if they are enabled on the victim's device.
- Mobistealth offers to eavesdrop on calls and text messages, get the location of the infected device, and remotely check the most popular social networks and messengers. Mobistealth practices the remote installation of malware.
Cell phones became a part of our everyday lives long ago, but they became part of us only with the rise of smartphones. A small chunk of aluminum and glass contains so much about us: numbers, photos, messages, dates, and even physiological measurements. It touches all aspects of our daily routine, from the time we wake up to the workflow and an evening coffee with Mary. That's why rascals who wish to pluck our data pay so much attention to mobile devices.
In the last few years, iOS has become much stricter about user privacy. Unlike Android, it offers much more granular settings for access to private information and can show you which apps accessed those places last. Moreover, Apple sharply restricted the amount of information apps can collect about iPhone users. Facebook lost billions of dollars because of this feature, and crooks lost the ability to gather all personal data at zero risk.
Actually, spyware exists for both iPhones and Android smartphones. Rare platforms like BlackBerry OS or Windows Phone were outside malware coverage, since spending money on such a thin audience is simply unprofitable. Most spyware samples were presented as "regular" applications; at least, they looked so. You will likely install one on the advice of a friend or someone on the Internet. The biggest part of the deal is allowing it to reach any part of the system: people usually click through this part of the installation without any comprehension. But why would a calculator need access to your gallery and contacts? And where would a fitness tracker use your phone book? Those questions are rhetorical, and you must ask them yourself each time you see such a paradoxical demand.
Let’s review the latest spyware examples for both operating systems - two for each.
Spyware for Android
A process manager that takes control of the camera and microphones. This thing reportedly appeared at the end of March and was described in early April 2022. It is likely related to the Russo-Ukrainian war, since the IP address of its C&C server belongs to Russia. Possibly, it is the most classic example of mobile spyware: an app that tries to access too much sensitive information. In particular, this one asked for the following categories:
- Call logs
- Contact list
- GPS info
- Wi-Fi connection status
- Sending SMS
- Reading SMS on the SIM card
- Audio notifications
- Full access to the camera
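The permission list above is exactly what a defender can check mechanically. The script below is an added example, not code from the article or from any vendor: it parses an AndroidManifest.xml, maps the article's eight categories to the real Android permission names that grant them (that mapping, the constructed sample manifests and the "five or more categories" threshold are this example's assumptions), and reports how many categories one app requests.

```python
"""Triage an Android manifest for the permission set the article lists."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The article's eight categories mapped to the Android permissions that grant
# them. The mapping is this example's assumption; the permission names are real.
CATEGORIES = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contact list": {"android.permission.READ_CONTACTS"},
    "GPS info": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "Wi-Fi status": {"android.permission.ACCESS_WIFI_STATE"},
    "sending SMS": {"android.permission.SEND_SMS"},
    "reading SMS": {"android.permission.READ_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}
SUSPICIOUS_AT = 5  # assumed threshold: five or more categories in one app


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml):
    """Report which of the article's categories the manifest requests."""
    perms = requested_permissions(manifest_xml)
    matched = [cat for cat, names in CATEGORIES.items() if perms & names]
    return {"matched": matched, "count": len(matched),
            "suspicious": len(matched) >= SUSPICIOUS_AT}


def _manifest(*perms):
    """Build a constructed sample manifest requesting the given permissions."""
    lines = [f'  <uses-permission android:name="{p}"/>' for p in perms]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
            '    package="com.example.sample">\n' + "\n".join(lines) + "\n</manifest>")


# Constructed samples: the "process manager" from the text and a plain calculator.
PROCESS_MANAGER = _manifest(
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_WIFI_STATE",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA")
CALCULATOR = _manifest("android.permission.INTERNET")

if __name__ == "__main__":
    for name, xml in (("process manager", PROCESS_MANAGER), ("calculator", CALCULATOR)):
        print(name, triage(xml))
```

On a real device the same check applies to the manifest pulled from an installed APK; the point is that a "process manager" requesting all eight categories stands out immediately, while the calculator matches none.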
Spyware for iPhone
Spyware for iOS rarely takes the form of a rogue application. The App Store is heavily moderated, so adding a program with questionable or even malicious functionality is problematic. Additionally, the restrictions on personal info collection mentioned above make any attempt at "moderate" spying ineffective. The only audience that remains available for such programs is people who use a jailbreak: a hacked version of iOS that allows installing apps from third parties. Several installation ways are still available even without it, but you need to interact with the device for some time or know the credentials of the iCloud email in use.
Cocospy - Spying, Tracking & Monitoring Software for Mobile
Cocospy promises real-time tracking of the chosen device. It gathers the call logs, phone book, location data, planned events in the Calendar app, and SMS from the iMessage messenger. That tracking is done from the iCloud updates, if they are enabled on the victim's device.
Mobistealth - Remotely Monitor For Android Mobile
Mobistealth is another example of a program that is not ashamed of being a spy tool. It offers to eavesdrop on calls and text messages, get the location of the infected device, and remotely check the most popular social networks and messengers. Contrary to Cocospy, it practices the remote installation of spyware. However, it still requires the iCloud login credentials.
FlexiSpy - Monitoring Spy Tool For Android And iPhone
FlexiSpy does not even hide its real nature. It is popular among individual users who wish to spy on someone. It is distributed through third-party sites, and you must bring it to the victim's device yourself. FlexiSpy allows the controller to use the microphone and camera, log keystrokes and monitor conversations. That is full-fledged spyware, but you must take care of spreading it yourself.
Pegasus Tool for Android & iPhone
Any talk about spyware would not be complete without mentioning the one considered the best and the most dangerous. Pegasus spyware, a brainchild of the NSO Group (a subsidiary of the Israeli government), serves as a tool to spy on persons who are considered dangerous for the Jewish state. Pegasus became a Mossad tool in the hunt for war criminals. However, the source code of this app was leaked multiple times, and no one can say who did that. No one can prove that this was legitimate Pegasus code, either.
Pegasus is cross-platform malware that can be launched on Android, iOS, BlackBerry OS, Windows Phone, and even Linux-based mobile operating systems. Its injection is much closer to "classic" malware: it uses exploits and spear phishing. After 2020, most Pegasus spreading cases were related to the use of zero-click exploits. Such sophisticated tactics usually require diligent preparation for the attack, generally using OSINT.
That "government-grade spyware" was used by various countries to satisfy their needs. Generally, those needs are foreign intelligence, including military intelligence, or even internal surveillance. The latter is generally related to dictatorships or countries with heavy media censorship. In total, Pegasus was used by 27 countries around the globe.
Where Does Spyware Come From?
There are many different ways that spyware can infect your PC. Here are some of the most common ways:
Some Internet software downloads, particularly file-sharing applications, can also install spyware on your devices. This is most common with free versions of software you would normally have to buy.
Links or attachments
Like most other malware, spyware can be sent in a link or an email attachment. Never click on an unfamiliar link or attachment, and don't open emails from an unknown sender; doing so could result in spyware being downloaded and installed on your computer. Clicking on malicious links can also infect your PC with a worm. Worms are used to spread malicious software across the network your device is attached to.
In some cases, spyware is disguised as a free program. If you remove the fake free program, the spyware will remain on your computer, and you'll need an anti-malware tool to detect and delete it.
In a drive-by download, a website or pop-up window automatically downloads malware onto your device. You might get a warning giving you the name of the software and requesting permission to install it, but in many cases there is no warning.
What is the Need for Spyware?
Personal information is always valuable. The price for a certain type of information may rise significantly if you are a celebrity or have access to various valuable things. Even if you have a lot of money, fraudsters may steal your data to force you to pay a ransom to keep this information private. Sometimes, cyber burglars may hit the jackpot, getting some secret information about their victims. In such cases, ransom amounts may reach tens of thousands of dollars.
However, more often it is a data sell-off on the Darknet. Some confidential data, activity hours, and the list of installed programs may be pretty useful to someone. Possibly, real-life criminals may purchase that information to plan a robbery or to understand whether a certain person has something valuable to steal. In some cases, hackers may use it to spy on someone, such as a girlfriend. Hence, the virus does not carry any significant harm in these cases, but it is still unethical.
Spyware Detection. The Best Spyware Detector in 2024
As mentioned earlier, spyware aims to operate discreetly, with its effectiveness closely tied to its ability to remain undetected. If you observe such activities, it indicates a poorly designed virus. However, this doesn't imply that these malware instances are harmless. Detecting malicious activity is challenging because spyware alters the same elements as other viruses. Consequently, distinguishing whether a sudden change in networking parameters is due to spy activity or the presence of a trojan downloader on your PC is a complex task. While no virus is pleasant, it's important to note that the methods for removing spyware and downloaders differ.
Warning signs of spyware include:
- Unusual notifications
- An excessive number of pop-ups
- Changes to the browser's home page
- Spontaneous browser redirects
- Significant slowness during computer startup or while opening programs
That sort of virus changes multiple parts of the system. Primarily, the most changed parts are security settings and networking parameters. For users of Microsoft Defender, a strong reason for alarm is seeing Defender disabled. Spyware almost always uses a security breach that allows viruses to stop the Microsoft antivirus without UAC approval. Users on limited data plans may also notice a significant rise in traffic consumption. However, Windows may consume a lot of data without any viruses, for example when downloading updates or uploading telemetry to Microsoft servers.
The most effective method for identifying a virus is to conduct a thorough scan of your computer using anti-malware software. For instance, Gridinsoft Anti-Malware excels at spyware detection, performing on par with the best spyware detectors, thanks to its behavioral analysis capabilities. This means it can uncover spyware even if the virus managed to evade detection by a standard antivirus engine. The heuristic engine, though challenging to manage and somewhat costly, plays a crucial role in significantly enhancing protection rates.
Despite trying to be stealthy, spyware takes many actions to make itself more persistent in your system. Therefore, spyware removal is not an easy process. Removing spyware from its folder will stop it for a while, but it will likely be back shortly after. The changes to your system described above usually aim at making the spyware a phoenix: once you delete it, wait a bit, and it will be back again. That's why removing malware of that sort always requires the use of specific programs, anti-spyware software in particular.
Frequently Asked Questions
Spyware is malicious software that logs and records sensitive data like passwords, login info, bank account information, credit card and debit card numbers. There are several types of spyware:
- Password stealers;
- Banking Trojans;
- Browser hijackers.
Read our full article for more information.