skip to main content

Explore Research Products in the NSF-PAR

Title: No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps

Consumer mobile spyware apps covertly monitor a user's activities (i.e., text messages, phone calls, e-mail, location, etc.) and transmit that information over the Internet to support remote surveillance. Unlike conceptually similar apps used for state espionage, so-called stalkerware apps are mass-marketed to consumers on a retail basis and expose a far broader range of victims to invasive monitoring. Today the market for such apps is large enough to support dozens of competitors, with individual vendors reportedly monitoring hundreds of thousands of phones. However, while the research community is well aware of the existence of such apps, our understanding of the mechanisms they use to operate remains ad hoc. In this work, we perform an in-depth technical analysis of 14 distinct leading mobile spyware apps targeting Android phones. We document the range of mechanisms used to monitor user activity of various kinds (e.g., photos, text messages, live microphone access) — primarily through the creative abuse of Android APIs. We also discover previously undocumented methods these apps use to hide from detection and to achieve persistence. Additionally, we document the measures taken by each app to protect the privacy of the sensitive data they collect, identifying a range of failings on the part of spyware vendors (including privacy-sensitive data sent in the clear or stored in the cloud with little or no protection).

  more » « less
Award ID(s):
1916126
NSF-PAR ID:
10470414
Author(s) / Creator(s):
; ; ; ; ; ;
Publisher / Repository:
Proceedings on Privacy Enhancing Technologies
Date Published:
Journal Name:
Proceedings on Privacy Enhancing Technologies
Volume:
2023
Issue:
1
ISSN:
2299-0984
Page Range / eLocation ID:
207 to 224
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ( , Journal of Cybersecurity)
    null (Ed.)
    Abstract Smartphone location sharing is a particularly sensitive type of information disclosure that has implications for users’ digital privacy and security as well as their physical safety. To understand and predict location disclosure behavior, we developed an Android app that scraped metadata from users’ phones, asked them to grant the location-sharing permission to the app, and administered a survey. We compared the effectiveness of using self-report measures commonly used in the social sciences, behavioral data collected from users’ mobile phones, and a new type of measure that we developed, representing a hybrid of self-report and behavioral data to contextualize users’ attitudes toward their past location-sharing behaviors. This new type of measure is based on a reflective learning paradigm where individuals reflect on past behavior to inform future behavior. Based on data from 380 Android smartphone users, we found that the best predictors of whether participants granted the location-sharing permission to our app were: behavioral intention to share information with apps, the “FYI” communication style, and one of our new hybrid measures asking users whether they were comfortable sharing location with apps currently installed on their smartphones. Our novel, hybrid construct of self-reflection on past behavior significantly improves predictive power and shows the importance of combining social science and computational science approaches for improving the prediction of users’ privacy behaviors. Further, when assessing the construct validity of the Behavioral Intention construct drawn from previous location-sharing research, our data showed a clear distinction between two different types of Behavioral Intention: self-reported intention to use mobile apps versus the intention to share information with these apps. This finding suggests that users desire the ability to use mobile apps without being required to share sensitive information, such as their location. These results have important implications for cybersecurity research and system design to meet users’ location-sharing privacy needs. 
    more » « less
  2. ; ; ; ; ; ; ; ( , The Workshop on Technology and Consumer Protection (ConPro ’19))
    It is commonly assumed that the availability of “free” mobile apps comes at the cost of consumer privacy, and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by investigating the degree to which “free” apps and their paid premium versions differ in their bundled code, their declared permissions, and their data collection behaviors and privacy practices. We compare pairs of free and paid apps using a combination of static and dynamic analysis. We also examine the differences in the privacy policies within pairs. We rely on static analysis to determine the requested permissions and third-party SDKs in each app; we use dynamic analysis to detect sensitive data collected by remote services at the network traffic level; and we compare text versions of privacy policies to identify differences in the disclosure of data collection behaviors. In total, we analyzed 1,505 pairs of free Android apps and their paid counterparts, with free apps randomly drawn from the Google Play Store’s category-level top charts. Our results show that over our corpus of free and paid pairs, there is no clear evidence that paying for an app will guarantee protection from extensive data collection. Specifically, 48% of the paid versions reused all of the same third-party libraries as their free versions, while 56% of the paid versions inherited all of the free versions’ Android permissions to access sensitive device resources (when considering free apps that include at least one third-party library and request at least one Android permission). Additionally, our dynamic analysis reveals that 38% of the paid apps exhibit all of the same data collection and transmission behaviors as their free counterparts. Our exploration of privacy policies reveals that only 45% of the pairs provide a privacy policy of some sort, and less than 1% of the pairs overall have policies that differ between free and paid versions. 
    more » « less
  3. ( , Proceedings of 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2023))
    Witnessing the blooming adoption of push notifications on mobile devices, this new message delivery paradigm has become pervasive in diverse applications. Accompanying with its broad adoption, the potential security risks and privacy exposure issues raise public concerns regarding its great social impacts. This paper conducts the first attempt to exploit the mobile notification ecosystem. By dissecting its structural elements and implementation process, a comprehensive vulnerability analysis is conducted towards the complete flow of mobile notification from platform enrollment to messaging. Meanwhile, for privacy exposure, we first examine the implementation of privacy policy compliance by proposing a three-level inspection approach to guide our analysis. Then, our top-down methods from documentation analysis, application network traffic study, to static analysis expose the illicit data collection behaviors in released applications. In addition, we uncover the potential privacy inference resulted from the notification monitoring. To support our analysis, we conduct empirical studies on 12 most popular notification platforms and perform static analysis over 30,000+ applications. We discover: 1) six platforms either provide ambiguous KEY naming rules or offer vulnerable messaging APIs; 2) privacy policy compliance implementations are either stagnated at the documentation stages (8 of 12 platforms) or never implemented in apps, resulting in billions of users suffering from privacy exposure; and 3) some apps can stealthily monitor notification messages delivering to other apps, potentially incurring user privacy inference risks. Our study raises the urgent demand for better regulations of mobile notification deployment. 
    more » « less
  4. ; ; ; ; ; ( , The 16th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys 2018))
    Mobile devices today provide a hardware-protected mode called Trusted Execution Environment (TEE) to help protect users from a compromised OS and hypervisor. Today TEE can only be leveraged either by vendor apps or by developers who work with the vendor. Since vendors consider third-party app code untrusted inside the TEE, to allow an app to leverage TEE, app developers have to write the app code in a tailored way to work with the vendor’s SDK. We proposed a novel design to integrate TEE with mobile OS to allow any app to leverage the TEE. Our design incorporates TEE support at the OS level, allowing apps to leverage the TEE without adding app-specific code into the TEE, and while using existing interface to interact with the mobile OS. We implemented our design, called TruZ-Droid, by integrating TrustZone TEE with the Android OS. TruZ-Droid allows apps to leverage the TEE to protect the following: (i) user’s secret input and confirmation, and (ii) sending of user’s secrets to the authorized server. We built a prototype using the TrustZone-enabled HiKey board to evaluate our design. We demonstrated TruZ-Droid’s effectiveness by adding new security features to existing apps to protect user’s sensitive information and attest user’s confirmation. TruZ-Droid’s real-world use case evaluation shows that apps can leverage TrustZone while using existing OS APIs. Our usability study proves that users can correctly interact with TruZ-Droid to protect their security sensitive activities and data. 
    more » « less
  5. ( , The 2019 NDSS Workshop on Usable Security and Privacy)
    Location sharing is a particularly sensitive type of online information disclosure. To explain this behavior, we compared the effectiveness of using self-report measures drawn from the literature, behavioral data collected from mobile phones, and a new type of measure that represents a hybrid of self-report and behavioral data to contextualize users’ attitudes toward their past location sharing behaviors. This new measure was based on a reflective learning paradigm, where one reflects on past behavior to inform future behavior. Based on a study of Android smartphone users (N=114), we found that the construct ‘FYI About Myself’ and our new reflective measure of one’s comfort with sharing location with apps on the smartphone were the best predictors of location sharing behavior. Surprisingly, Behavioral Intention, a commonly used proxy for actual behavior, was not a significant predictor. These results have important implications for privacy research and designing systems to meet users’ location sharing privacy needs. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email