Mobile Surveillance Monitor

Surveillance 101

Mobile Surveillance Monitor records threat event data in the Surveillance Dashboard.  Find a description of the threat type information displayed in the dashboard, with recommendations on how to detect and mitigate mobile phone surveillance.


WHAT IS A THREAT EVENT?

Surveillance requires an action and communication between your phone or the mobile network, and the actor collecting your information.  These threat events, based on indicators of known attacks, are recorded in MSM.  They provide an accurate picture of targeted surveillance and enable us to classify the type of threat and, in some cases, the actor or source APT behind the threat.

How We Measure and Monitor Threats

Source Country

Where possible, we provide the known country location of the group sponsoring a threat using research and known attribution techniques.

Target Country

Target country is determined from the phone IP address when detected, or explicitly provided by the researcher or user of the targeted phone.

Threat Type

The nature and type of user information requested and collected by the threat determines the threat type classification.

Threat Name

The malware name is typically assigned by the research organization who discovered and documented its code structure and packaging.

Threat Group/APT

Attribution is based on relationships between files, URLs, domains, IP addresses, and other artifacts encountered in an investigation.

Threat Event Date

The threat event date is based on the detection date logged and subsequent associated attack or communication attempts.

GLOSSARY

DEVICE MALWARE THREATS

SPYWARE – Spyware is designed to monitor a specific, targeted phone. It hides on a phone and records or forwards information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and browsing history.  The spying software can be installed directly on a target device by a third party, or remotely when the user clicks a phishing link. The primary motive is to monitor user activity, but in some cases it may be monetary. This is software that spies, and is broadly distributed.


TROJAN – Trojans perform actions other than those advertised in order to perform malicious actions such as fraudulently charging a device's wireless bill or stealing information from devices.


ROOT ENABLER – Root enablers give users access to privileged functionality on their devices and are commonly used in phone modification communities to enable full access and control over the device.


BACKDOOR – Backdoors leave a file or program on a device that will allow other programs to access protected areas of the device's operating system.

Research and Investigate

We have built a Threat Workbook with research and analysis tools and visualizations showing the details behind surveillance threats.  It provides the intelligence needed to investigate attacks and the actors who enable state-sponsored surveillance.


How to Stop Malware Threats

Protecting yourself from surveillance malware requires prevention and taking an active role to reduce your risk.  While protection cannot be guaranteed, there are techniques to help mitigate your exposure to these threats.


  1. Keep your device updated – Google Android and Apple iPhone regularly release updates, and many of them are security-related. While both provide notifications on the availability of updates, updates may be available before you receive the message, so it's important to check manually.  If you have an Android device, check this Android Help Page.  For iPhone devices, check Apple's iOS page.
  2. Keep your software updated – Malware is often distributed from device apps.  It is therefore recommended to keep your apps updated by configuring your device to automatically update them or to regularly check for app updates.  Web browsers and social media apps can be vulnerable.
  3. Use device security and anti-virus protection – Modern mobile security software provides multiple security features, such as detecting malware, alerting you to apps that may try to obtain your location, warning you about known malicious websites or apps, and blocking SMS phishing attempts that try to lure you into clicking links to bad websites or virus downloads.  Security software such as Device Security from Lookout shown on the right can help protect your identity and your phone from surveillance malware threats.
  4. Use caution and only click links from trusted sources – You may receive an unusual message from an old contact or even a trusted contact with an image or page link.  If it seems strange, don't click on it.  Simply text or call the contact to verify that they sent it.
  5. Watch out for social media messages from unknown persons – A common technique among bad actors is to appeal to human instincts to help others.  For example, someone may reach out in distress and ask for help to lure you into clicking a link or opening a file.  Don't fall for it.  Direct them to law enforcement or an organization who can help.
  6. Suspicious phone behavior – Spyware and other malware are designed to be hidden.  However, if your phone acts up, such as operating slowly, draining its battery quickly, overheating, or showing an unexpected app, this may be an indicator of malware.

Lookout Device Protection Malware Detection

Mobile Security & Antivirus Protection by Lookout

MOBILE NETWORK THREATS

Surveillance threats can originate from foreign mobile networks located around the world.  This is made possible through mobile network messages commonly used for international roaming.  Since the messages are used in mobile networks, they don't require malware or software on the victim's phone.


INFORMATION DISCLOSURE – In this type of attack, the bad actor is trying to gather information about the target phone in order to launch other attacks listed below.  Generally speaking, this involves resolving a victim's mobile phone number into their mobile network identity (IMSI) to discover if the phone is live on a mobile network in a particular country to conduct a surveillance operation.


LOCATION DISCOVERY – From the mobile network, a bad actor may be able to track a victim's location down to the individual mobile cell site or even obtain GPS coordinates of the device without seeking permission from the network operators from which the information is extracted.


DENIAL OF SERVICE (DOS) – Network-originated DOS is a malicious attempt to make a victim's phone access to the mobile service unavailable, temporarily or indefinitely, by disconnecting the phone from the network or disabling a service so that the victim is unable to make or receive calls, send or receive SMS, or use data.


COMMUNICATION INTERCEPTION – In a network-originated interception attack, the objective is to intercept active calls and SMS messages in real time. This can be accomplished by faking the victim's device on another network, making the victim's home network believe that the phone is roaming in another country and thereby routing all communications to the attacker.


FINANCIAL THEFT – In a financial theft attack, an attacker will conduct surveillance on a victim's phone number and network identity, then use hacking techniques to fake the victim's IMSI from the mobile network to extract funds or make illegitimate charges on the victim's phone bill.
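
An added illustration, not code from Mobile Surveillance Monitor: how a mobile operator could screen roaming messages for two of the threat types above. The event fields, message kind names, country codes and the one-hour threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME = "AA"                      # assumption: placeholder code for the operator's own country
MIN_TRAVEL = timedelta(hours=1)  # assumption: shortest plausible time to reach a foreign network

@dataclass
class Event:                     # hypothetical, simplified record of one roaming message
    time: datetime
    origin: str                  # country of the network that sent the message
    kind: str                    # "location_update" or "location_query" (stand-in names)
    subscriber: str

def screen(events):
    """Return (event, threat type) pairs, using the glossary's threat type names."""
    last_home = {}               # subscriber -> last time registered on the home network
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        foreign = ev.origin != HOME
        if ev.kind == "location_update" and not foreign:
            last_home[ev.subscriber] = ev.time
        elif ev.kind == "location_update":
            # A foreign registration minutes after a home one is not physically plausible.
            seen = last_home.get(ev.subscriber)
            if seen is not None and ev.time - seen < MIN_TRAVEL:
                alerts.append((ev, "COMMUNICATION INTERCEPTION"))
        elif ev.kind == "location_query" and foreign:
            # Assumption: only the home network should ask where its own subscribers are.
            alerts.append((ev, "LOCATION DISCOVERY"))
    return alerts

def t(hhmm):                     # helper for the constructed sample below
    return datetime.strptime("2023-01-01 " + hhmm, "%Y-%m-%d %H:%M")

SAMPLE = [                       # constructed events, not real network data
    Event(t("08:00"), "AA", "location_update", "sub-C"),
    Event(t("10:00"), "AA", "location_update", "sub-A"),
    Event(t("10:05"), "ZZ", "location_update", "sub-A"),   # implausible jump
    Event(t("10:10"), "ZZ", "location_query", "sub-B"),    # foreign location query
    Event(t("10:20"), "AA", "location_query", "sub-B"),    # home network query, allowed
    Event(t("14:00"), "ZZ", "location_update", "sub-C"),   # six hours later, plausible
]

if __name__ == "__main__":
    for ev, threat in screen(SAMPLE):
        print(ev.time, ev.subscriber, ev.origin, threat)
```

A foreign registration that fails the travel-time check can also be the first step of the denial of service case described above, so an alert of that kind needs follow-up before it is classified.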

Learn More

View our monthly threat reports to see the latest attack trends.


Copyright © 2023 Mobile Intelligence Alliance - All Rights Reserved.
