Mobile Surveillance Monitor

SURVEILLANCE 101

Mobile Surveillance Monitor publishes threat data in the Surveillance Dashboard, with classifications called threat types. Analyzing threat types is useful because they signal the intention and tactics of a threat actor. Here we discuss the threat types in MSM and how to mitigate mobile surveillance.


WHAT IS A THREAT EVENT?

Mobile surveillance threats require communication between your phone and a network. Threat actors use the network to target and distribute malware, exfiltrate data from your phone, or send cellular signaling requests to intercept communications or track your location. Threat events recorded by MSM are based on indicators of known attack methods.  They enable us to classify the type of threat and identify the actor or source APT of the threat.  MSM has attributed threats to nearly 500 unique actors and source networks in different countries.  This attribution enables investigators to seek, analyze, and uncover the sources of threats targeting at-risk groups around the world.

How We Monitor And Measure Threats

Source Country

Where possible, we provide the known country of the group distributing a threat, established through research, partners, and known attribution techniques.

Target Country

Target country is determined from the phone's IP address at the time of the attack, or is provided by the researcher or by the victim whose phone was targeted.

Threat Type

Threat type is known through attributes of the malware code, type of information collected, techniques, and attack operation.

Malware Name

The malware name is typically assigned by the research organization that discovered and documented its code structure and packaging.

Source Threat Group/APT

Threat attribution is based on correlations in the code, URLs, domains, IP addresses, and other artifacts encountered in an investigation.

Threat Event Date

Threat event date is based on when the attack was logged by the phone or network detection software, or when it was submitted by a researcher.

SURVEILLANCE GLOSSARY

DEVICE MALWARE THREATS

MOBILE MALWARE - Mobile malware is malicious software designed to target mobile devices with the goal of gaining access to private data. The growing threat of mobile malware to steal information goes beyond surveillance to crypto and financial theft, and accessing corporate networks from personal devices.  Mobile malware can attempt to replicate itself from device to device and cause unpredictable behavior.


SPYWARE – Spyware is malware that hides on a phone and records or forwards information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and browsing history. The spying software can be installed directly on a target device by a 3rd party or may be remotely installed when the user clicks on a phishing link. The primary motive is to monitor user activity, but in some cases it may be monetary. This is software that spies, and it is broadly distributed.


SURVEILLANCEWARE - Surveillance applications are a subset of commercial Spyware designed to monitor a specific, targeted user's phone. They hide on devices and record or forward information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and web browsing history.  Advanced surveillance applications can take device screenshots, record conversations, perform geofencing to alert the actor when you enter or leave a specific geographic location, and monitor communication apps such as WhatsApp, Telegram, or Signal.


NOTE - MSM INCLUDES SURVEILLANCEWARE IN THE SPYWARE THREAT TYPE CATEGORY


TROJAN (Remote Access Trojan/RAT) – Trojans perform actions other than those advertised in order to carry out malicious activity such as fraudulently charging a device's wireless bill or stealing information from devices.


ROOT ENABLER – Root enablers give users access to privileged functionality on their devices and are commonly used in phone modification communities to enable full access and control over the device.


BACKDOOR – Backdoors leave a file or program on a device that will allow other programs to access protected areas of the device's operating system.


EXPLOIT - Exploits take advantage of a flaw in software or in a component of a device's operating system, usually to gain root privileges on a device and perform privileged actions on the device, including potentially malicious actions.


INFOSTEALER - An information stealer is a Trojan designed to gather and leak information about users and/or their device without user knowledge. The most common form of infostealer gathers login information, such as usernames and passwords, but it may also collect common spyware data such as location, call, SMS, or browsing history, which it sends to another system over a network.

Research and Investigate

We have built a Threat Workbook with research and analysis tools and visualizations showing details behind surveillance threats and threat actors.  It provides the intelligence needed to investigate attacks and the actors responsible for enabling state-sponsored surveillance.


MOBILE NETWORK THREATS

Surveillance threats can originate from actors who have gained access to foreign mobile networks located around the world.  Network surveillance is made possible through a surveillance software platform that connects to a mobile network and sends signaling command messages commonly used for international roaming.  Since the messages are used in mobile networks, they don't require malware or software installed on a victim's phone in order to extract information or intercept communications.


INFORMATION DISCLOSURE – In this type of attack, the bad actor is trying to gather information about the target phone in order to launch other attacks listed below.  Generally speaking, this involves resolving a victim's mobile phone number into their mobile network identity (IMSI) to discover if the phone is live on a mobile network in a particular country to conduct a surveillance operation.


LOCATION DISCOVERY – From the mobile network, a bad actor may be able to track a victim's location down to the individual mobile cell site or even obtain GPS coordinates of the device without seeking permission from the network operators from which the information is extracted.


DENIAL OF SERVICE (DOS) – Network-originated DOS is a malicious attempt to make a victim's phone access to the mobile service unavailable, temporarily or indefinitely, by disconnecting the phone from the network or disabling a service so that the victim is unable to make or receive calls, send/receive SMS, or use data.


COMMUNICATION INTERCEPTION – In a network-originated interception attack, the objective is to intercept active calls and SMS messages in real time. This can be accomplished by faking the victim's device on another network, making the victim's home network believe that the phone is roaming in another country and thereby routing all communications to the attacker.


FINANCIAL THEFT – In a financial theft attack, an attacker will conduct surveillance on a victim's phone number and network identity, then use hacking techniques to fake the victim's IMSI from the mobile network to extract funds or make illegitimate charges on the victim's phone bill.

How to Stop Malware Threats

Protecting yourself from surveillance malware requires prevention and taking an active role to reduce your risk.  While protection cannot be guaranteed, there are techniques to help mitigate your exposure to these threats.


  1. Keep your device updated – Google Android and Apple iPhone regularly release updates, and many of them are security-related. And while both provide notifications on the availability of updates, updates may be available before you receive the message so it's important to manually check.  If you have an Android device, check this Android Help Page.  For iPhone devices, check Apple's iOS page.
  2. Keep your software updated – Malware is often distributed from device apps.  It is therefore recommended to keep your apps updated by configuring your device to automatically update them or to regularly check for app updates.  Web browsers and social media apps can be vulnerable.
  3. Use device security and anti-virus protection – Modern mobile security software provides multiple security features such as malware detection, alerts for apps that may try to obtain your location, alerts about known malicious websites or apps, and blocking of SMS phishing attempts that try to lure you into clicking links to bad websites or virus downloads.  Security software such as Device Security from Lookout can help protect your identity and your phone from surveillance malware threats.
  4. Use caution and only click links from trusted sources – You may receive an unusual message from an old contact or even a trusted contact with an image or page link.  If it seems strange, don't click on it.  Simply text or call the contact to verify that they sent it.
  5. Don't download apps from 3rd party app stores – Many 3rd party app stores offer well-known and traditional commercial apps for free. However, many of the apps offered for download are "cracked" or illegally copied versions that are intentionally modified to promote other content and can include spyware code.
  6. Watch out for social media messages from unknown persons – A common technique among bad actors is to appeal to human instincts to help others.  For example, someone may reach out in distress and ask for help to lure you into clicking a link or opening a file.  Don't fall for it.  Direct them to law enforcement or an organization that can help.
  7. Look for suspicious phone behavior – Spyware and other malware are designed to be hidden. However, if your phone acts up, such as operating slowly, draining its battery quickly, running excessively hot, or showing an unexpected app, this may be an indicator of malware.


Copyright © 2025 Mobile Intelligence Alliance - All Rights Reserved.
