Mobile Surveillance Monitor records threat event data in the Surveillance Dashboard. Find a description of the threat type information displayed in the dashboard, with recommendations on how to detect and mitigate mobile phone surveillance.
WHAT IS A THREAT EVENT?
Surveillance requires an action and communication between your phone or the mobile network and the actor collecting your information. These threat events, based on indicators of known attacks, are recorded in MSM. They provide an accurate picture of targeted surveillance and enable us to classify the type of threat and, in some cases, the actor or source APT behind it.
Where possible, we provide the known country location of the group sponsoring a threat using research and known attribution techniques.
Target country is determined from the phone's IP address when detected, or is explicitly provided by the researcher or the user of the targeted phone.
The nature and type of user information requested and collected by the threat determines the threat type classification.
The malware name is typically assigned by the research organization that discovered and documented its code structure and packaging.
Attribution is based on relationships between files, URLs, domains, IP addresses, and other artifacts encountered in an investigation.
The threat event date is based on the detection date logged and subsequent associated attack or communication attempts.
SPYWARE – Spyware is designed to monitor a specific, targeted phone. It hides on a phone and records or forwards information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and browsing history. The spying software can be installed directly on a target device by a third party or may be installed remotely after the user clicks a phishing link. The primary motive is to monitor user activity, but in some cases it may be monetary. This is software that spies, and it is broadly distributed.
TROJAN – Trojans perform actions other than those advertised in order to carry out malicious activity such as fraudulently charging a device's wireless bill or stealing information from the device.
ROOT ENABLER – Root enablers give users access to privileged functionality on their devices and are commonly used in phone modification communities to enable full access to and control over the device.
BACKDOOR – Backdoors leave a file or program on a device that allows other programs to access protected areas of the device's operating system.
We have built a Threat Workbook with research and analysis tools and visualizations showing the details behind surveillance threats. It provides the intelligence needed to investigate attacks and the actors who enable state-sponsored surveillance.
Protecting yourself from surveillance malware requires prevention and taking an active role to reduce your risk. While protection cannot be guaranteed, there are techniques to help mitigate your exposure to these threats.
Surveillance threats can originate from foreign mobile networks located around the world. This is made possible through mobile network messages commonly used for international roaming. Since the messages are used in mobile networks, they don't require malware or software on the victim's phone.
INFORMATION DISCLOSURE – In this type of attack, the bad actor is trying to gather information about the target phone in order to launch other attacks listed below. Generally speaking, this involves resolving a victim's mobile phone number into their mobile network identity (IMSI) to discover if the phone is live on a mobile network in a particular country to conduct a surveillance operation.
LOCATION DISCOVERY – From the mobile network, a bad actor may be able to track a victim's location down to the individual mobile cell site or even obtain GPS coordinates of the device without seeking permission from the network operators from which the information is extracted.
DENIAL OF SERVICE (DOS) – Network-originated DOS is a malicious attempt to make a victim's phone's access to the mobile service unavailable, temporarily or indefinitely, by disconnecting it from the network or disabling a service so that the victim is unable to make or receive calls, send or receive SMS, or use data.
COMMUNICATION INTERCEPTION – In a network-originated interception attack, the objective is to intercept active calls and SMS messages in real time. This can be accomplished by impersonating the victim's device on another network, making the victim's home network believe that the phone is roaming in another country and thereby routing all communications to the attacker.
FINANCIAL THEFT – In a financial theft attack, an attacker first conducts surveillance on a victim's phone number and network identity, then impersonates the victim's IMSI on the mobile network to extract funds or place illegitimate charges on the victim's phone bill.
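To show how the record fields described above (target country from the phone's IP, threat type from the information requested, event date from first detection plus later attempts) combine with the network-originated threat taxonomy, here is an added detection example that is not MSM's own code. It reads a constructed, simplified signaling log (message kinds such as IDENTITY_LOOKUP are labels for this page's categories, not real signaling operation names), discards roaming registrations from the country the handset is actually in, and groups the rest per origin network into threat events.

```python
from datetime import datetime, timedelta

# Constructed sample log of signaling messages a home network might record for one
# subscriber. origin= is the country of the network that sent the message. The
# message kinds are labels for the categories this page describes, not real
# signaling operation names.
SAMPLE_LOG = """\
2024-03-01T10:00:00 IDENTITY_LOOKUP origin=XX target=+15550100
2024-03-01T10:00:07 LOCATION_REQUEST origin=XX target=+15550100
2024-03-01T10:02:00 ROAMING_REGISTER origin=XX target=+15550100
2024-03-01T10:30:00 SERVICE_DISABLE origin=XX target=+15550100
2024-03-02T09:00:00 ROAMING_REGISTER origin=US target=+15550100
"""

# Message kind -> threat type, following this page's taxonomy.
THREAT_TYPE = {
    "IDENTITY_LOOKUP": "INFORMATION DISCLOSURE",
    "LOCATION_REQUEST": "LOCATION DISCOVERY",
    "ROAMING_REGISTER": "COMMUNICATION INTERCEPTION",
    "SERVICE_DISABLE": "DENIAL OF SERVICE",
}

def parse_log(text):
    """Parse 'timestamp KIND key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"time": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events

def classify(events, phone_country, window=timedelta(hours=1)):
    """Group suspicious messages per (origin, target) into threat events.
    phone_country is where the handset really is (e.g. from its IP), so a roaming
    registration from that country is normal; from any other country it is flagged.
    A new record starts when more than `window` passes since the previous attempt;
    the record's event_date is the first detection, as the page describes."""
    threats = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "ROAMING_REGISTER" and ev["origin"] == phone_country:
            continue  # legitimate roaming: the phone is actually there
        ttype = THREAT_TYPE.get(ev["kind"])
        if ttype is None:
            continue  # message kind not in the taxonomy
        rec = next((t for t in reversed(threats)
                    if t["origin"] == ev["origin"] and t["target"] == ev["target"]
                    and ev["time"] - t["last_seen"] <= window), None)
        if rec is None:
            rec = {"origin": ev["origin"], "target": ev["target"],
                   "event_date": ev["time"].date().isoformat(),
                   "last_seen": ev["time"], "types": [], "attempts": 0}
            threats.append(rec)
        rec["last_seen"] = ev["time"]
        rec["attempts"] += 1
        if ttype not in rec["types"]:
            rec["types"].append(ttype)
    return threats
```

Changing phone_country to "XX" makes the XX registration legitimate and the later US registration the flagged one, which is the cross-check the target-country field enables.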
View our monthly threat reports to see the latest attack trends.