SURVEILLANCE 101

MOBILE MALWARE - Mobile malware is malicious software designed to target mobile devices with the goal of gaining access to private data. The growing threat of mobile malware to steal information goes beyond surveillance to crypto and financial theft, and accessing corporate networks from personal devices.  Mobile malware can attempt to replicate itself from device to device and cause unpredictable behavior.

SPYWARE – Spyware is malware that hides on a phone and records or forwards information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and browsing history. The spying software can be installed directly on a target device by a 3rd party or may be remotely installed from clicking on a phishing link. The primary motive is to monitor user activity but in some cases may be monetary. This is software that spies, and is broadly distributed.

SURVEILLANCEWARE - Surveillance applications are a subset of commercial Spyware designed to monitor a specific, targeted user phone. They hide on devices and record or forward information about user activities to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and web browsing history.  Advanced surveillance applications can take device screenshots, record conversations, perform geofencing to alert the actor when you enter or leave a specific geographic location, and monitor communication apps such as WhatsApp, Telegram, or Signal.

NOTE - MSM INCLUDES SURVEILLANCEWARE IN THE SPYWARE THREAT TYPE CATEGORY

TROJAN (Remote Access Trojan/RAT) – Trojans perform actions other than those advertised in order to perform malicious actions such as fraudulently charging a device‘s wireless bill or stealing information from devices.

ROOT ENABLER – Root enablers give users access to privileged functionality on their devices and are commonly used in phone modification communities to enable full access and control over the device.

BACKDOOR – Backdoors leave a file or program on a device that will allow other programs to access protected areas of the device‘s operating system.

EXPLOIT - Exploits take advantage and utilize a flaw in software or a component of a device‘s operating system, usually to gain root privileges on a device and perform privileged actions on the

device, including potentially malicious actions.

INFOSTEALER - An information stealer is a Trojan designed to gather and leak information about users and/or their device without user knowledge. The most common form of infostealer gathers login information, like usernames and passwords but may include common spyware data such as location, call, SMS, or browsing history which it sends to another system  over a network.

Surveillance threats can originate from actors who have gained access to foreign mobile networks located around the world.  Network surveillance is made possible through a surveillance software platform that connects to a mobile network and sends signaling command messages commonly used for international roaming.  Since the messages are used in mobile networks, they don't require malware or software installed on a victim's phone in order to extract information or intercept communications.

INFORMATION DISCLOSURE – In this type of attack, the bad actor is trying to gather information about the target phone in order to launch other attacks listed below.  Generally speaking, this involves resolving a victim's mobile phone number into their mobile network identity (IMSI) to discover if the phone is live on a mobile network in a particular country to conduct a surveillance operation.

LOCATION DISCOVERY – From the mobile network, a bad actor may be able to track a victim's location down to the individual mobile cell site or even obtain GPS coordinates of the device without seeking permission from the network operators from which the information is extracted.

DENIAL OF SERVICE (DOS) – Network-originated DOS is a malicious attempt to make, temporarily or indefinitely, a victim's phone access to the mobile service unavailable by disconnecting it from the network or disabling a service so that they are unable to make or receive calls, send/receive SMS, or use data.

COMMUNICATION INTERCEPTION – In a network-originated interception attack, the objective is to intercept active calls and SMS messages in real time. This can be accomplished by faking the victim's device on another network, making the victim's home network believe that the phone is roaming in another country and thereby routing all communications to the attacker.

FINANCIAL THEFT – In a financial theft attack, an attacker will conduct surveillance on a victim's phone number and network identity, then use hacking techniques to fake the victim's IMSI from the mobile network to extract funds or make illegitimate charges on the victim's phone bill.