Mobile Surveillance Monitor publishes threat data in the Surveillance Dashboard, with classifications called threat types. Analyzing threat types is useful because they signal the intention and tactics of a threat actor. Here we discuss the threat types in MSM and how to mitigate mobile surveillance.
WHAT IS A THREAT EVENT?
Mobile surveillance threats require communication between your phone and a network. Threat actors use the network to target and distribute malware, exfiltrate data from your phone, or send cellular signaling requests to intercept communications or track your location. Threat events recorded by MSM are based on indicators of known attack methods. They enable us to classify the type of threat and identify the actor (including APT groups) or source network behind it. MSM has attributed threats to nearly 500 unique actors and source networks in different countries. This attribution enables investigators to seek, analyze, and uncover the sources of threats targeting at-risk groups around the world.
Where possible, we provide the known country of the group distributing a threat, established through research, partners, and known attribution techniques.
Target country is determined from the IP address of the phone at the time of the attack, or is provided by the researcher or by the victim whose phone was targeted.
Threat type is determined from attributes of the malware code, the type of information collected, the techniques used, and the attack operation.
The malware name is typically assigned by the research organization that discovered it and documented its code structure and packaging.
Threat attribution is based on correlations in the code, URLs, domains, IP addresses, and other artifacts encountered in an investigation.
Threat event date is based on when the attack was logged by the phone or network detection software, or when it was submitted by a researcher.
MOBILE MALWARE - Mobile malware is malicious software designed to target mobile devices, typically to gain access to private data. The threat goes beyond surveillance: mobile malware is increasingly used for cryptocurrency and financial theft, and for reaching corporate networks from personal devices. Some mobile malware attempts to replicate itself from device to device and can cause unpredictable device behavior.
SPYWARE – Spyware is malware that hides on a phone and records or forwards information about user activity to whoever installed the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and browsing history. Spyware can be installed directly on a target device by a third party, or remotely, for example after the user taps a phishing link. The primary motive is to monitor user activity, although in some cases it is monetary. Spyware is broadly distributed rather than built for a single target.
SURVEILLANCEWARE - Surveillance applications are a subset of commercial spyware designed to monitor a specific, targeted user's phone. They hide on the device and record or forward information about user activity to the installer of the software. Forwarded information may include contacts, call history, SMS messages, current or previous locations, and web browsing history. Advanced surveillance applications can take device screenshots, record conversations, perform geofencing to alert the actor when you enter or leave a specific geographic area, and monitor communication apps such as WhatsApp, Telegram, or Signal.
NOTE - MSM INCLUDES SURVEILLANCEWARE IN THE SPYWARE THREAT TYPE CATEGORY
TROJAN (Remote Access Trojan/RAT) – Trojans pose as legitimate apps but perform undisclosed malicious actions, such as fraudulently charging a device’s wireless bill or stealing information from the device. A remote access trojan (RAT) additionally gives its operator remote control of the device.
ROOT ENABLER – Root enablers give users access to privileged functionality on their devices and are commonly used in phone modification communities to enable full access and control over the device.
BACKDOOR – Backdoors leave a file or program on a device that allows other programs to access protected areas of the device’s operating system.
EXPLOIT - Exploits take advantage of a flaw in software or in a component of a device’s operating system, usually to gain root privileges and perform privileged actions on the device, including potentially malicious ones.
INFOSTEALER - An information stealer is a Trojan designed to gather and leak information about users and/or their device without the user's knowledge. The most common form gathers login information, such as usernames and passwords, but it may also collect typical spyware data such as location, call, SMS, or browsing history, which it sends to another system over a network.
We have built a Threat Workbook with research and analysis tools and visualizations showing details behind surveillance threats and threat actors. It provides the intelligence needed to investigate attacks and the actors responsible for enabling state-sponsored surveillance.
Surveillance threats can also originate from actors who have gained access to mobile networks in other countries. Network surveillance is made possible by a surveillance software platform that connects to a mobile network and sends the signaling messages normally used for international roaming (SS7/MAP on 2G and 3G networks, Diameter on 4G). Because these messages are a legitimate part of how mobile networks operate, the attacker needs no malware or software installed on the victim's phone to extract information or intercept communications.
INFORMATION DISCLOSURE – In this type of attack, the bad actor gathers information about the target phone in order to launch the other attacks listed below. Generally speaking, this involves resolving a victim's mobile phone number into their mobile network identity (IMSI) and the network element currently serving the phone, to discover whether the phone is live on a mobile network in a particular country before conducting a surveillance operation.
LOCATION DISCOVERY – From the mobile network, a bad actor may be able to track a victim's location down to the individual cell site, or even obtain GPS coordinates of the device, without the knowledge or permission of the network operator from which the information is extracted.
DENIAL OF SERVICE (DoS) – Network-originated DoS is a malicious attempt to make mobile service unavailable to a victim's phone, temporarily or indefinitely, by disconnecting it from the network or disabling a service so that the victim cannot make or receive calls, send or receive SMS, or use data.
COMMUNICATION INTERCEPTION – In a network-originated interception attack, the objective is to intercept active calls and SMS messages in real time. This can be accomplished by registering the victim's subscriber identity on a network the attacker controls, making the victim's home network believe the phone is roaming in another country and thereby routing the victim's communications to the attacker.
FINANCIAL THEFT – In a financial theft attack, the attacker first conducts surveillance on a victim's phone number and network identity, then impersonates the victim's IMSI toward the mobile network to extract funds or place illegitimate charges on the victim's phone bill.
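As an added illustration (not MSM's code or tooling) of how the network-originated threat types above can be recognized in signaling traffic, the following Python sketch classifies a constructed log of inbound SS7 MAP operations against per-subscriber registration state. The point it makes is the one in the text: the messages themselves are ordinary roaming traffic, so detection rests on context (who is asking, and where the phone is actually registered). The mapping of MAP operations to MSM threat types, the log format, the home country code "1" and the one-hour impossible-travel window are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example (not from MSM): the home operator sits in
# country code "1", and a registration from a different country arriving less
# than an hour after the previous one is treated as impossible travel.
HOME_CC = "1"
IMPOSSIBLE_TRAVEL = timedelta(hours=1)

# Illustrative mapping of MAP operations to the MSM network threat types.
# sendRoutingInfoForSM resolves MSISDN -> IMSI + serving MSC; the location
# operations return the serving cell or coordinates.
INFO_OPS = {"sendRoutingInfoForSM", "sendIMSI", "sendRoutingInfo"}
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                "provideSubscriberLocation"}


@dataclass
class Event:
    ts: datetime
    src_cc: str       # country code of the sending global title
    src_gt: str       # sending global title (E.164 address)
    op: str           # MAP operation, or homeAttach (constructed marker for a home VLR registration)
    subscriber: str   # MSISDN of the targeted subscriber


@dataclass
class Alert:
    ts: datetime
    subscriber: str
    threat_type: str
    op: str
    src_cc: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format: '<iso ts> <src_cc> <src_gt> <op> <msisdn>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src_cc, src_gt, op, sub = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            src_cc, src_gt, op, sub))
    return events


def classify(events: list[Event]) -> list[Alert]:
    """Flag signaling that is inconsistent with where each subscriber is registered."""
    alerts: list[Alert] = []
    # subscriber -> (time of last accepted registration, country code serving it)
    registered: dict[str, tuple[datetime, str]] = {}

    for e in events:
        last_ts, cur_cc = registered.get(e.subscriber, (None, HOME_CC))
        # A query from neither the home network nor the network currently
        # serving the subscriber has no roaming justification.
        unexplained = e.src_cc not in (HOME_CC, cur_cc)

        if e.op == "homeAttach":
            registered[e.subscriber] = (e.ts, HOME_CC)
        elif e.op in INFO_OPS and unexplained:
            alerts.append(Alert(e.ts, e.subscriber, "INFORMATION DISCLOSURE", e.op, e.src_cc))
        elif e.op in LOCATION_OPS and unexplained:
            alerts.append(Alert(e.ts, e.subscriber, "LOCATION DISCOVERY", e.op, e.src_cc))
        elif e.op == "updateLocation" and e.src_cc != HOME_CC:
            # A foreign network claims the phone just roamed onto it. If the phone
            # was registered elsewhere moments ago, this is the fake roaming
            # registration used to redirect calls and SMS to the attacker.
            if last_ts is not None and e.src_cc != cur_cc and e.ts - last_ts < IMPOSSIBLE_TRAVEL:
                alerts.append(Alert(e.ts, e.subscriber, "COMMUNICATION INTERCEPTION", e.op, e.src_cc))
            else:
                registered[e.subscriber] = (e.ts, e.src_cc)   # plausible roaming
        elif e.op == "cancelLocation" and e.src_cc != HOME_CC:
            # cancelLocation is only ever sent by the home HLR to a VLR; a foreign
            # sender detaching our subscriber is a network-originated DoS.
            alerts.append(Alert(e.ts, e.subscriber, "DENIAL OF SERVICE", e.op, e.src_cc))
    return alerts


# Constructed sample log (not real traffic). Subscriber ...1234 is targeted from
# country code 44 while attached at home; ...9999 legitimately roams to 33 and
# is then queried from 7.
SAMPLE_LOG = """
2024-03-02T10:00:00Z 1  12025550100  homeAttach            15550001234
2024-03-02T10:05:12Z 44 447700900123 sendRoutingInfoForSM  15550001234
2024-03-02T10:05:13Z 44 447700900123 provideSubscriberInfo 15550001234
2024-03-02T10:07:40Z 44 447700900123 updateLocation        15550001234
2024-03-02T10:08:02Z 44 447700900123 cancelLocation        15550001234
2024-03-02T12:30:00Z 1  12025550100  homeAttach            15550009999
2024-03-02T21:00:00Z 33 33612345678  updateLocation        15550009999
2024-03-02T21:05:00Z 33 33612345678  sendRoutingInfoForSM  15550009999
2024-03-02T21:06:00Z 7  79161234567  provideSubscriberInfo 15550009999
"""

if __name__ == "__main__":
    for a in classify(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%H:%M:%S} {a.subscriber} {a.threat_type:<26} {a.op} from cc {a.src_cc}")
```

Run on the sample log, the first subscriber produces the four-step sequence the text describes (disclosure, location, fake roaming registration, detach), while the second subscriber's real roaming to country 33 and the visited network's own routing query are accepted; only the later query from an unrelated country is flagged. A real deployment would add the context this sketch omits, notably that foreign SMS centres legitimately send sendRoutingInfoForSM to deliver messages, which is why operators pair such rules with SMS home routing rather than blocking the operation outright.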
Protecting yourself from surveillance malware requires prevention and taking an active role to reduce your risk. While protection cannot be guaranteed, there are techniques to help mitigate your exposure to these threats.