Mobile Surveillance Monitor collects and publishes real-world spyware infections through the Surveillance Dashboard, using threat type classifications to help expose the tactics behind surveillance operations.
WHAT IS A THREAT EVENT?
Spyware relies on network interactions such as malware delivery, command instructions, user data exfiltration, and exploitation of device features. These events are tied to malware classifications and attribution to known threat groups. Our indicator and attribution database enables us to track spyware and provide actionable intelligence to uncover surveillance campaigns targeting high-risk users worldwide.
The country of the group distributing the spyware, determined through partner research and established attribution methods.
The country where the targeted device was located at the time of the attack.
Defined by malware features, distribution, indicators, and observed operational behavior.
Also known as malware family, it is assigned by the research organization that discovered and documented the malware’s code and behavior.
Attribution is based on code reuse, shared infrastructure (domains, IPs, URLs), and other forensic artifacts linked to known threat groups.
The timestamp of the attack, derived from device or network detection logs, or submission records from contributing researchers.
MOBILE MALWARE - Malicious software designed to target mobile devices, typically to steal data, monitor user behavior, or gain unauthorized access. Mobile malware threats now extend beyond surveillance to include financial fraud, credential theft, and lateral movement into corporate networks via personal devices. Some variants are capable of self-replication or disrupting normal device behavior.
SPYWARE – A type of mobile malware that covertly monitors a device and sends stored data—such as a user's contacts, messages, call logs, browsing history, and location—to a third party. Spyware can be installed via physical access or remotely through phishing links sent via messages, fake websites, or social media apps. Its primary purpose is surveillance, though some variants are also monetized through fraud or the resale of user data.
SURVEILLANCEWARE - A commercial subset of spyware designed for persistent monitoring of targeted users. It hides on the device and captures information such as live calls and background audio, camera screenshots or video, or location. It exfiltrates device content such as app data, passwords, call logs, messages, browsing activity, and app usage. Advanced variants can trigger location alerts, remotely download apps, send text messages, or even monitor encrypted apps like Signal, WhatsApp, or Telegram.
NOTE - MSM CLASSIFIES SURVEILLANCEWARE UNDER THE BROADER SPYWARE CATEGORY
TROJAN (Remote Access Trojan/RAT) – A Trojan disguises itself as legitimate software while executing malicious hidden functions. Mobile RATs can steal information, install additional payloads, or commit billing fraud without the user's knowledge.
ROOT ENABLER – Apps that gain privileged (root) device access. While commonly available for web download and used in "modding" communities to enable certain functions, root enablers are often used by spyware threat actors to bypass security controls and gain full access to system resources.
BACKDOOR – Code or software that grants covert access to device files or apps, bypassing standard authentication. Backdoors are used to maintain persistent access or deliver follow-on malware without user consent or visibility.
EXPLOIT - A piece of code or a technique that leverages a vulnerability in the device’s operating system or software to gain unauthorized privileges. It's often used to escalate access, disable protections, or take over certain device controls.
INFOSTEALER - A class of trojan malware designed to extract and leak information about users such as credentials, SMS messages, location, and browsing activity without their knowledge. Infostealers operate silently and transmit user information to a remote server, where it's often sold on the dark web or used as part of a broader criminal surveillance or fraud campaign.
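The threat event fields described above (source country, target country, threat type, malware family, attribution, timestamp) and the note that surveillanceware is reported under the spyware category can be expressed as a small ingestion routine. The following is an added example, not code from Mobile Surveillance Monitor; the field names, the record format and the sample records are assumptions constructed for illustration, and it shows how a dashboard feed would reject incomplete or mislabelled submissions, roll surveillanceware up into spyware, normalise timestamps to UTC, and aggregate events by threat type and by source-to-target route.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Threat type labels from the classification list on the page, lowercased for matching
THREAT_TYPES = {"mobile malware", "spyware", "surveillanceware", "trojan",
                "root enabler", "backdoor", "exploit", "infostealer"}
# Page note: surveillanceware is classified under the broader spyware category
ROLLUP = {"surveillanceware": "spyware"}
# Field names are an assumption for this example; the page describes the fields but names no schema
REQUIRED_FIELDS = ("source_country", "target_country", "threat_type",
                   "malware_family", "attribution", "timestamp")


@dataclass(frozen=True)
class ThreatEvent:
    source_country: str
    target_country: str
    threat_type: str
    malware_family: str
    attribution: str
    timestamp: datetime


def normalize_event(raw: dict) -> ThreatEvent:
    """Validate one submitted record and return a canonical ThreatEvent, or raise ValueError."""
    missing = [f for f in REQUIRED_FIELDS if not raw.get(f)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    ttype = raw["threat_type"].strip().lower()
    if ttype not in THREAT_TYPES:
        raise ValueError(f"unknown threat type: {raw['threat_type']!r}")
    # Accept a trailing 'Z' on older Pythons; reject naive timestamps so events compare correctly
    ts = datetime.fromisoformat(raw["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return ThreatEvent(
        source_country=raw["source_country"].strip().upper(),
        target_country=raw["target_country"].strip().upper(),
        threat_type=ROLLUP.get(ttype, ttype),
        malware_family=raw["malware_family"].strip(),
        attribution=raw["attribution"].strip(),
        timestamp=ts.astimezone(timezone.utc),
    )


def load_events(records: list[dict]) -> tuple[list[ThreatEvent], list[str]]:
    """Normalise a batch; returns (accepted events, rejection reasons) so bad rows never reach the dashboard."""
    accepted, rejected = [], []
    for raw in records:
        try:
            accepted.append(normalize_event(raw))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


def summarize(events: list[ThreatEvent]) -> dict:
    """Counts by (rolled-up) threat type and by source-country -> target-country route."""
    return {
        "by_threat_type": Counter(e.threat_type for e in events),
        "by_route": Counter((e.source_country, e.target_country) for e in events),
    }


# Constructed sample submissions; country codes, family and group names are placeholders
SAMPLE_RECORDS = [
    {"source_country": "xx", "target_country": "yy", "threat_type": "Surveillanceware",
     "malware_family": "FAMILY-A", "attribution": "GROUP-X", "timestamp": "2024-05-01T12:00:00Z"},
    {"source_country": "xx", "target_country": "yy", "threat_type": "spyware",
     "malware_family": "FAMILY-B", "attribution": "GROUP-X", "timestamp": "2024-05-02T09:30:00+02:00"},
    {"source_country": "zz", "target_country": "yy", "threat_type": "trojan",
     "malware_family": "FAMILY-C", "attribution": "GROUP-Y", "timestamp": "2024-05-03T08:00:00Z"},
    # Incomplete submission: no attribution, so it must be rejected rather than published
    {"source_country": "zz", "target_country": "yy", "threat_type": "backdoor",
     "malware_family": "FAMILY-D", "attribution": "", "timestamp": "2024-05-04T08:00:00Z"},
]

if __name__ == "__main__":
    events, rejected = load_events(SAMPLE_RECORDS)
    print(summarize(events))
    print("rejected:", rejected)
```

The rollup happens at ingestion rather than at display time, so every downstream count already reflects the page's convention that surveillanceware is a subset of spyware.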
We have built a Threat Workbook with research and analysis tools and visualizations showing details behind surveillance threats and threat actors. It provides the intelligence needed to investigate attacks and the actors responsible for enabling state-sponsored surveillance.
Surveillance threats can originate from adversaries who gain access to foreign mobile networks and abuse global signaling protocols to target users. These attacks are carried out using surveillance platforms that covertly send signaling messages, typically designed for international roaming through telecom infrastructure. Because these messages are handled by the network itself, spyware isn't needed on the target device to extract device information or intercept communications.
INFORMATION DISCLOSURE – Adversaries send signaling requests to the victim's home mobile network to retrieve the device's unique subscriber identity (IMSI) assigned by the network, confirm whether the phone is active and whether it is roaming on a foreign operator network, and identify the address of the network equipment currently serving the device. This reconnaissance enables further surveillance operations targeting the user.
LOCATION DISCOVERY – By sending signaling requests, attackers can remotely track the device location—down to a specific cell tower or even GPS coordinates—without the consent of the host network operator.
DENIAL OF SERVICE (DOS) – Network-based DoS attacks can disable device services by forcing disconnection from the network or blocking access to voice, SMS, or data services to temporarily disable phone communications.
COMMUNICATION INTERCEPTION – Attackers manipulate signaling routes to hijack calls, text messages, or data. This is often achieved by impersonating the victim’s IMSI on a foreign network to trick the home network into rerouting traffic through actor-controlled infrastructure.
FINANCIAL THEFT – In a financial theft attack, the attacker uses signaling exploits to impersonate a victim’s IMSI and issue fraudulent commands, leading to illegitimate billing charges or other loss of user funds.
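Because these attacks ride on legitimate roaming signaling, a home operator's defence is monitoring its own signaling edge for the patterns the five classes above produce. The following is an added example and not Mobile Surveillance Monitor's code or tooling: it parses a constructed signaling log (the log format, the PLMN allow-list and the IMSIs are assumptions for illustration; the MAP operation names are real SS7 MAP procedures) and raises alerts for requests from networks with no roaming agreement, repeated location queries against one subscriber, and a subscriber's location being updated from two different networks in quick succession, which is the footprint of the IMSI impersonation used for interception.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class SignalingEvent(NamedTuple):
    ts: datetime
    op: str            # MAP operation name
    origin_plmn: str   # MCC+MNC of the network that sent the request
    imsi: str


class Alert(NamedTuple):
    imsi: str
    rule: str
    threat_class: str
    detail: str


# Real MAP operations mapped onto the threat classes described on the page
OP_CLASS = {
    "SendRoutingInfo": "information disclosure",
    "SendRoutingInfoForSM": "information disclosure",
    "ProvideSubscriberInfo": "location discovery",
    "AnyTimeInterrogation": "location discovery",
    "UpdateLocation": "communication interception",
    "CancelLocation": "denial of service",
}

# Constructed log: ISO timestamp, MAP operation, originating PLMN, target IMSI (one event per line)
SAMPLE_LOG = """\
2024-03-01T10:00:00Z SendRoutingInfoForSM 26201 310150123456789
2024-03-01T10:00:05Z ProvideSubscriberInfo 26201 310150123456789
2024-03-01T10:00:09Z ProvideSubscriberInfo 26201 310150123456789
2024-03-01T10:00:14Z ProvideSubscriberInfo 26201 310150123456789
2024-03-01T10:01:00Z UpdateLocation 26201 310150123456789
2024-03-01T10:03:00Z UpdateLocation 25001 310150123456789
2024-03-01T11:00:00Z SendRoutingInfoForSM 23410 310150999999999
"""

# Constructed allow-list of PLMNs the home network has roaming agreements with (an assumption)
ROAMING_PARTNERS = {"26201", "23410"}


def parse_log(text: str) -> list[SignalingEvent]:
    """Parse the constructed log format into time-ordered events; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, op, plmn, imsi = line.split()
        events.append(SignalingEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), op, plmn, imsi))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events: list[SignalingEvent], partners: set[str],
           poll_threshold: int = 3, poll_window: timedelta = timedelta(seconds=60),
           flip_window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Apply three detections over the events and return every alert raised."""
    alerts: list[Alert] = []
    by_imsi: dict[str, list[SignalingEvent]] = defaultdict(list)
    for e in events:
        by_imsi[e.imsi].append(e)
        # Rule 1: any subscriber-related request from a network we have no roaming relationship with
        if e.origin_plmn not in partners:
            alerts.append(Alert(e.imsi, "untrusted-origin", OP_CLASS.get(e.op, "unknown"),
                                f"{e.op} from PLMN {e.origin_plmn}"))
    for imsi, evs in by_imsi.items():
        # Rule 2: repeated location queries against one IMSI inside a short window (tracking behaviour)
        loc = [e for e in evs if OP_CLASS.get(e.op) == "location discovery"]
        for i, first in enumerate(loc):
            window = [e for e in loc[i:] if e.ts - first.ts <= poll_window]
            if len(window) >= poll_threshold:
                alerts.append(Alert(imsi, "location-polling", "location discovery",
                                    f"{len(window)} location requests within {int(poll_window.total_seconds())}s"))
                break
        # Rule 3: UpdateLocation from two different PLMNs within minutes; a phone cannot roam that fast,
        # but an actor impersonating the IMSI to pull traffic onto its own network produces exactly this
        ul = [e for e in evs if e.op == "UpdateLocation"]
        for prev, cur in zip(ul, ul[1:]):
            if prev.origin_plmn != cur.origin_plmn and cur.ts - prev.ts <= flip_window:
                alerts.append(Alert(imsi, "plmn-flip", "communication interception",
                                    f"UpdateLocation from {prev.origin_plmn} then {cur.origin_plmn} "
                                    f"within {int((cur.ts - prev.ts).total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG), ROAMING_PARTNERS):
        print(a)
```

In the sample the second subscriber only receives a single routing query from a partner network and raises nothing, while the first subscriber trips all three rules; the thresholds are deliberately parameters, since a real roaming edge tunes them against its own baseline of legitimate traffic.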
Protecting yourself from spyware requires vigilance. While no solution offers complete protection, the following practices can significantly reduce your risk:
If you observe these symptoms, run a trusted security scan using mobile-specific security software and/or consider consulting a known mobile security help desk.