The CEO of a company that created the StealthGenie mobile spying app recently pleaded guilty for advertising and selling spyware. The US Department of Justice ordered Hammad Akbar to pay a US$500,000 fine and to hand over the spyware’s source code. It’s a significant result, as it marks the first ever criminal conviction surrounding the sale of a mobile spyware app.
This may not be the last mobile spyware case in the US, judging by comments made by Assistant Attorney General Leslie Caldwell of the US Justice Department’s Criminal Division. “Make no mistake: selling spyware is a federal crime, and the Criminal Division will make a federal case out if it,” said Caldwell soon after the case. “Today’s guilty plea by a creator of the StealthGenie spyware is another demonstration of our commitment to prosecuting those who would invade personal privacy.”
While the shutdown of StealthGenie is a great move for mobile privacy, it’s not the only mobile spying software on the market. Spyware such as mSpy (Android.Mobilespy) and Flexispy (Android.Flexispy) allows people with minimal technical skills to compromise their target’s mobile devices and observe all of their communications and online activity.
Many spyware authors are beginning to see the benefits of selling spying software designed for mobile devices rather than solely focusing on traditional computers. Mobile device owners typically take their phones with them everywhere, gathering geolocation information that could be valuable to malicious parties. Along with accessing email accounts and social networks through their mobile device, users also chat to others through mobile-only communication apps, such as WhatsApp, Viber, and Snapchat. This could provide valuable information for anyone who wishes to spy on the user.
Spyware for sale
Figure. How mobile spyware gives stalkers the tools to invade your privacy
Authors of mobile spyware, such as mSpy and Flexispy, attempt to make their software seem legitimate by offering them for sale on professional-looking websites. They claim to offer the software to people who wish to monitor the activities of their children and employees. Flexispy goes a step further, claiming that its software could be used to spy on the customer’s spouse. In most cases, customers need physical access to the target’s mobile device to install the software, though mSpy claims it’s possible to do so with the device owner’s iCloud credentials. Once they do this, they can remotely access a huge amount of the victim’s private information.
Mobile spyware is typically offered to customers on a subscription model, often on a monthly, quarterly, half-yearly, or yearly basis. The vendors even offer 24/7 support through chat or email for customers who have trouble installing the spyware on their target’s phone.
Additionally, the spyware providers usually offer different packages, such as basic and premium, to target customers on a budget or customers who want the full feature-set. Both mSpy and Flexispy’s basic packages let customers gain access to SMS messages, emails, internet history, call logs, photos, videos, and GPS location data. mSpy’s premium package allows customers to log keystrokes, block calls or access to certain sites or apps, remotely wipe the device, or monitor popular chat apps. Flexispy’s “extreme” package lets customers access a password cracker, listen in and record phone calls, and hijack the device’s microphone or camera.
The subscription prices vary, depending on the spyware:
- One month – $39.99
- Three months - $59.99
- One month - $69.99
- Three months - $119.99
- Six months - $149.99
- 12 months $199.99
- One month - $68
- Three months - $99
- 12 months - $149
- Three months - $199
- 12 months - $349
Is a disclaimer enough?
Both mSpy and Flexispy’s sites come with legal disclaimers, which state that the customer needs to ensure that they have permission from the person that they intend to monitor before they install the software. Indeed, mSpy claims that it’s the customer’s responsibility to determine whether their intended use of the spyware is legal in their region.
However, these disclaimers seem to be at odds with many of the features included with this type of spyware. mSpy claims to work in “discreet” mode so that it “doesn’t distract the user with pop-ups, sounds or notifications.” Meanwhile, Flexispy claims that the software will “not be detected in any way once it has been installed.” If the spyware’s customer needs permission from the person that is being monitored before installation, then why does the software need to hide its activity at all?
A simple disclaimer may not help spyware authors avoid the watchful eye of law enforcement. StealthGenie’s site also had a disclaimer saying that the software should only be used in a “lawful manner” for monitoring children and employees, but US law enforcement still successfully convicted the spyware’s creator.
Invasive and predatory
While these spyware providers attempt to make their software seem legitimate, the tools’ features imply otherwise. Their “discreet” nature and excessive monitoring capabilities practically encourage customers to install the tools on their targets’ phones without consent and gather a huge amount of personal information. This type of software is perfect for stalkers, thieves, or abusive partners who wish to monitor every aspect of their target’s life.
The conviction of StealthGenie’s creator highlights how law enforcement is cracking down on spyware, as the FBI claimed it will continue its drive to protect users from illegal spyware.
Symantec continues to examine the spyware landscape and will keep Symantec and Norton products updated to protect users from these threats. For users who wish to avoid or mitigate spyware infections:
- Avoid leaving your mobile device in places where malicious parties could access them and install malicious software. Attackers may only need a few minutes to install mobile spyware on the targeted device.
- Install mobile security software, such as Norton Mobile Security, to protect your device from malware infections
- Keep your mobile device backed up in case you need to restore it to a date prior to spyware infection
- Use a strong password to lock your mobile device and do not disclose the password to third parties.
The FBI also released an alert in September advising users of the danger of mobile spyware.