The market for mobile spyware has rapidly grown into a lucrative ecosystem, and threat actors have been quick to take advantage of it to carry out intrusions against vulnerable targets. Commercial spyware such as Pegasus and QuaDream's REIGN are recent examples of tools used to break into the devices of journalists, NGO workers, political figures, and other high-profile victims. In response to this growing threat, on March 27th, 2023, the Biden Administration issued an Executive Order (EO) that prohibits federal agencies from operationally using commercial spyware that poses significant counterintelligence or security risks to the United States, or that has been misused by foreign actors, including to enable human rights abuses around the world.
The threat of spyware used for malicious purposes isn't new to government agencies and corporations. The use of mobile devices in the workforce, in both the private and public sectors, has grown dramatically over the years, as they play a key role in the modernization of today's organizations. At the same time, mobile devices make spyware far more effective: they travel with their users throughout the entire day, and they are almost always tied to a phone number that stays the same wherever the user is in the world. With that ubiquity comes a widening attack surface for cybercriminals to target. In fact, according to the Verizon Mobile Security Index, almost half of organizations suffered a mobile-related compromise in 2022.
The Executive Order did a much-needed job of addressing the use of spyware in human rights violations and in acts of aggression against the United States and its allies, while amplifying the larger, more widespread issue of mobile spyware in both the public and private sectors. But it is not the be-all and end-all of the spyware problem, nor was it intended to be.
We need to go further and account for how complex mobile software has become and how ubiquitous mobile devices really are within government agencies and corporations. Let's take a closer look at some ways security leaders at the state, local, and federal level, as well as CISOs and business leaders, can mitigate risk and best protect the pool of mobile devices in their ecosystem.
The insidious nature of spyware
Threat actors are constantly hunting for ways to steal sensitive company or agency data, whether for profit or for geopolitical advantage, and spyware is one of the primary ways these adversaries compromise employee devices. Unfortunately, it is getting easier. Once on a device, spyware can track location, turn the camera or microphone on or off, log keystrokes, steal passwords, or perform actions on the device from anywhere in the world. In many instances spyware arrives through a successful phishing attack: a user taps a malicious link that triggers the download of malware. More sophisticated spyware, however, achieves remote access without any action by the user at all. QuaDream's spyware framework, called REIGN, for example, specialized in compromising Apple devices with no action needed on the victim's end (a "zero-click" attack in security parlance).
Discovering and mitigating spyware risk can be done, but not superficially. CISOs need visibility into which of the many devices in their scope actually contain malicious applications. They also need to identify spyware that arrives as a Software Development Kit (SDK) embedded within hundreds of otherwise legitimate applications. With new spyware variants discovered every day, this becomes an endless game of "Where's Waldo?" that can overwhelm security teams unless a proactive mobile security strategy is in place.
How to best address the spyware challenge head-on
Government agencies looking to mitigate risk at its root need an agent on the devices they manage that analyzes the installed applications and the SDKs within them, and that understands which connections those applications make, both with each other and, potentially, with nefarious servers. In a mobile-first world, security teams need a comprehensive, mobile-first security platform that shows where the SDKs are connecting and can then block the connection or access to the application.
In our own customer base, we constantly see instances of spyware being blocked. In 2022, our zLabs research team discovered more than 3,000 distinct spyware variants, so you can imagine how many devices, companies, and apps those variants are sitting on. Without a central agent tracking spyware, users have no idea it is even on their devices.
From the user's end, several best practices help prevent spyware from landing on a device. First, do not connect to unsecured Wi-Fi in public places. Second, avoid clicking phishing links, even ones that look legitimate; this is where basic mobile security awareness training for government employees goes a long way. iPhone and Android devices are targeted equally by bad actors, but certain doors can be opened to threat actors, such as enabling developer mode (Developer Options) on Android. Developer mode matters because it exposes USB debugging (adb), which lets a connected computer install apps and read data without going through an app store. It is a common activity we see, and one that is virtually impossible for CISOs to track without a central agent on the device.
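As an added example that is not part of the original post, here is a Python sketch of the kind of inventory-based check described above: a central agent's collected app inventory (installed packages, the SDK identifiers found inside them, and the hosts each app contacts) plus the Android developer-mode settings are evaluated against an indicator list, and the findings are turned into block actions. The device records, SDK identifiers, host names and indicator values are constructed for illustration and are hypothetical; only the setting names are real, being the Android global settings (`development_settings_enabled`, `adb_enabled`) that `adb shell settings get global <name>` reports as "1", "0" or "null".

```python
from dataclasses import dataclass

# Hypothetical indicators, constructed for this example only. A real agent
# would pull these from a threat-intelligence feed.
KNOWN_BAD_SDKS = {"com.example.stalkersdk", "net.example.silentlogger"}
KNOWN_BAD_HOSTS = {"c2.example.net", "collector.example.org"}

# Android global settings that open the "developer mode" door. Values are the
# strings `adb shell settings get global <name>` returns: "1", "0" or "null".
RISKY_GLOBAL_SETTINGS = ("development_settings_enabled", "adb_enabled")


@dataclass
class InstalledApp:
    package: str
    sdks: frozenset             # SDK package prefixes found inside the APK
    contacted_hosts: frozenset  # hosts seen in the app's outbound connections


@dataclass
class DeviceRecord:
    device_id: str
    apps: list
    global_settings: dict       # name -> value string as reported by adb


def check_device(device, bad_sdks=KNOWN_BAD_SDKS, bad_hosts=KNOWN_BAD_HOSTS):
    """Return a list of (kind, subject, detail) findings for one device."""
    findings = []
    for name in RISKY_GLOBAL_SETTINGS:
        if device.global_settings.get(name) == "1":
            findings.append(("setting", name, "enabled"))
    for app in device.apps:
        # Spyware delivered as an SDK hides inside otherwise legitimate apps,
        # so match on embedded SDK identifiers, not just the app package.
        for sdk in sorted(app.sdks & bad_sdks):
            findings.append(("sdk", app.package, sdk))
        for host in sorted(app.contacted_hosts & bad_hosts):
            findings.append(("c2", app.package, host))
    return findings


def deny_rules(findings):
    """Translate findings into the block actions a policy engine would push."""
    rules = set()
    for kind, subject, detail in findings:
        if kind == "c2":
            rules.add(f"block-host {detail}")
        if kind in ("c2", "sdk"):
            rules.add(f"block-app {subject}")
    return sorted(rules)


def sample_fleet():
    """Constructed inventory of two managed devices (not real data)."""
    notes = InstalledApp("com.example.notes",
                         frozenset({"com.example.analytics"}),
                         frozenset({"api.example.com"}))
    flashlight = InstalledApp("com.example.flashlight",
                              frozenset({"com.example.stalkersdk"}),
                              frozenset({"ads.example.com", "c2.example.net"}))
    return [
        DeviceRecord("device-001", [notes],
                     {"development_settings_enabled": "0", "adb_enabled": "0"}),
        DeviceRecord("device-002", [notes, flashlight],
                     {"development_settings_enabled": "1", "adb_enabled": "1"}),
    ]


def audit_fleet(fleet=None):
    """Map each device id to its findings."""
    fleet = sample_fleet() if fleet is None else fleet
    return {d.device_id: check_device(d) for d in fleet}


if __name__ == "__main__":
    for device_id, findings in audit_fleet().items():
        print(device_id, findings, deny_rules(findings))
```

In this constructed fleet, device-001 is clean, while device-002 has developer mode and USB debugging enabled and carries a flashlight app that embeds a flagged SDK and talks to a flagged host; the resulting rules block both the host and the app.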
Next steps forward
Mobile spyware is not a threat that will lessen anytime soon. Mobile devices present an attack surface that is ripe for threat actors. Whether they are nation-states looking to extract top secret information or financially motivated criminals aiming to make a profit, attackers are becoming more sophisticated and are infiltrating modern businesses across the globe.
This Executive Order, although it directly addresses only federal agencies' use of certain commercially available spyware, should also be a wake-up call for CEOs and CISOs that mobile spyware is here to stay and will open doors to widespread exploitation of sensitive information. The public and private sectors both need a mobile-first security strategy built on a solution that can identify spyware attacks.