Commercial Spyware: How Popular Spy Programs Work and How to Protect Yourself

Trojans with built-in keyloggers and data-stealing features are among the oldest types of malware. Over the past 25 years, spyware has only evolved, gaining new anti-detection features and expanding to mobile devices. There are now trojans designed for targeted attacks. In this article, we’ll look at the most well-known commercial spyware programs and discuss how to protect yourself from them.

Why Antivirus Isn’t Enough

It might seem obvious that installing antivirus software is the best way to protect yourself from spyware. However, “obvious” doesn’t always mean “effective.” Most antivirus programs detect trojans using signature-based detection, similar to how counterintelligence agents identify real spies by their fingerprints.

There are various ways to bypass signature detection, and even heuristic analysis—behavioral analysis, sandboxing, and other tricks—aren’t foolproof. If they were, antivirus programs wouldn’t have so many false positives. In other words, even the most up-to-date protection doesn’t guarantee your safety.

Popular Commercial Spyware Programs

FinFisher (FinSpy)

FinFisher, also known as FinSpy, is a cyber-espionage tool developed by Gamma Group. It has reportedly been used for political surveillance of journalists and dissidents worldwide. In 2011, Julian Assange leaked the program to WikiLeaks, making it available for public scrutiny by security experts and others.

FinFisher can intercept social media messages, track emails, act as a keylogger, provide access to files on the infected machine, and record video and audio using the device’s camera and microphone. Versions exist for Windows, macOS, and Linux, as well as mobile versions for Android, iOS, BlackBerry, Symbian, and Windows Mobile.

The typical infection method is via email attachments disguised as useful applications or through compromised software updates. In one attack analyzed by ESET, a man-in-the-middle (MITM) scheme redirected users to a phishing site to download a trojanized version of TrueCrypt. Ironically, users trying to secure their data ended up installing spyware themselves.

FinFisher is designed to be stealthy, with anti-debugging, anti-virtual machine, and anti-disassembly features, as well as obfuscated code. It tries to avoid detection and minimize its footprint on the infected system.

How to Protect Yourself

  • Detecting FinFisher manually is very difficult. Known samples are detected and removed by popular antivirus programs, but new variants are harder to catch.
  • A well-configured firewall is an effective defense. FinFisher connects to its command server and other hosts to download components. If your firewall blocks unknown outbound connections, FinFisher can’t function properly.
  • Always download software via HTTPS and verify digital signatures to avoid trojanized installers.

Adwind

Adwind is a cross-platform program classified as an RCS (Remote Control System) or RAT (Remote Access Tool). It became widely known in 2016, though it was first identified in 2013. Adwind is also known as Sockrat, JSocket, jRat, Unrecom, Frutas, and AlienSpy—essentially different versions of the same tool.

Written in Java, Adwind targets any platform that supports Java: Windows, Linux, macOS, and Android. Its popularity is due to its SaaS (Software as a Service) distribution model, with subscriptions ranging from $20 to $300. It was easy to obtain a working, encrypted binary that could evade antivirus detection—at least until it was uploaded to VirusTotal.

Adwind provides unauthorized access to compromised machines, can take screenshots, log keystrokes, steal saved browser passwords and form data, and access the camera and microphone.

The main infection vector is email, with attachments in .JAR format or HTML code containing VBScript and JScript to silently download Java Runtime and the trojan dropper. Kaspersky Lab also reported cases where Adwind was spread via RTF documents exploiting CVE-2012-0158.

How to Protect Yourself

  • Disable or uninstall Java Runtime on your computer if you don’t need it.
  • Don’t open suspicious email attachments, especially from unknown senders.
  • If you must use Java, change the file association for .JAR files to open with Notepad instead of Java Runtime.
  • On Android, avoid rooting your device and only install apps from trusted sources like Google Play.

DroidJack

DroidJack is perhaps the most well-known commercial remote administration tool for Android, based on the Sandroid app. It consists of a client (APK file installed on the device) and a server (a Windows application for managing the device). A lifetime license costs $210.

DroidJack can transmit GPS coordinates, manage calls, record conversations, read and send SMS and WhatsApp messages, view browser history, list running apps, copy contacts, access the camera, control volume, and more.

To work, DroidJack must be installed on the device, either physically or by tricking the user into installing it. Most known samples lack stealth installation features. The tool is openly sold, but its price has led to cheaper alternatives like OmniRAT, which offers similar features at a quarter of the cost.

How to Protect Yourself

  • DroidJack and OmniRAT require many permissions during installation. Be wary if an app requests access to SMS, contacts, or other sensitive data without a clear reason.
  • Even if the spyware hides its icon, it can still be seen in the list of running processes.
  • Most modern Android antivirus apps can detect DroidJack, so regular scans are recommended.
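As an added illustration of the first point above (not part of the original article), the Python script below takes the text printed by `aapt dump badging` for an APK and groups the permissions the app's stated purpose does not explain; the sample badging output, package name and the "three categories" threshold are my own constructions.

```python
import re

# Permission groups the article names as red flags when an app has no clear reason
# for them (SMS, contacts, calls, microphone, camera, location). Grouping is my own.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

# `aapt dump badging` prints uses-permission:'x' (old aapt) or uses-permission: name='x' (new).
PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'")

# Constructed `aapt dump badging` excerpt for a hypothetical flashlight app.
SAMPLE_BADGING = """\
package: name='com.example.flashlight' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CALL_LOG'
application-label:'Flashlight'
"""


def parse_permissions(badging_output: str) -> list[str]:
    """Extract every declared permission from `aapt dump badging` text."""
    perms = []
    for line in badging_output.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.append(m.group(1))
    return perms


def triage(badging_output: str, expected: set = frozenset()) -> dict:
    """Group unexplained sensitive permissions; `expected` lists categories the app's purpose justifies."""
    flagged = {}
    for perm in parse_permissions(badging_output):
        cat = SENSITIVE.get(perm)
        if cat and cat not in expected:
            flagged.setdefault(cat, []).append(perm)
    # Three or more unexplained sensitive categories is the (constructed) alert threshold.
    return {"flagged": flagged, "suspicious": len(flagged) >= 3}
```

Run `triage(SAMPLE_BADGING, {"camera"})` to see the flashlight app flagged: the camera is expected for its LED, but SMS, contacts, microphone, location and call-log access are not.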

Pegasus

Pegasus is one of the most infamous commercial mobile spyware programs for Android and iOS. Notably, Pegasus can be installed on Apple devices that haven’t been jailbroken. In several targeted attacks, Pegasus was delivered to iPhones via SMS messages containing malicious links. The spyware exploits vulnerabilities in outdated iOS versions (up to 9.3.5), but it’s unclear what capabilities newer versions of Pegasus may have. The Israeli company NSO Group is suspected of developing it.

Pegasus consists of several modules that are downloaded as needed. Its features include keylogging, taking screenshots, reading SMS and emails, copying browser history, eavesdropping on calls, and more. The program tries to remain hidden and self-destructs if it detects a SIM card change or can’t contact its command server for 60 days, indicating it’s designed for targeted attacks rather than mass infection.

Known Android samples don’t exploit vulnerabilities but instead use persistent alerts to trick users into granting administrative privileges.

How to Protect Yourself

  • iPhone and iPad users should keep their systems updated.
  • Android users should never grant administrative privileges to untrusted apps, no matter how persistent the requests.

Conclusion

Commercial spyware programs have been around for a long time and will continue to threaten users as long as there’s demand. Antivirus software is not a cure-all, so the best defense against spyware is your own vigilance and critical thinking.

  • Always scan new programs with antivirus tools.
  • Monitor which network addresses your apps connect to.
  • Keep an eye on running processes.
  • Update your operating system regularly.
  • Disable unnecessary components like Java Runtime.
  • Install all relevant security patches promptly.
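As an added example that is not part of the original article, this Python script combines the two monitoring points above (network addresses and running processes) with the firewall advice from the FinFisher section: it parses `netstat -ano` output, maps PIDs to process names, and reports internet-bound connections owned by processes outside an allowlist. The netstat sample, process names, PIDs and addresses are constructed placeholders, not real indicators.

```python
import ipaddress
import re

# Constructed sample modelled on `netstat -ano` (Windows); addresses, PIDs and names
# are placeholders. The PID -> name map stands in for `tasklist` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:52011     93.184.216.34:443      ESTABLISHED     4321
  TCP    192.168.1.10:52012     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:52013     5.6.7.8:8080           ESTABLISHED     6677
  TCP    127.0.0.1:52014        127.0.0.1:9050         ESTABLISHED     6677
  UDP    0.0.0.0:5353           *:*                                    1200
"""
SAMPLE_PROCESSES = {4: "System", 1200: "svchost.exe", 4321: "firefox.exe", 6677: "updater.exe"}

# Processes expected to reach the internet; a default-deny egress policy treats every
# other process as unknown, which is what starves an implant of its command server.
ALLOWED_OUTBOUND = {"firefox.exe", "System"}

ESTABLISHED_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$")


def parse_established(netstat_output: str) -> list[tuple[str, int, int]]:
    """Return (remote_host, remote_port, pid) for each ESTABLISHED TCP line."""
    conns = []
    for line in netstat_output.splitlines():
        m = ESTABLISHED_RE.match(line)
        if not m:
            continue
        host, port = m.group(1).rsplit(":", 1)   # rsplit keeps IPv6 literals intact
        conns.append((host.strip("[]"), int(port), int(m.group(2))))
    return conns


def is_internal(host: str) -> bool:
    """LAN, loopback and link-local peers are not egress; anything unparsable is treated as egress."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_unknown_egress(netstat_output: str, processes: dict, allowed: set) -> list[dict]:
    """List internet-bound connections owned by processes outside the allowlist."""
    findings = []
    for host, port, pid in parse_established(netstat_output):
        if is_internal(host):
            continue
        name = processes.get(pid, f"<pid {pid}>")
        if name not in allowed:
            findings.append({"process": name, "pid": pid, "dest": f"{host}:{port}"})
    return findings
```

On the sample, only `updater.exe` (PID 6677) talking to 5.6.7.8:8080 is reported; the browser is allowlisted and the SMB and loopback connections are internal.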

Stay alert and proactive to keep your devices and data safe.
