SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

All About Spyware

Posted on August 3, 2017

On today’s episode we’ll be taking a look at spyware: what it does, where it comes from, and what you can do to defend against it.

Sometimes it’s pretty obvious when you’ve got a malware infection – ransomware lets you know that your files have been encrypted and are being held for ransom, while adware spawns endless popups in your web browser. Spyware operates a bit differently, and unlike other types of malware it prefers to remain hidden on an infected system. It might come as a surprise, but some spyware is actually legal to use in certain situations. In other cases, using spyware can land you in some serious trouble.

  • Different types of spyware
  • Why do people use spyware?
  • Legality of spyware
  • Spyware for Apple devices
  • Identifying and avoiding spyware infections

Different types of spyware

In terms of capabilities and behavior, some malware is pretty straightforward: Ransomware, for example, pretty much exists to simply infect your machine, encrypt your files, and then hold them for ransom until you pay up. Other types of malware can be a bit more complex, and when it comes to spyware, the sky’s the limit as far as features and capabilities go. Spyware comes in many shapes and sizes, from commercial software products backed by professional companies to custom one-off solutions made specifically to aid nation states in spying on activists, and everything in between. Some of the most basic spyware simply logs keystrokes and stores them in a text file on the infected machine, requiring the person doing the spying to later retrieve the log file manually. On the other hand, commercial-grade spyware often contains a larger variety of capabilities and features, including the ability to take screenshots and send captured data to a remote server.

There are a lot of different types of programs that can fall under the spyware category, including keyloggers, monitoring software, and remote access tools. While some programs are specifically designed and marketed with spying in mind, others are often sold for more benign purposes and intentionally abused by end-users for illegal activities. The feature-set offered by a given piece of spyware can vary, depending on the intended purpose of the software. For example, a commercial program that is marketed as being designed for a parent to monitor their children might only keep local records on the family computer it’s installed on.

On the other hand, a piece of spyware being peddled on the dark web might tout itself as “undetectable” by the victim (even if that’s not really the case), and include capabilities to snap pictures with the webcam and send pilfered files and data to another computer. Some spyware can be as simple as a keylogger, while more advanced spyware has screen scraping capabilities to take screenshots on a regular basis. Some spyware will even keep track of activity on an app-by-app basis – so someone who was only interested in chat logs could filter out all extraneous data.

The installation methods can be different depending on the intended use of the software as well. Spyware that’s meant to be hidden from the victim and used for illegal purposes is oftentimes disguised as something else such as a game or screensaver in order to trick the victim into installing it. Other times, it’s very clear what software is being installed – there would be no reason for a commercially available piece of software meant to monitor activity in a corporate or school setting to disguise its installer as something else. Once installed on a system, behavior of the software follows a similar logic: Something intended for illegal spying generally won’t advertise its presence on the system to the intended victim, while corporate monitoring software often displays an alert message to the user or has some other way of indicating that a computer is being monitored.

Why do people use spyware?

Broadly stated, spyware is generally used for A) creepy reasons or B) non-creepy (i.e. legitimate) reasons. People who use spyware or monitoring software fall into one of a few specific categories, depending on their reasons for using those types of programs:

Let’s start out with the creeps – first up are jealous and/or jilted lovers. Toxic relationships are never a good thing, and adding spyware into the mix only exacerbates the problem. In situations where one person in a relationship is exhibiting controlling behavior, spyware might be used to extend that control to all aspects of their partner’s life. This might be done to check for evidence of perceived infidelity or to keep tabs on their partner’s online activities. In the case of a jilted ex, spyware might be used to gain access to compromising texts, private photos, or other material that can be used to “get back” at the person who broke up with them.

When an entire country is run by creeps, such as is the case with a totalitarian government obsessed with keeping tabs on its citizens, spyware can be much more widespread. With the amount of money that comes hand-in-hand with that level of power, spyware can be custom-tailored to meet specific needs. If a country wants to block their citizens from reaching certain websites and monitor what they do online, they can implement a country-wide firewall. If they wanted to target a group of dissidents or human rights activists, they can build a custom piece of spyware to do just that. Secure messaging apps and anonymized ways of browsing the web become matters of life and death in some countries where spyware is routinely used to monitor citizens.

We said earlier that there are legitimate use cases for spyware as well, so let’s talk about some non-creepy (or at least less creepy) reasons people use spyware or monitoring software:

First up would be concerned parents. Let’s face it: the internet can be a scary place, especially for parents with young children in the house. On previous episodes we’ve discussed some steps that parents can take to help provide a safer online experience for their children, but sometimes parents need to take things a step farther. By installing spyware or monitoring software on their own family computers, parents can keep track of what their kids are doing online – what sites they’re visiting, who they’re talking to, and so on. This can help a parent to head off potential issues before they become a major problem – for example, if a parent suspects that their child has been talking to an online predator, they can put a stop to it and get the police involved before anything bad happens.

While keeping track of your children’s online behavior might be a necessary evil, we’d still strongly suggest having an open dialog with your children at the appropriate age so they understand your reasons for monitoring their computer activities. This can help keep lines of communication open, build trust, and they’ll know they can come to you with any problems they might encounter in the future.

Finally, there are times when the need for monitoring software is a matter of policy. This requirement is often the case for school or work-issued devices, and is meant to help protect the school or company against potential legal issues. A school might feel compelled to track their students’ computer usage for the same reasons parents might choose to monitor their child’s internet usage – in order to head off potential issues before they become major problems. Further, a school would want to put a stop to improper or illegal use of their devices by students in order to shield themselves against the potential for lawsuits should a child cause serious problems with their actions.

A company might monitor its employees with the same type of legal issues in mind, but there are other reasons as well. A business can’t thrive if its employees are slacking off all the time, and can use the presence of monitoring software on company-issued machines to act as a deterrent for employees who might otherwise spend their workday on social media sites or doing online shopping. Some companies will also monitor their employees’ computer usage to identify leaks or theft of intellectual property. Companies do have some options that aren’t quite as heavy-handed as spying on their employees all day long, however, at least as far as employee productivity goes. Most modern networks can be configured to block access to specific websites at the network level, with a DNS filter or a web proxy, which provides an easy way to keep employees off of social media during the workday without making them feel like they’re living in George Orwell’s 1984.

Legality of spyware

When it comes to the legality of spyware, things get a bit murky. Part of the problem comes from the fact that most commercial spyware is marketed as “monitoring software” and buyers are advised that they can only install it on a machine they own and must inform users that they’ve installed monitoring software. Obviously, there’s no way for a company to know if the end-user is actually going to follow these rules, but they’ve basically covered their bases, legally-speaking – even if it’s obvious that people will use their software for illegal purposes. By not explicitly encouraging illegal behavior, these companies manage to navigate a fine line and avoid running afoul of the law.

That being said, if a piece of spyware is specifically marketed as a tool used for spying on other people without their knowledge or consent, it opens the software author up to a world of legal hurt. In January 2017, a 21-year-old college student pleaded guilty to charges of aiding and abetting computer intrusions. Although he hadn’t hacked any computers himself, he developed and sold a keylogger named Limitless to over 3,000 users who went on to use it to infect over 16,000 victim computers. The fact that he marketed Limitless on hacker forums and embraced illegal use of the keylogger didn’t help: the Justice Department successfully argued that he had been selling it with malicious intent.

His case was actually a bit unusual, as not many people have been successfully prosecuted for selling spyware overall. Spyware laws differ from state to state, and enforcement tends to be rather hit or miss. If a spyware vendor generates enough controversy to catch the eye of the government, they might be faced with a fine, as was the case for the creator of a smartphone spyware app called StealthGenie in 2014, who was fined $500,000. Still, many spyware vendors manage to fly under the radar and avoid legal trouble. Further complicating the matter is the fact that the spyware author might not even be living in the United States, so successful prosecution is anything but guaranteed.

When it comes to companies monitoring their employees, the law is much more clear: It’s perfectly legal when it comes to company-owned devices and networks. If an employer provides a work laptop, desktop, or cellphone, they are perfectly within their rights to monitor an employee’s usage of the device. This covers everything from documents and data stored on the device, to anything being viewed on the screen, to keeping track of keystrokes, and so on. The same goes for internet access from a company network: the company is free to monitor the web sites their employees visit, and can monitor employee e-mail as well.

Now, there are a few restrictions in place when it comes to workplace monitoring. Some states require employers to notify employees when they are being monitored – it might be included in an employee handbook for company policy. Generally it’s not ok for a company to monitor its employees’ private e-mails or personal devices, however, at least not without notifying the employee beforehand.

In the same way, educational institutions are also able to monitor student use of school-supplied equipment, at least up to a certain point. If the level of monitoring clearly crosses the boundary of acceptable behavior it can result in serious problems for the school administration. In February 2010, a school district in Pennsylvania got in trouble for spying on students through the webcams on school-issued laptops… outside of school hours. School officials argued that they’d only activated the webcams in an attempt to locate missing computers. (Find My Mac wouldn’t ship until 2011, but even so, a laptop-tracking tool doesn’t need to photograph whoever is sitting in front of the machine.) In the end, the school district settled for upwards of $600,000.

Finally, there’s a real legal grey area when it comes to spyware that’s not sold out in the open to the general public. There’s an active international trade in tools and technology that can be used to enable spying, and there’s a lot of money to be made by software developers with questionable morals. Because the majority of these sales are made in secret directly to governments (or at least with their knowledge and blessing), most people are unaware that this type of activity even takes place, and there is no regulation in place to limit this type of activity.

Sometimes, however, this type of activity does come to light, as was the case with HackingTeam in 2015. For years, HackingTeam had been developing and selling surveillance software to governments, law enforcement agencies, and corporations all around the world. In July of 2015, HackingTeam was… hacked. It’s a bit ironic, I know. The resulting data breach laid bare the company’s innermost workings and secrets, including a list of its customers. The customer list made it clear that HackingTeam had been doing business with a number of repressive governments known for poor records when it came to human rights. The leaked data showed that HackingTeam’s company revenues from these sales exceeded 40 million Euros.

Also found in the data breach was source code for HackingTeam’s surveillance software, which included numerous zero-day exploits. HackingTeam’s code was later found to have been repurposed in recent malware outbreaks, most likely by hackers who expanded and modified the leaked source code and exploits. This type of exploit re-use was also seen recently after the Shadow Brokers leak of pilfered NSA spy tools in the spring of 2017.

Spyware for Apple devices

We said earlier that spyware and other types of monitoring software come in many different shapes and sizes, and it’s no different when it comes to macOS and iOS. A wide variety of spyware programs are available on macOS, from commercially available monitoring software, to underground hacker tools, to everything in between. This isn’t some new development in the Mac malware scene, either – in fact, spyware has been around on the Mac platform for decades! Macs have been marketed as immune to malware, but even back before OS X that wasn’t true. A variety of keyloggers (and screen scrapers, in later years) were available back in the days of System 7, OS 8, and OS 9.

These days, something of a cottage industry has sprung up for Mac spyware makers, and there are countless spyware programs available for macOS. These range from free open-source tools, to paid commercial products, to secret hacking tools only available on the dark web. Some even have taken on the trend of in-app purchases – one Mac keylogger won’t log text entered into password fields unless you pony up some extra cash to unlock the feature. Most Mac spyware is marketed as being completely invisible once installed on a system, but some shareware keyloggers won’t run invisibly while in demo mode – you need to purchase the full version to keep it hidden from view.

There’s even a remote monitoring tool built right into macOS! Apple Remote Desktop is marketed as a tool for system administrators to easily manage a large number of computers on the same network, and is generally used in a corporate or educational environment. Apple Remote Desktop can be configured to notify a computer user when they’re being actively monitored, but when this feature is disabled monitoring can take place without ever alerting the user. You can see whether the client side is switched on for your own Mac under System Preferences > Sharing > Remote Management.

When it comes to spyware on iOS, things are a bit different. On a Mac, you can basically install software from anywhere you please right out of the box, but on iOS you’re limited to using the App Store. Beyond the strict requirements that apps need to meet to pass Apple’s muster for inclusion in the App Store, the security safeguards put in place on iOS make it much harder for spyware to actively monitor an iPhone or iPad. That being said, there are some notable exceptions when it comes to jailbroken phones.

As a refresher, jailbreaking an iPhone or iPad is basically done to gain complete control over the device – breaking out of the restrictions put in place by Apple. Unfortunately, by jailbreaking your iPhone you’re also removing all of those protections that Apple put in place for your safety. A jailbroken iOS device can run apps from anywhere, not just those found in the App Store. And since those apps didn’t come from the App Store, they didn’t need to pass Apple’s rigorous review process to ensure their safety.

You can probably tell where this is going… without those safety mechanisms, spyware suddenly works like a charm on your iOS device. A number of websites offer spyware for jailbroken iOS devices, many of which operate in stealth mode so the victim never knows their phone is spying on them. This is yet another reason why it’s a bad idea to jailbreak your iPhone!

So the moral of the story is don’t jailbreak your iPhone and you won’t get spyware, right? Well… not quite. Some spyware is available that works on non-jailbroken iOS devices. Wait a minute… didn’t we just say that Apple’s security system prevents spyware from working on non-jailbroken devices? Well, the spyware makers have come up with a rather novel solution to increase their market share, and it actually utilizes Apple’s own services to perform the dirty work!

Spyware offerings from mSpy, Spyzie, Highster Mobile, and others all work by using iCloud backups to gain access to data from the target iOS device. Basically, you provide the spyware vendor with the Apple ID and password for the iOS device you want to monitor. Then, the company uses that information to snag copies of the data uploaded automatically when iCloud backup is enabled on the target device. From there, the spyware vendor can provide you with pretty much any data that’s been backed up, including text messages, call history, photos, videos, emails, browser history, and so on.

Unfortunately there’s no real way for someone to tell if they’re being spied on in this manner, since everything is taking place between Apple’s iCloud servers and the spyware vendor’s servers: no app is actually running on the victim’s iOS device. This is a very good reason to make sure to follow best practices when it comes to your Apple ID password, and to keep it secret. Don’t go sharing it with people! Turning on two-factor authentication for your Apple ID helps here as well: the vendor’s server is just another new device trying to sign in, so your password alone is no longer enough to pull down your backups.

Ok, so if you don’t jailbreak your iOS device and you’re positive your Apple ID password is safe and secure, you have nothing to worry about, right? Well… not quite. If someone has enough money and motivation, they can probably still get some spyware on your iPhone. This was almost the case last summer, and the only reason we even know about it is thanks to the would-be victim’s vigilance.

In August 2016, a joint investigation by Citizen Lab and the Lookout security company revealed the existence of an extremely complex piece of spyware targeting human rights activists, which they called Pegasus. All the spyware needed was for the intended victim to click a malicious link received in a text message, at which point it would be installed and start collecting data. As part of this installation process, Pegasus made use of three separate zero-day exploits to silently jailbreak the target iOS device and install spyware. Due to the high price they command, the use of a single zero-day exploit is usually enough to raise eyebrows in computer security circles, and the use of three separate zero-day exploits in a single attack pointed to signs of an attacker with a serious bankroll.

The only reason that this attack was unsuccessful was because the would-be victim had previously been targeted with spyware and was extra cautious when it came to clicking links in random text messages. If he hadn’t forwarded the link along to security researchers, we never would have known the threat even existed. After the details of the attack came to light, Apple was able to quickly identify and patch the security holes exploited by the attackers; the fix shipped within days as iOS 9.3.5. However, the fact that someone was willing to pay top dollar in order to stockpile and use multiple zero-day exploits goes to show that Apple devices are being targeted, and while it didn’t work this time, next time we might not be so lucky.

Identifying and avoiding spyware infections

One thing to note before we go any further: if there is monitoring software installed on a machine provided by your school or work as part of a mandated policy, don’t remove it on your own. If you’re feeling uncomfortable in situations like that, it’s best to bring it up with the appropriate department at your school or place of employment. That being said, let’s continue!

At the beginning of this episode we talked about how spyware tries its hardest to remain hidden from the user on an infected machine. As such, the symptoms of a spyware infection are much more indirect than something as in-your-face as adware or ransomware. There are some things to look out for, however, and some people are more likely to be targeted with spyware than others. People in abusive, controlling relationships (or people who recently got out of one) are at increased risk of spyware infection by a jealous significant other or ex. Likewise, people engaged in political dissent under a totalitarian regime, or human rights activists bringing stories of corruption or abuse by governments to light are at an increased risk for spyware as well. If you fit one of these risk categories, you’ll want to be extra vigilant to lessen the chance of being infected.

So, how do you tell if you’ve been infected with spyware? Most of the time you’ll have to rely on contextual clues and gut feeling more than anything else. If you notice strange activity on your online accounts, such as notifications that you’ve logged in from different locations or that your password has been changed, or if you’ve been locked out of your online account altogether, it could be an indication that someone has installed a keylogger on your system and has gained access to your online account by capturing your password. One thing to keep in mind is that you might also just have had a bad or easily guessable password, shared your password with other people, or re-used the same password across multiple sites.

More concrete evidence that someone has been spying on you would be if someone has access to your private photos or conversations and either posts them online or threatens to do so; that would be a good time to get the police involved. Another indicator of spyware would be the light for your webcam coming on at random times when you weren’t expecting it to. It might only flash on for a couple of seconds, but unless you’re using a video chat app or taking pictures with Photo Booth, it could be a sign that someone is spying on you through your computer’s webcam.
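One concrete check you can run yourself on a Mac is to look at what launchd has been told to start automatically, since spyware that wants to survive a reboot almost always registers a launch agent or daemon. The script below is an added example for this page, not code from the episode or from SecureMac. The three property lists it audits are constructed for the demonstration, and the list of "trusted" install locations and the `com.sysupdate.agent` job are assumptions for the example, not real malware indicators. On a real system you would read every .plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons instead of the inline samples.

```python
"""Audit launchd property lists for jobs that look like hidden monitoring
software. Added example for this page, not code from the podcast or from
SecureMac. The sample plists are constructed for the demonstration."""
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Where legitimately installed software normally lives. A job whose
# executable sits anywhere else (a user's Library folder, /tmp, a dot
# directory) deserves a second look. This list is an assumption for the
# example, not an Apple-published rule.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Three constructed plists: a normal app updater, a normal daemon, and a job
# that hides in a dot directory and is restarted by launchd if killed.
PLIST_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
                b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n')
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.updater.plist": PLIST_HEADER + b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
  <string>/Applications/Example.app/Contents/MacOS/updater</string>
  <string>--check</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.helperd.plist": PLIST_HEADER + b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.helperd</string>
<key>Program</key><string>/usr/libexec/helperd</string>
<key>KeepAlive</key><true/>
</dict></plist>""",
    "com.sysupdate.agent.plist": PLIST_HEADER + b"""<plist version="1.0"><dict>
<key>Label</key><string>com.sysupdate.agent</string>
<key>ProgramArguments</key><array>
  <string>/Users/ken/Library/.cache/.sysd</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
}


def program_path(plist: dict) -> Optional[str]:
    """launchd names a job's executable as Program or as ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_plist(data: bytes) -> Dict[str, object]:
    """Summarise one launchd job and say why (if at all) it looks off."""
    plist = plistlib.loads(data)
    path = program_path(plist) or ""
    reasons: List[str] = []
    untrusted = bool(path) and not path.startswith(TRUSTED_PREFIXES)
    if untrusted:
        reasons.append("executable outside the usual install locations")
    if any(part.startswith(".") for part in PurePosixPath(path).parts):
        reasons.append("hidden (dot) directory or file in the path")
    # KeepAlive/RunAtLoad on their own are normal for system daemons; combined
    # with an unusual location they are the classic shape of a hidden agent.
    if untrusted and (plist.get("KeepAlive") or plist.get("RunAtLoad")):
        reasons.append("launchd starts it at login and restarts it if killed")
    return {"label": plist.get("Label", "<no Label>"), "program": path,
            "suspicious": bool(reasons), "reasons": reasons}


def audit_all(plists: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Audit a {filename: plist bytes} mapping; suspicious entries come first."""
    results = [dict(audit_plist(data), file=name) for name, data in plists.items()]
    return sorted(results, key=lambda r: not r["suspicious"])


if __name__ == "__main__":
    for r in audit_all(SAMPLE_PLISTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['label']:25} {r['program']}")
        for reason in r["reasons"]:
            print(f"{'':10}   - {reason}")
```

A job that is flagged isn’t automatically spyware (plenty of legitimate tools install agents under ~/Library/LaunchAgents), but it is exactly the kind of entry worth checking the signature and vendor of before deciding.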

There are some things you can do to try and avoid being infected with spyware in the first place, and they all follow some common themes as far as computer security best practices go. First, be wary when it comes to e-mail attachments and links – if you don’t know the person who sent the file or link, don’t trust it. Even if you do know the person who sent you something, double-check with them through an alternate form of communication (such as a phone call) if you weren’t expecting an e-mail from them. Don’t download or install software from untrusted sources – when in doubt, stick to something like the Mac App Store for safety’s sake.

Next, it’s very important to keep your computer locked down, access-wise. Don’t share accounts on your computer: if someone else will be using your computer, make sure they have their own separate account on the system. Even better, give them a standard (non-administrator) account, or use the built-in Guest account for a one-off visit, so they can’t install software or change system settings without your administrator password. In a similar vein, don’t share your passwords to online accounts, especially things like e-mail. All too often, it only takes access to your primary e-mail account and someone with malicious intent could request password changes on your other important online accounts, which usually end up sending a link to your primary e-mail address for confirmation. It’s a good idea to change your passwords once you get out of a relationship, especially if the password would be easy to guess for someone who knows you pretty well. Same goes for the answers to security questions for your various online accounts.

You’ll also want to invest in some good security software for your computer – a professional anti-malware program is a must, just be sure to check with the vendor and make sure they specifically scan for keyloggers and other spyware, as some vendors don’t bother. Once you’ve installed some security software, be sure to run scans on a regular basis, and keep it up-to-date with the latest malware definition updates. It’s also a good idea to get an outbound firewall such as Little Snitch, which will alert you to hidden programs that might be trying to surreptitiously send data off your computer. One thing to note is that Little Snitch tends to have a fairly high learning curve as far as determining which connections are ok to let through and which ones should be blocked – there’s always going to be a lot of traffic coming and going from any computer connected to the internet, most of which is normal and nothing to worry about.
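To get a feel for what an outbound firewall is prompting you about, you can do the same triage by hand with lsof, which ships with macOS: list the established TCP connections, group them by process, and ask whether each process is one you expect to be talking to the internet. The script below is an added example for this page, not code from the episode, from SecureMac or from Little Snitch. The lsof lines it parses are constructed (real `lsof -i -nP` output has the same columns), and the baseline of expected programs, the port list and the `.sysd` process are assumptions for the demonstration.

```python
"""Triage established outbound TCP connections the way an outbound firewall
prompts about them. Added example for this page, not code from the podcast,
from SecureMac or from Little Snitch. The lsof output below is constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in `lsof -i -nP` format (-n/-P keep hosts and ports
# numeric). lsof truncates COMMAND to nine characters, hence "mDNSRespo".
# Remote addresses use documentation ranges, not real services.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari      512 ken    27u  IPv4 0x3a8c5e2f1b0c4d61      0t0  TCP 192.168.1.10:52234->198.51.100.10:443 (ESTABLISHED)
Safari      512 ken    31u  IPv4 0x3a8c5e2f1b0c4d62      0t0  TCP 192.168.1.10:52240->198.51.100.69:443 (ESTABLISHED)
Skype       730 ken    19u  IPv4 0x3a8c5e2f1b0c4d70      0t0  TCP 192.168.1.10:52301->198.51.100.128:443 (ESTABLISHED)
mDNSRespo   118 _mdnsresponder 6u IPv4 0x3a8c5e2f1b0c4d80 0t0  UDP *:5353
launchd       1 root    8u  IPv4 0x3a8c5e2f1b0c4d90      0t0  TCP *:22 (LISTEN)
.sysd      2041 ken     4u  IPv4 0x3a8c5e2f1b0c4da0      0t0  TCP 192.168.1.10:52410->203.0.113.57:8443 (ESTABLISHED)
"""

# Programs you expect to reach the internet from this Mac. An assumption for
# the example; build your own list from a machine you know is clean.
BASELINE: Set[str] = {"Safari", "Skype", "Mail", "Messages"}
# Ports ordinary web and mail traffic uses; anything else gets noted.
COMMON_PORTS: Set[int] = {80, 443, 993, 587}


class Connection(NamedTuple):
    command: str
    pid: int
    user: str
    remote_host: str
    remote_port: int


class Finding(NamedTuple):
    command: str
    pid: int
    remotes: List[str]
    reasons: List[str]


def parse_lsof(text: str) -> List[Connection]:
    """Keep only established TCP connections; drop the header line, UDP
    sockets and listeners. The NAME column looks like local->remote (STATE)."""
    conns: List[Connection] = []
    for line in text.splitlines():
        fields = line.split(None, 8)      # NAME is the 9th field and may contain a space
        if len(fields) < 9 or fields[7] != "TCP":
            continue
        name = fields[8]
        if "->" not in name or not name.endswith("(ESTABLISHED)"):
            continue
        endpoints = name.rsplit(" ", 1)[0]
        remote = endpoints.split("->", 1)[1]
        host, port = remote.rsplit(":", 1)   # rsplit also handles [IPv6]:port
        conns.append(Connection(fields[0], int(fields[1]), fields[2], host, int(port)))
    return conns


def triage(conns: List[Connection], baseline: Set[str] = BASELINE) -> List[Finding]:
    """Group connections by process and explain why each would deserve a prompt."""
    by_proc: Dict[Tuple[str, int], List[Connection]] = defaultdict(list)
    for c in conns:
        by_proc[(c.command, c.pid)].append(c)
    findings: List[Finding] = []
    for (cmd, pid), cs in by_proc.items():
        reasons: List[str] = []
        if cmd not in baseline:
            reasons.append("process not in the baseline of known network apps")
        odd = sorted({c.remote_port for c in cs} - COMMON_PORTS)
        if odd:
            reasons.append(f"unusual remote port(s) {odd}")
        remotes = [f"{c.remote_host}:{c.remote_port}" for c in cs]
        findings.append(Finding(cmd, pid, remotes, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_lsof(SAMPLE_LSOF)):
        verdict = "CHECK" if f.reasons else "ok"
        print(f"{verdict:5} {f.command:10} pid {f.pid:<5} -> {', '.join(f.remotes)}")
        for r in f.reasons:
            print(f"        - {r}")
```

This is a point-in-time snapshot, which is the main thing an outbound firewall adds over running lsof by hand: spyware that phones home once an hour will usually not be connected at the moment you look, whereas Little Snitch sees the attempt whenever it happens.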

If you’re worried about someone spying on you through your webcam or microphone, you might want to check out a great tool called OverSight from Objective-See. OverSight will monitor your Mac’s microphone and webcam, and alert you when the microphone is activated or a process on your computer accesses the webcam. If something tries accessing your mic or webcam without your permission, OverSight gives you the option to block it. You can also whitelist apps that you know need access to the mic or webcam as part of their normal functionality, such as Skype.

Keep your computer and mobile device up-to-date with the latest versions of your operating system and apps, as well as any security patches or updates that have been released. Older versions of operating systems and apps often have security holes that leave you open to infection, something which is much harder to accomplish on a fully patched and up-to-date system. All the latest updates in the world won’t stop an adversary with a lot of money and zero-day exploits at their disposal, however, as was the case with the Pegasus exploits we mentioned earlier. If you’re targeted by a nation-state or other high-level organization, there’s not a whole lot you can do to stop it from happening – just continue using best practices for online security, and remaining extra vigilant to the threat.

So, what do you do in situations where you know you’re infected with spyware (or have a very strong reason to suspect that you are)? There are a number of steps that you’ll need to take in a very specific order. First off, see if your anti-malware software can successfully identify and remove the infection. If not, try contacting the vendor for your security software – if you’ve been infected with a previously unknown piece of spyware, they’ll be happy to help work with you to get a copy for analysis and remove it from your machine. If your scans are coming up clean or you have reason to believe that there’s still something lurking on your system, it’s time for the next step – backing up important files and reinstalling your operating system.

It’s important that you manually restore your important documents and data from backup rather than just using Time Machine to roll back your system to a previous state. Unless you’re absolutely positive of when you were first infected with spyware, there’s a good chance you’ll just end up restoring from an infected backup anyway. After doing a clean reinstall of your operating system, be sure to immediately install any available security updates and patches – you want to lock down any potential holes that someone could use to try and get back into your system. Once you have your system back up and running, it’s time to change your passwords!

Waiting to change your passwords might seem counterintuitive – you want to lock the person spying on you out of your accounts as soon as possible, don’t you? Well…you do, but if you spend a few hours changing all of the passwords for your various online accounts from a computer that’s still infected with spyware, it’s going to be a waste of time in the end. Any spyware that’s still running on your system is going to pick up those new passwords and send them right off to the person spying on you. It’s better to wait a little while so you can ensure your system is clean before you spend time changing passwords.

We’ve discussed password security on more than a few previous occasions, and the normal advice still stands: Make sure you’re using strong, hard-to-guess passwords, and not re-using the same password on multiple sites. Additionally, you’ll want to make sure that you change the answers to your security questions on all of your online accounts as well; if the person spying on you knows enough details about your life, it can be pretty easy for them to answer those security questions and re-gain access to your account even after you’ve changed the password. Times like these are when a password management app such as 1Password really has a chance to shine. These apps make it easy to generate strong, complex passwords, and even come with an added bonus that can help defend against keyloggers!

Many password management apps come with a feature that can auto-fill your passwords for you when you go to log into a website. Thus, since you’re not actually typing in your passwords when logging into your online accounts, keyloggers won’t be able to snag them. One thing to keep in mind is that some more advanced spyware does keep track of the contents of your clipboard, which is used in conjunction with many password managers apps when auto-filling your login information for a website, so a password management app won’t completely protect you from spyware threats.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at checklist@securemac.com!

  • Dejac Associates

    Another great posting on Spyware by the makers of MacScan.
