Recent testimony to a Canadian federal government committee revealed that the RCMP has been using “on-device investigation tools” (ODITs), or spy apps, with judicial authorization. The ODITs access and export emails, text messages, microphone recordings, camera images, and other sensitive data.
And without restraint or court approval, various autocratic regimes worldwide have surreptitiously installed the sophisticated spy app Pegasus on the smartphones of opponents.
These revelations significantly increased interest in checking smartphones for spy app infections. Here are the answers to the most common questions about spy app infections.
What are the signs of a spy app on my smartphone?
The simpler ODITs, but not the more sophisticated ones, reveal themselves through one or more of the following signs:
- Phone lighting up or making abnormal sounds when not in use.
- Surprising increase in data usage.
- Battery drain when not in use.
- Random reboots and shutdowns.
- Text or SMS messages you didn’t create.
- Suspicious files in the file manager that you didn’t create.
- Sudden slowdowns in performance.
- Random pop-ups on the screen.
- Noticeable delay when shutting down.
Sophisticated ODITs can only be detected by the anti-spy apps discussed below.
How can I check my smartphone for spy apps?
Antivirus software vendors have expanded their software functionality to detect spy apps. The extent to which this software can detect the more sophisticated ODITs is debatable. This article rates some of the available software: 10 Best Spyware Removal Tools. These software packages vary in their support for Android, iOS, Mac and Windows.
For software to remove Android spy apps, consider one of these apps: 7 Best FREE Anti-Spy Apps for Android: Spyware Removal.
Android phone owners may also find it effective to use the software built by TechCrunch: TechCrunch launches TheTruthSpy spyware lookup tool.
To better understand other ways hackers attack smartphones, please view this slideshow: Has your iPhone been hacked?
Why are spy apps challenging to detect on a smartphone?
Antivirus software cannot detect the more sophisticated ODITs because they exploit zero-day vulnerabilities: flaws unknown to the developers of operating systems and antivirus applications, so no patch or detection signature exists for them yet.
Indicators of an ODIT infection can be found in the device’s data transfer logs, which record the device’s communications with remote servers: emails, phone calls, SMS, instant messages, and other traffic. However, reading and interpreting data transfer logs requires specific software and considerable technical expertise. To learn more about data transfer logs, please read the applicable article:
How are spy apps installed?
More sophisticated ODITs are installed remotely without the smartphone owner ever having to open a document or click on a website link. Typically the silent installation occurs through a zero-click attack that exploits vulnerabilities in apps like Apple’s Messages or Meta’s WhatsApp.
Simpler ODITs are installed directly on the smartphone by briefly stealing it from the owner.
Can I prevent the installation of spy apps?
The Apple App Store, Google Play, and even websites for side-loading apps pride themselves on simple app installations. This ease of use makes preventing the installation of spy apps impossible.
To thwart spy apps, Apple will offer a new Lockdown Mode in iOS 16. This iPhone software version is due to arrive later in 2022. How successful this feature will be remains to be seen.
To reduce the risk of spy apps on Android, block the installation of apps from unknown sources in Settings. On Google Play, ensure Play Protect is enabled.
Can sophisticated spy apps be detected on a smartphone?
Amnesty Tech has developed a utility that identifies sophisticated ODITs. It is called Mobile Verification Toolkit (MVT), and its source code is available on GitHub. Amnesty Tech is part of the human rights organization Amnesty International.
MVT runs on Android and iOS. However, MVT preparation and installation are complex and require considerable expertise. MVT must be compiled for a specific device. That can be done only on a computer running Linux or macOS.
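Both the data transfer log indicators described under “Why are spy apps challenging to detect” and MVT’s checks come down to the same technique: comparing records extracted from the device against a list of known indicators of compromise. The script below is an added example written for this page; it is not MVT’s or Amnesty Tech’s code. It parses a STIX 2.1-style indicator bundle (the file format MVT accepts for its indicators) and matches data transfer records against it, then separately totals outbound bytes per process to catch the “surprising increase in data usage” sign. The bundle, every indicator value, the log records and the byte threshold are all constructed placeholders, not real indicators.

```python
"""Match device data-transfer records against a STIX 2.1 indicator bundle.

Added example; not MVT's or Amnesty Tech's code. Every indicator value and
log record below is constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle. The pattern syntax is STIX's; the values are
# placeholders, not real indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'ioc-example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[process:name = 'bogusproc']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:path = '/private/var/tmp/bogus-cache']"},
    ],
})

# Constructed data-transfer records: which process sent how much to which host.
SAMPLE_RECORDS = [
    {"ts": "2022-08-01T09:00:01", "process": "MobileSMS", "host": "ioc-example.invalid", "bytes_out": 15000},
    {"ts": "2022-08-01T09:00:05", "process": "Mail", "host": "imap.mail.example", "bytes_out": 2048},
    {"ts": "2022-08-01T09:01:10", "process": "bogusproc", "host": "cdn.sub.ioc-example.invalid", "bytes_out": 4200000},
    {"ts": "2022-08-01T09:02:00", "process": "Safari", "host": "www.example.org", "bytes_out": 900},
    {"ts": "2022-08-01T09:03:00", "process": "syncd", "host": "", "path": "/private/var/tmp/bogus-cache", "bytes_out": 0},
]

# Simple single-comparison STIX pattern: [object-type:property = 'value']
PATTERN_RE = re.compile(r"\[\s*([a-z-]+):([a-z_]+)\s*=\s*'([^']*)'\s*\]")


def parse_indicators(bundle_json):
    """Return {(object_type, property): set(lowercased values)} from a bundle.

    Composite patterns (AND/OR, several comparisons) are skipped here; a
    production matcher needs a real STIX pattern parser.
    """
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m:
            obj_type, prop, value = m.groups()
            iocs[(obj_type, prop)].add(value.lower())
    return iocs


def scan_records(records, iocs):
    """Flag records whose host, process name or file path matches an indicator.

    Domains match exactly or as any subdomain of an indicator domain.
    """
    domains = iocs.get(("domain-name", "value"), set())
    processes = iocs.get(("process", "name"), set())
    paths = iocs.get(("file", "path"), set())
    hits = []
    for rec in records:
        reasons = []
        host = rec.get("host", "").lower()
        for dom in sorted(domains):
            if host == dom or host.endswith("." + dom):
                reasons.append(f"domain {dom}")
        if rec.get("process", "").lower() in processes:
            reasons.append(f"process {rec['process']}")
        if rec.get("path", "").lower() in paths:
            reasons.append(f"file {rec['path']}")
        if reasons:
            hits.append({"record": rec, "reasons": reasons})
    return hits


def high_volume_processes(records, threshold_bytes):
    """Total bytes_out per process and return those above the threshold.

    Covers the 'surprising increase in data usage' sign even when nothing
    matches an indicator; the threshold is an assumed tuning value.
    """
    totals = defaultdict(int)
    for rec in records:
        totals[rec.get("process", "?")] += rec.get("bytes_out", 0)
    return {p: b for p, b in totals.items() if b > threshold_bytes}


if __name__ == "__main__":
    found = parse_indicators(STIX_BUNDLE)
    for hit in scan_records(SAMPLE_RECORDS, found):
        print(hit["record"]["ts"], hit["record"]["process"], "->", ", ".join(hit["reasons"]))
    print("high-volume:", high_volume_processes(SAMPLE_RECORDS, 1_000_000))
```

Run as written, the script flags three of the five constructed records (an indicator domain contacted by the messaging process, a subdomain of it contacted by an indicator-named process, and an indicator file path) and lists one process above the byte threshold. On a real device the records would come from a backup or a data usage database rather than an inline list, and the indicators from a maintained STIX2 file; the matching logic is what stays the same.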
The software package iMazing, running on a Mac, can detect Pegasus on a connected iPhone or iPad.
What is Pegasus?
Pegasus is the name of the most widely known sophisticated ODIT, and the latest example of how vulnerable we all are to digital spying. It achieved widespread awareness and notoriety when it was discovered on the Android and iOS smartphones of prominent politicians, human rights activists, and journalists. Many have speculated that Pegasus was installed on these phones by various autocratic regimes.
The Israeli cyber-surveillance company NSO Group developed Pegasus and claims its spy app is only used to “investigate terrorism and crime” and “leaves no traces whatsoever.” However, the Forensic Methodology Report, produced by Amnesty International, shows that neither of these statements is true.