Spyware 101: A Guide for Tech Dummies

Several months back, before COVID-19 rocked our collective world, someone hacked Jeff Bezos’ phone, and the event sparked a national conversation. People asked: How easy is it to slip malware or spyware onto a phone? Are governments spying on us? Are companies spying on us? Is MY company spying on me!? Below, let’s look at some common spyware questions, in plain English for non-technies.

What is Spyware?

Spyware is a piece of code that monitors a digital device. Unlike malware, which deploys viruses, spyware tracks activities and extracts information, like browsing history, app data, and texts. It can be installed on all electronic devices, including phones, tablets, PCs, virtual assistants, and smart-appliances.

Can It Be Deployed on a Phone Remotely?

Bad actors don’t need in-person access to install spyware. Take the Bezos phone hack. According to reports, the Amazon founder had exchanged phone numbers with Saudi crown prince Mohammed Bin Salman (MBS) at a dinner party. A few weeks later, Bezos received a video from a WhatsApp account that allegedly belonged to MBS. Bezos’s forensic team contends that massive amounts of data were uploaded to his phone within hours of the video landing. They didn’t find any spyware but concluded that a furtive piece of code was embedded in the message.

We must note that Saudi Arabia adamantly denies any involvement. Some folks are skeptical of the country’s claim, but skilled hackers purposefully mask their work and plant false flags — which very well may be the case in this incident.

Regardless of who’s responsible for Bezos’ phone hack, you should extract two lessons from the incident:

  1. It can happen to anybody; and
  2. Be very leery of unsolicited videos and photos that land on your phone, even if you know the sender.

Spyware Laws

Few laws govern spyware, hence the industry’s Wild-West edge. Moreover, spyware developers protect their clients’ identities at all costs. As such, the market is a bit of a black box.

Do Governments Use Spyware?

Yes, some authoritarian-leaning countries use spyware on their citizens and strategic foreign targets. Democratic-leaning nations also use it for spycraft and counterintelligence operations.  However, U.S. law enforcement agencies cannot deploy spyware onto private devices without a judicial warrant, except in the rarest of circumstances when a known threat is imminent.

Do Companies Use Spyware?

Yes, some companies use spyware. Brands may deploy trackers, in the form of cookies, that monitor where you are or trigger pop-up offerings. They can do this because you agreed to it by clicking “yes” on the “terms and conditions.”

Employers also use spyware on work-issued devices, like phones, tablets, and computers. So if you don’t want your employer to access personal email and social media accounts, don’t install them on your work devices.

On Phones

Mobile spyware is becoming more prevalent, especially on devices issued through work. It’s also becoming more stealthy and can sit on a device for months without anyone being the wiser. It can activate microphones and record conversations. It can take pictures with the phone camera and download everything on a phone.

So take a minute to think: What sensitive materials do I have on my phone?

Could it Happen to Me?

Theoretically, spyware can land on any phone. Lawyers, journalists, activists, politicians, and business luminaries, however, need to be extra careful because they’re front line targets. According to the University of Toronto’s Citizen Lab, 100 high-profile spyware abuse cases have been uncovered over the past several years.

Pushback and Lawsuits

Spyware lawsuits are hitting the courts. Popular messaging app WhatsApp is suing a company for violating the WhatsApp terms of service. The chat platform is accusing a spyware company for allegedly using its platform as a delivery service inappropriately. It’ll be awhile before the case comes to a conclusion, but we’re eager  to see how it ends. A WhatsApp win could significantly alter the playing field.

What can you Do to Protect Yourself?

Avoid unwanted programs and attacks by bending the knee to updates. Let them rule you. When your phone or device prompts an update, don’t swipe the alert away. Don’t ignore it. Take two minutes and let the update run. Also:

  1. Remain vigilant when it comes to suspicious emails, text, and attachments.
  2. Scrub your devices of non-essential apps; and
  3. Check your privacy settings on a regular basis.

People who want to avoid getting swept up in routine dragnet data sweeps can install apps like Signal that help keep you further off the radar.

To learn more about personal privacy and digital security issues, head to our blog!