Spyware Examples: 4 Real Life Examples That Shook 2021

Not sure how spyware works or what harm it can cause? Want to catch up on the latest examples of spyware and industry trends? Let’s explore some of the biggest spyware threats that appeared in 2021.

If you are looking for spyware examples, you have come to the right place. Of course, this means that you probably already know that spyware is malicious software used to spy on people – the name betrays it. But did you know that spyware has powers beyond stealing your photos and data?

Spyware is malware that can also be used to:

  • Lock your screen,
  • Disable antivirus programs,
  • Record videos using your phone camera, and
  • Cause a variety of other problems – sometimes without leaving a trace.

In this article, we will review four true examples of spyware discovered or observed in 2021, including how they invade victims’ devices, what damage they cause, and what techniques we can use to treat and prevent these dangerous infections.

Spyware Example 1: PhoneSpy

On November 10, 2021, researchers at Zimperium zLabs published a report on a spy app they found in the wild in South Korea that targets Android devices. This malicious program, called PhoneSpy, impersonates an ordinary application so that attackers can gain access to the infected device, steal its data and control it remotely. It is estimated that this spyware has infected more than 1,000 Android devices.

How PhoneSpy infects your device

The exact delivery method is unknown. PhoneSpy has been found hidden in 23 apps that pose as legitimate apps, such as yoga lessons, video streaming and messaging apps. Because these apps are not in the Google Play Store, zLabs researchers believe the malware was distributed through third-party platforms, with links shared by the attackers through social engineering and phishing techniques.

Screenshot from Zimperium zLabs showing the type of phishing URLs that PhoneSpy loads.

What happens when PhoneSpy infects your device?

Not sure what happens when spyware like PhoneSpy is installed on your device? The following is a quick overview of the risks associated with this example of spyware and what it can do:

  • Theft of credentials, photos, contact lists, call logs and messages
  • Record video and take pictures using the front and rear cameras of the device
  • Record or broadcast your GPS location
  • Download files and documents from the hacker-controlled command and control server (C&C server)
  • View device information like IMEI (i.e. serial number), brand, device name and Android version
  • Lead victims to phishing sites to trick them into sharing credentials

How to protect your device from this example of spyware

PhoneSpy performs its activity without leaving a trace and hides itself by hiding the infected app icon from the device menu. Thus, the victims are unaware that their device has been hacked. There is no information on how much data is stolen or how it has been misused.

On November 22, 2021, Zimperium announced that PhoneSpy’s command and control server had been taken down and is no longer active. So, in theory, PhoneSpy should no longer be a threat. This spyware example may have been used for espionage, with the campaign ending once its task was completed. However, you should avoid installing apps from anywhere other than official app stores (Google Play, Apple App Store, etc.) and be careful if someone asks you to do so.

Spyware Example 2: Android/SpyC23.A

Advanced Persistent Threats (APT) are well-planned, well-organized, multi-stage attacks. They are usually aimed at government agencies and corporate giants and are run by organized groups of hackers working together. Because espionage is one of the main goals of APT attacks, the groups behind them often deploy innovative spyware.

One infamous APT group is APT-C-23. APT-C-23 uses many types of attack, including Android/SpyC23. On November 23, 2021, Sophos published a report stating that it had discovered a new and powerful version of this spyware, called Android/SpyC23.A. The malicious program serves the infamous group of threat actors known as APT-C-23. Earlier versions of this malware are known as VAMP, FrozenCell and GnatSpy.

After being installed on the target device via a trojanized app, the spyware tricks the user into granting it device administrator permissions. This approach allows the attacker to:

  • View your sensitive files,
  • Lock the device,
  • Install or uninstall apps, and
  • Disable security messages (so you are unaware of their activity).

The new version can fall back to other C&C servers in case the primary server is taken down. It also hides alerts coming from security apps and the Android system, which means the victim does not receive a warning about the threat – even if the phone’s security software has already detected the malware.

How Android/SpyC23.A infects your device

Android/SpyC23.A is delivered through infected applications distributed via SMS or similar channels. It may be disguised as:

  • App updates
  • System application updates
  • Android Update Intelligence

After infecting a device, Android/SpyC23.A changes its display icon and name to those of another well-known app to disguise itself. Sophos reports that the apps it typically impersonates include:

  • Google Play
  • YouTube
  • Google
  • edition

What happens when your device becomes infected?

Now that we know what Android/SpyC23.A is and how it infects your device, it’s time to explore its effects:

  • Read messages, documents, contacts and call logs
  • Record incoming and outgoing calls
  • Take screenshots and pictures
  • Record video of the screen
  • Read app messages
  • Block alerts from Android and security apps

How to protect your device from this example of spyware

Download apps only from the App Store or Play Store, never from SMS, WhatsApp or emails. Do not grant admin / super-user / root access permissions to any application. We have not yet found an anti-spyware program that claims it can remove Android/SpyC23.A, so the best way to reduce the threat is to avoid getting infected in the first place.
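Both PhoneSpy and Android/SpyC23.A reached victims as sideloaded APKs rather than through Google Play. The following is an added example, not code from the original article or from any of the vendors cited, that inventories the third-party apps on a connected Android device whose installer was not the Play Store, so they can be reviewed and removed. It assumes adb is on PATH with USB debugging enabled, and that `pm list packages -i` prints lines of the form `package:<name>  installer=<pkg|null>` (Android 8 and later); the sample output is constructed.

```powershell
# Added example: list non-system Android apps that were NOT installed by Google Play.
# Assumptions: adb on PATH, USB debugging enabled, 'pm list packages -i' output format
# 'package:<name>  installer=<pkg|null>' (Android 8+). Sample lines below are constructed.

# Installers considered trustworthy. Add vendor stores you rely on, e.g. the
# Samsung Galaxy Store ('com.sec.android.app.samsungapps'), if applicable.
$TrustedInstallers = @(
    'com.android.vending'   # Google Play Store
)

function Get-SideloadedPackages {
    param(
        # Default: query the device. '-3' restricts the list to third-party (non-system)
        # packages, '-i' appends the installing package for each entry.
        [string[]]$PmOutput = (& adb shell pm list packages -3 -i)
    )

    foreach ($line in $PmOutput) {
        if ($line -match '^package:(\S+)\s+installer=(\S+)') {
            $pkg       = $Matches[1]
            $installer = $Matches[2]
            if ($installer -notin $TrustedInstallers) {
                # 'null' means the user installed the APK directly; the system package
                # installer ('com.google.android.packageinstaller') is also a sideload.
                [pscustomobject]@{
                    Package   = $pkg
                    Installer = $installer
                }
            }
        }
    }
}

# Constructed sample output so the parser can be exercised without a device.
$sample = @(
    'package:com.example.yogalessons  installer=null',
    'package:com.whatsapp  installer=com.android.vending',
    'package:com.example.videoplayer  installer=com.google.android.packageinstaller'
)
Get-SideloadedPackages -PmOutput $sample | Format-Table -AutoSize

# Against a real device, omit -PmOutput so the function queries adb directly:
# Get-SideloadedPackages | Format-Table -AutoSize
```

With the constructed sample, the two com.example packages are reported and WhatsApp (installed by Google Play) is not; a reported package is not automatically malicious, but it is one you installed outside the store and should recognize.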

Spyware Example 3: Pegasus

It is safe to say that Pegasus, the spyware from the Israel-based NSO Group, disrupted the world of espionage and made headlines all over the world. Although the company claims that it helps countries fight terrorism and crime, evidence suggests that its customers use Pegasus for their own agendas. It is used to spy on activists, political rivals, employees, bloggers, media workers – anyone the customer wants.

The latest attack, FORCEDENTRY, targets Apple users. On September 13, 2021, researchers at Citizen Lab released a report on a zero-click exploit that abuses a vulnerability in iOS CoreGraphics to deliver Pegasus spyware. Besides spying on the victim’s device, it also deleted evidence of its activity from the phone’s DataUsage.sqlite file.

The NSO Group has clients in many countries, including the United States, the United Kingdom, Saudi Arabia, the United Arab Emirates, Hungary, France and India. You can follow all the latest developments related to Pegasus spyware on The Guardian’s website.

How Pegasus Spyware Infects Your Device

Pegasus spyware is distributed in three main ways:

  • Spear phishing through text messages or emails
  • Zero-click attacks that exploit vulnerabilities in applications and operating systems
  • Over the air, via a wireless transceiver located near the target

What happens when Pegasus enters your phone

After infecting a device, Pegasus can:

  • View SMS messages, address books, call history and journal entries
  • Read and manipulate web browsing history
  • Track activity and conversations
  • Turn on the camera to record in real time
  • Turn on the microphone to record calls
  • Track GPS location

How to protect your device from this example of spyware

Pegasus spyware is used to spy on specifically targeted users and is not currently a threat to most of us. If you think you may be a target for Pegasus spyware, it is best to enlist the help of a trusted cyber security specialist. Because this spyware is used in extremely sophisticated attacks, you will not be able to prevent it while your phone has existing, unpatched vulnerabilities.

However, to reduce the risk of infection, be vigilant when opening videos, messages or unknown links. If you think your device is infected, you can always perform a factory reset to get rid of many types of malware.

Spyware Example 4: Ghost RAT

Ghost RAT (also spelled Gh0st RAT) is a Trojan horse designed for espionage. RAT stands for “Remote Management Tool”. The name is appropriate given that Ghost RAT’s operators, the GhostNet system, use a C&C server to remotely control victims’ devices.

The latest Ghost RAT attack targeted NoxPlayer, a free Android gaming emulator for PC and Mac from a company called BigNox. On February 1, 2021, WeLiveSecurity released a report indicating that attackers had compromised the BigNox API infrastructure to host and deliver Ghost RAT and two other types of malware. The campaign was aimed at users in Taiwan, Hong Kong and Sri Lanka.

How Ghost RAT infects your device

Attackers use phishing scams and social engineering to trick potential victims into downloading the infected software. Because Ghost RAT is a Trojan, the payload does not run until users download, install, and run the software.

What happens when Ghost RAT is installed

After a user installs Gh0st RAT, the spyware operator (i.e., the attacker) can:

  • Access the infected device remotely
  • Turn on the camera, video recording, and audio recording functions of the device
  • Steal stored data
  • Use encrypted TCP channels to prevent detection

How to protect your device from this example of spyware

The basic steps to protect your device from Gh0st RAT spyware are the same as those of any other malware:

  • Install software and applications only from legitimate sources
  • Carefully read reviews in the app store if you are installing an unknown app
  • Keep track of the apps on your device
  • Uninstall suspicious applications
  • Keep your devices up to date and patched
  • Recognize the difference between fake and legitimate software

How to identify legitimate software to avoid spyware (and other types of malware)

Legitimate companies use code signing certificates to prove the authenticity of their software. Organizations seeking publicly trusted digital certificates must first be vetted by a third-party certificate authority (CA). The CA validates specific information about your organization before issuing the certificate. This lends trust and legitimacy to both your organization and your software by binding your verified organization details to the software you sign.

But how do you know if an app is digitally signed? When a user downloads or attempts to install your software, a dialog box appears showing the name of your verified organization in the publisher field.

Compare this to the “Unknown publisher” warning that appears when a user tries to install unsigned software:

Code signing certificates come in two types: standard validation and extended validation (EV). What is the difference between the two?

  • A standard code signing certificate shows the verified identity details of your organization (as shown in the diagram above).
  • An EV certificate bypasses the warning entirely because it is automatically trusted by Windows operating systems and browsers.
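The publisher dialog is what Windows shows at install time; the same check can be scripted before anything is run. The following is an added example, not code from the original article, that verifies the Authenticode signature of a downloaded installer, reports the verified publisher name, and tells a standard certificate from an EV one by looking for the CA/Browser Forum EV code signing policy OID (2.23.140.1.3). It assumes Windows with PowerShell 5.1 or later; the file path is a placeholder.

```powershell
# Added example: verify a downloaded installer's Authenticode signature, report the
# verified publisher, and flag whether the signing certificate is EV.
# Assumptions: Windows, PowerShell 5.1+; 'C:\Users\me\Downloads\setup.exe' is a placeholder.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Verifies the embedded signature against the Windows trust store and
    # returns the signer certificate on success.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File      = $Path
        Status    = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Publisher = $null
        IsEV      = $false
        Verdict   = $null
    }

    if ($sig.Status -ne 'Valid') {
        # NotSigned is the "Unknown publisher" case; HashMismatch means the file
        # was altered after signing (tampered with, or a corrupted download).
        $result.Verdict = "Do not install (signature status: $($sig.Status))"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Publisher = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # EV code signing certificates carry policy OID 2.23.140.1.3 inside the
    # Certificate Policies extension (OID 2.5.29.32).
    $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if ($policyExt) {
        $result.IsEV = ($policyExt.Format($false) -match '2\.23\.140\.1\.3')
    }

    $kind = if ($result.IsEV) { 'EV certificate' } else { 'standard certificate' }
    $result.Verdict = "Signed by verified publisher '$($result.Publisher)' ($kind)"
    [pscustomobject]$result
}

# Usage (placeholder path):
Test-InstallerSignature -Path 'C:\Users\me\Downloads\setup.exe' | Format-List
```

A Valid status only proves the file is unmodified since a CA-vetted organization signed it; whether that organization is the one you intended to download from is still your call, so compare the Publisher value against the vendor’s real name.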

Last words on examples of spyware in 2021 and what that means for 2022

There is a misconception that only influencers and politically active people can become the target of spyware. But spyware operators have many goals besides espionage, and in fact anyone is a potential target. Cybercriminals can use spyware to steal your sensitive data and then extort you with it. They can also sell the data they collect to advertisers who want a better understanding of your likes, interests and buying preferences.

To avoid getting infected with spyware, always be vigilant about what you download, which links you click and which permissions you grant to an app. Do not hesitate to seek expert help if you think your device is infected with spyware. We hope these recent spyware examples have given you an idea of what the spyware landscape looked like in 2021, and what you can do to protect yourself and your data in 2022.
