Spyware on your phone?

How suspicious spouses, protective parents, and concerned companies are turning to cheap and hard-to-detect commercial spyware apps to monitor your mobile communications.

Sometime in early 2007, Richard Mislan, an assistant professor of cyberforensics at Purdue University, started getting phone calls and e-mails from people around the world–all looking for help with the same problem. “They thought someone was listening in on their cell-phone calls,” he says. “They wanted to know what they could do to confirm it was happening.”

Mislan, who has examined thousands of phones at the Purdue Cyber Forensics Lab, politely disregarded some callers as a little paranoid. Others, he thought, had reason to be concerned. A decade ago the idea that anyone with little technical skill could turn a cell phone into a snooping device was basically unrealistic. But as the smart-phone market proliferates–it grew 86 percent in the United States alone last year–so do all the ethical kinks that come with it. Among them is a growing sector of perfectly legal smart-phone spyware apps that are peddled as tools for catching a cheating spouse or monitoring the kids when they’re away from home. But what they can effectively do, for as little as $15 or as much as several hundred, is track a person with a precision once relegated to federal authorities. “Not only can you look at a person’s e-mail or listen to their calls, in some cases you can also just turn on the microphone [on a smart phone] and listen to what the person is doing any time you want,” says Chris Wysopal, cofounder and CTO of Veracode, a software-security company.

Turning what is essentially cell-phone-bugging software into a business model is not a bad idea, technically speaking. The smart-phone market–largely dominated by the Symbian, Research in Motion, and iPhone operating systems–has 47 million users in the United States and is expected to exceed 1 billion worldwide by 2014, according to Parks Associates, a market-research firm. In most cases, people’s lives are tethered to these handsets. It’s how we e-mail, text, search, and, on occasion, even call someone. And the dependence just continues to grow. Last year consumers paid for and downloaded more than 670 million apps that can turn a phone into everything from a book reader to a compass. Smart-phone users effectively carry a real-time snapshot of what happens in their daily lives. This is what makes the smart phone the perfect way to track someone.

Among the top commercial spyware vendors who have ventured into this space are FlexiSPY, MobiStealth, and Mobile Spy. While the services vary, what they do is essentially the same. According to all three spyware Web sites, a person must have legal access to a smart phone to install a piece of spyware. For example, if you’re spying on a family member, that means the phone is family property. If you’re an employer monitoring your employee, the phone should be company-owned. To install the spyware, you have to have the phone in your possession for at least a few minutes to download the app. (There are apps that can be downloaded remotely, but that’s less common and not legal.) In Mobile Spy’s case, once the software is installed, you can log into your Mobile Spy web account to view e-mails, text messages, pictures taken, videos shot, calendar entries, incoming and outgoing calls, and GPS coordinates. MobiStealth and FlexiSPY take it a step further and allow a person to remotely record any conversations that take place near the cell phone. “The most threatening [part] is that it’s pretty impossible to tell if this is happening to you,” says Mislan. That’s because once the spyware app is on the phone it is virtually undetectable to the average user. There is no typical corresponding app icon, nor is it listed on any menu. At best, it may show up with a generic name like “iPhone app” or “BlackBerry app,” so that it appears to be a regular part of the system.

There is nothing illegal about making these apps, and almost all makers have disclaimers on their Web sites warning people not to use their products illegally. “Our software is for very specific uses,” says Craig Thompson, support coordinator of Retina-X Studios, the creator of Mobile Spy. “We do what we can to discourage inappropriate use.” Still, there is no way to know if someone is using the app to monitor his or her child (legal) or stalk an ex (not so much). Illegal use of spyware has already been reported in states such as Washington, Oklahoma, and Texas. According to Wysopal of Veracode, in addition to state and local laws, the federal Computer Fraud and Abuse Act and the Wiretap Act technically offer some protection for consumers. But even if someone discovers spyware on their phone, prosecuting the perpetrator can be difficult. “The problem with this law is the crime has to rise to the level of a felony for the FBI to investigate, [and] that typically involves $5,000 or more in damages,” Wysopal says. “I don’t really know what the damages are for someone installing [mobile spyware] and reading your e-mails.”

Jeff Troy, acting deputy assistant director for the FBI’s Cyber Division, says the issue is a growing concern for his organization because of how fast the smart-phone market is evolving. “I do think there is need for additional cyber laws to address this,” he says.

Until that happens, the best solution may well be preventive. According to BlackBerry maker Research in Motion, “BlackBerry smartphones include a firewall that can be set to prevent an app (like spyware) from making external connections; and passwords can also be required to authorize downloading an application to the device.” Google’s Android gives apps limited access to phone resources by default, but that can be changed manually, so the best bet is to lock the phone and/or SIM card whenever you’re not using it. Google has also recently activated a “kill switch” on its phone to remotely disable apps “that violate the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies.” Of the trio, Apple probably has the most user-friendly safety net, because all apps must be approved by its app store. To even get most spyware apps on an Apple iPhone, a person would have to jailbreak it, which voids the warranty.

If the software is already on a phone, Mislan says there is little that consumers can do on their own to confirm this. Even if you’re positive you are being spied on, doing something like replacing the SIM card is not always enough to wipe a phone clean of the problem. In some cases, Mislan advises consumers to reach out to companies like SMobile Systems that offer security solutions for cell phones–a growing market in themselves.

Wysopal says that as with so much that’s technology-related, something big has to break before things change in the smart-phone spyware space. “You’ll have to see someone important, like a politician, have their phone compromised,” he says. “If that happened, it would be a wake-up call.”