Okay, so hello everyone. My name is Ahmed. I'm very happy to be here. And in addition to being happy, I'm also a security analyst and a penetration tester at ARMV in Heidelberg. And yeah, tonight I will talk about these little creeps that live in our pockets and feed on our secrets that we trust our phones with. With that I mean stalkerware, mobile stalkerware, and spyware. So tonight I will give an overview about how they work on Android and iOS and then we'll look at them from social and legal points of view and I will conclude with just some tips on how to detect these apps and how we can try to prevent them or protect ourselves from them. So I will go through all of this, but after this commercial. So are you a caring mother who is really worried that your child is growing wild? Are you a loving husband who suspects that your wife is having some kind of love affair with the neighbor's dog? Been there. Don't you just want to know that everything is going fine with the people you love? Don't you just want to make sure that they are not hurting themselves and especially not hurting you? Don't you just want to know that everything is fine and you can finally relax? Don't you just want to know? Well, say no more and have no fear because Creepy Joe is here. With Creepy Joe and also with your assistance, he will know everything about the people you love. Where they are, where they go, what they type on their phones, he can take a look at all the images and videos on their phones and he would know every little social media activity that they do. And for some fee, of course, he will share most of the secrets with you. So that's it, but don't you forget, our dashboard is awesome, our security is shit. But we welcome your creepiness, your insecurities unless, because if you can't trust your loved ones, who else can you trust? With Creepy Joe, now you know. And now we're back to the presentation. So this commercial mainly just summarizes my whole presentation.
And I think most of you have now pretty much figured out that this Creepy Joe doesn't exist. However, there are a lot of those Creepy Joes out there on the Internet and they are proudly and openly offering the service so that you can spy on the people you love. Pretty nice, right? So what are these Creepy Joes? They are called spyware or stalkerware and sometimes stalkware. The difference between the terms is not that big, so I'll just keep using these terms interchangeably during this presentation. They are mainly spying services. And in most cases, they are apps installed on the victim's phone by the attacker. These apps will collect much, much, much information from the phones and then send it to the service back end. Then the attacker goes to the back end, logs in and sees all of the stolen data on his or her dashboard. What makes it really creepy is that it is personal. It's not like there's some hacker on the other side of the world who hacked you by mistake. This hacker or this attacker wants to spy on you, personally you. And usually those people are unfortunately people who are really close to you and who you thought you could trust, for several reasons. So what kind of features do those spyware apps provide? It depends. But in the worst cases, it can reach keylogging, geolocation (current and previous locations), access to contacts, emails, SMSs. And in some cases, if you're lucky, you will also get audio and video stream from their phones. And in addition to all of that, the data of all apps installed on their phones. That of course depends on the platform, whether it's iOS or Android, and whether they are jailbroken or rooted or not. So we'll start with Android. So in this presentation, or my little research, I analyzed one of those Android spyware services called Android Monitor.
It's pretty cool because it gives me one free day to analyze it and then it asks for just as little as $3 per month, which is nothing for someone who wants to stalk someone. And how does it work? So let's just assume, let's just assume, okay, that I'm a kind of crazy person who is in a relationship and I'm suspecting my girlfriend or something. I wait for her, for example, when she takes a shower, I will sneak in, take her phone, unlock it. And that will be the hardest thing I will do today. Then I will accept to install apps from third parties, so other places other than the Play Store. Then I go to some website. This one is called installk.com. Then I will download this Android spyware on her phone. I accept permissions. I give it all the permissions that it wants. I enable some settings and if the phone is rooted, then I will also grant it root privileges. I will return the phone and then I will chill as if I didn't do anything bad today. So of course, when the person who I'm spying on comes back from the shower and looks at the phone, they will see that there's a strange app. But this is where Android itself helps the spywares to hide themselves. Because here there's a class called PackageManager and it supports a method called setComponentEnabledSetting. So by decompiling the code of the app, I see that they're using this method with RegisterActivity. RegisterActivity is the main activity, which is the main component that actually launches the app. When this activity is hidden, the icon is hidden. For a normal user who doesn't suspect anything, they will not notice that this app is installed. And then every time the phone boots, it sends a broadcast to all apps like, hey, I completed booting. Now you guys just work and do whatever you're doing. So this app also listens to these broadcast messages and listens to this boot completed. When it's completed, then it starts itself again to start spying.
Not only that, Android can also give those apps the capabilities just to take more information. And I just want to make sure I'm talking now about unrooted phones. So it can be like the most updated phone with the latest Android version. And this can, or most of this would work. So Android, of course, gives access to some sources of information which apps actually really need, like GPS location, for example, or access to contacts. However, it can also give the capabilities for apps to read SMSes stored on the phone and the new ones that they receive. Access to emails and to browser history and bookmarks. So of course, all of these capabilities require permissions. But we assume that the attacker, when he installed the app, granted the app all the permissions that it needs. Not only that, Android also offers actually an innocent and very good functionality called accessibility events. And this helps users with some disabilities to, let's say, handle their phones better. Or also, the users who cannot handle their phones properly, for example, if they are driving or something. So apps can actually listen to those accessibility events. And then they try to make, for example, the presentation of data to the users more friendly for the people who cannot just use their phone normally. In that case, the setting of code standard typing service has to be enabled. And any app who listens to those accessibility events has to also require this permission called BIND_ACCESSIBILITY_SERVICE. Now, this is good. This can be helpful, actually. But is it really secure? I really don't think so. Because those accessibility events are sent to all apps. All apps who are granted this permission can listen to all of those accessibility events. And our focus is on two main events: text changed, with ID number 16, and text selection changed. So when somebody is typing something and then the text has changed in an input, or when, for example, the focus went off of an input field.
The issue with those events is that they have a lot of information. They have the name of the app and the actual text that has been changed. So we can say that somehow you have a keylogging service that is sponsored by the Android OS itself. And this is what most of the malware and most of the spyware use just to do the keylogging attack. So, again, going back to the app, there's a component called MainAccessibilityService that usually works in the background. And we can see here, yeah, maybe it's a bit small, but it requires the BIND_ACCESSIBILITY_SERVICE permission. And here it listens to the accessibility service events. If you look at the code of this MainAccessibilityService component, yeah, a bit small, but we see that it checks for the ID of the event, if it's 16 or 192, which are text changed or selection changed. In that case, they can get the text that has been changed and then they can just process it however they like and eventually send it to the back end. So now for the demo, it's just a quick Frida script that hooks into this component and just shows us how these accessibility events work to achieve a keylogging attack. So here I have an Android emulator and I installed the app already there and I gave it all the permissions. And now I will just run this Frida script. Of course, if the demo gods allow me to, I will show you how this is captured pretty easily. So now as you see, just by doing anything, you can already see that there are accessibility events detected there. So I will just type "test" and here you can see it's already detected there. And it's there again. And also the name of the app is there. So this is a pretty reliable keylogging attack thanks to the Android operating system. So let's also take a look at the dashboard of the attacker now and how much information he will get from that. So this is the dashboard and you can see here there's just a lot of information. So we can go to, for example, call history.
You can see who they called, when and the duration. The resolution doesn't have the SMS. All of this stuff. GPS location, it's an emulator so the GPS location will not work that well. But the IP location says that I'm somewhere in Germany. Also images. Wait a minute. The guy in the commercial was right. She was having an affair with the neighbor's dog. Well, yeah, this is how you know. But anyway, keep going on. If we look now at, for example, apps, the data of other apps, then you see that it requires rooted devices because of what I will talk about next. It's coming in the next slide. But here eventually we can see the keylogging. It takes some time to get reflected on the dashboard. But here we can see everything that I wrote on this emulator is just there. And the app that generates this. So, yeah, again, all of this data can be really achieved by any stalker without rooting the device and even if the device is really secured. But now if we assume that the device is rooted, then hell can really break loose. Because the difference between rooted and unrooted devices is that when the phone is unrooted, then each app works in its own sandbox. Each app has its own dedicated memory and dedicated storage. And no other app can access the resources, for example, the storage of any other app. Now when you root your phone, then any process running with root privileges can just access anything. And that's how the spywares with root privileges can just get the data of any app. For example, WhatsApp messages, Skype contacts, Tinder matches, whatever. So this is how, for example, our spyware gets the data of Skype. So first of all, it just runs a thread every now and then. Then it searches for any installed Skype database on the phone.
Then it uses its root privileges to change it into world readable, copies the database into a temporary database and then squeezes the secrets and information out of it and then just sends it to the backend or does whatever it wants with it. So that was a quick overview on Android. Now going to iOS, it's mainly more or less the same, especially the sandboxing. Also, every app works in its own sandbox and no other app can access the storage of any other app. And also iOS gives the apps some sources of information that they might need, such as location and contacts and so on. However, iOS, in my point of view, is more secure than Android from the perspective that they don't give full access to SMSs or emails as far as I know. Also, you cannot install any third-party apps on iOS if it is not jailbroken in most cases, or at least not as easily as just going to a website and then downloading an app and installing it. Also, they provide a very good accessibility events feature, but they are not as open as the one in iOS. So even if you install a spyware on an unjailbroken iOS, you will not get any keylogging service and you won't get full access to, for example, SMSs and so on. However, there is an interesting third option here. Yeah, sorry. So anyway, if it's jailbroken, then the same thing happens. Also, keylogging can work because now the spyware will run with root privileges and then can access everything, and in some iOS versions can even access some system information such as the keychain, for example. But there is a third option which is interesting, which is iCloud. Now, if the phone is not jailbroken and you, the stalker, are not really a fan of all of these ninja moves, just like, you know, stealing the phone and then trying to install something before somebody sees you and so on, there's an easier way, because iPhones give the possibility of, yeah, backing up everything on iCloud.
And this everything can contain call logs, SMSs, images, videos, and also the backups of some apps. So actually, why would we go to the iPhone to steal the information when we can just get it from iCloud? But of course, no spyware or stalker will try to hack iCloud. And this is where the stalker comes in. So all the stalker needs to do is go to, for example, one of those spying services. mSpy is one of the most famous ones that do both iOS and Android. And they offer iCloud spying. So the stalker just goes there, creates an account, pays a little bit more than the $3, 33 euros. But I mean, it's Apple, everything has to be expensive, of course. But then they create the account and then just give the spyware the iCloud credentials, then the spyware will just go to iCloud, pull all the data. And then again, the stalker just chills and then later logs on to see on the dashboard what kind of information he can get from the victim's phone. However, this would work only if two-factor authentication is not enabled. That's why they also try to give some tips on how to deceive the victim into disabling the two-factor authentication or do some social engineering or so, because otherwise it will not work. So here, we can see that this is what mSpy offers with jailbreak. It works on old iOS versions till 9.1, but it gives the full package of data of most apps installed on the phone. On the other hand, without jailbreak and with iCloud spying, you can also get WhatsApp. So why is WhatsApp more special than the other apps? Well, because WhatsApp backs up everything on iCloud. So all the messages and all the images sent and received, they're all backed up on iCloud. But for example, if we compare it to other apps such as Facebook, all the data of Facebook is already on Facebook servers. That's why the app itself doesn't need to back up a lot of information on iCloud.
But on the other hand, if you compare it to a jailbroken device, then the app itself, although it doesn't back up a lot of data on iCloud, caches a lot, a lot of data. And this is where the difference will be really huge. So I can just also show it quickly. So here I have the iCloud backup of Facebook. If we just take a look here, there are just two directories. Nothing much here. There isn't any cache. However, if we take a look at a snapshot of the storage directory of the Facebook app on a jailbroken device, then we can see there's much more data. And all of this is pretty juicy. If we can just take a look in a directory, then another directory, then some other directory here I can find. Yeah, anyway, it's somewhere here. There are too many directories to find it. Yeah, anyway, we can see that there's a lot of cache and a lot of information. So for example, these are all the images that the app opened, and it just cached them there. Of course, this is not my real account. I just liked a couple of cat pages. That's why you can just see cats everywhere, but I'm not really obsessed with cats, just for your information. And so yeah, now let's take a look at also the mSpy dashboard. So again, this data, there's nothing installed on the iPhone that mSpy is currently spying on. And you can see that there's also a good amount of information. The contacts, text messages, call logs, notes, all installed apps, you can see all the installed apps there. Browser history as well and bookmarks, as well as all WhatsApp messages. They're also there without touching the phone. So now let's take a look at those spywares from, let's say, the impact, or let's take a look at it from the social and legal points of view. Probably most of you now are wondering, is this thing really legal?
Well, I'm not a guy of law and I get bored when I read a lot of text, to be honest, but it was pretty clear in GDPR that it is essential for anything to process any user information, and just correct me if I'm wrong, that user consent is pretty important here. So consent means that the user has to agree that, okay, you can process my data, and also they have the right to withdraw it and the right to be forgotten, so to delete it. Of course, none of this will happen because you, as a victim, will not even know that somebody is collecting all of your information. And also for children, the consent of the parents has to be there. So consent is like the key. Without the consent, it should break the laws or should break at least the GDPR. But those apps are just out there and they're just open and they're basically saying, hey, come to us to spy on people. So how is this possible? Well, I took a look at the privacy policy of mSpy. Most of the time they were talking about the data security of the stalker himself. So how they use his email address and what kind of actions he does on the dashboard, as if this victim just doesn't exist. But then at the end, I just saw some text here and I'm just quoting: "you are the data controller of the target device data. And you appoint us as a data processor." Whatever that means, so at least they're not collecting the data, they just process it. And "you warrant that you have the appropriate authority to collect and process the target data", which is just like pretty normal for any stalker to go to the victim who they want to stalk like, hey, please, I'm free today. Do you want me to stalk you? Like, yeah, please, follow me. So it's also not possible that something like this would happen in real life. And the sentence that I was really waiting for: "you will be responsible of any illegal use of persons data." So they're just like throwing the ball into the stalker's court.
And it seems that it follows the same idea of "guns don't kill people, people kill people." Yeah, but with your guns, but now we didn't pull the trigger. And in that case, we also didn't install our malicious spying software on the people's devices. Also, Citizen Lab discussed a little bit the loopholes that some of those spyware services actually exploit in Canada in order to keep processing and keep working in business without being illegal. And in that case, they say that if they somehow show that they don't even process the data, they just get the data from somewhere, and then they just present it on the dashboard, then they're not doing anything illegal. And also, if we take a look at it from an ethical point of view, I mean, this discussion can take days, but we will start it with, yeah, we'll have to respect everybody's privacy, and we'll have to show our children that we trust them and so on. But I have never been a parent, but maybe one day when I just see my little child come to me with stoned red eyes and just like this, I will really freak out. And if there's like an easy solution for me just to make sure that they're not hurting themselves, and it just takes one minute and a couple of clicks, I'm not sure if I will take it or not, to be honest. And at least I won't blame anyone who will do this, or I will understand. An interview with a satisfied FlexiSpy user said: "I used the service to confirm that my ex-girlfriend was cheating on me. It allowed me to get a remote audio recording of her in the act." So at least that answers a couple of questions. But then okay, now you know that this is happening. What would you do? Would you just go on, move on and say, okay, fine, I will live another life? Well, in most cases, that doesn't happen according to people who work in, for example, domestic violence.
And they say that the strategy of the offenders is not just to know but to control the victims and to make sure that they live under pressure all the time. They also report that in the US, for example, 54% of the victims of domestic violence are victims of stalkerware. And in Australia, 74% of the people who work in this field report that people use these tracking apps to abuse women. And even if you don't do this, after you get the power of knowledge, that you can know everything, that you can know where everybody is and what they're doing, will you just let it all go and go back to oblivion, not knowing if people are cheating on you or not? That can be a little bit addictive. So at the end of the day, you might create a monster in yourself and might end up crazy as well. But is there any good side of this spyware thing? I didn't find anything that talks really about the advantages of these services, but there are some similar things. The first example is an app called Absher. Absher is a mobile portal to government services in Saudi Arabia. And they offer a horrible service for a husband to, I don't know how to say, just block the wives from driving abroad. So if the woman is going to the airport and her papers are fine, then the husband just says, no, you're not going anywhere. And of course, this is bad and a lot of activists got really mad at it and they even asked Google and Apple to take this app from the stores. And it actually worked out. In most cases it's now almost not working anymore. So yeah, victory, everything is fine. But as a twist in the plot, afterwards, Saudi women started to complain, saying that they were better off with this app. So now let's just agree on something. This is horrible, okay? This is horrible, to control somebody's freedom in that way. However, when this app was there, those controlling husbands were sure that, okay, I can block her at any time. She cannot go anywhere.
I can just click and then she won't leave the country. But now, now they're even controlling them more and don't leave them in a room because they don't know if they can block them or not. So again, it's a horrible thing, but it can also work as a blessing in disguise. Also, another example is GPS tracking of autistic children. And yeah, it's not spying, it's just tracking. However, it decreased the percentage of autistic children getting lost by 20, 23%, which is also good. However, in general, activists are really against this kind of services because I think everybody should agree that they are bad in most cases. And they managed, they put a lot of pressure on Google to withdraw seven of the stalkerwares, which were installed 130,000 times. Also, activists are calling on mobile antiviruses to mark them as malicious apps. Because even if some antiviruses really detect them, they don't report them as malicious. They just flag them as normal services, which is definitely wrong. And now Kaspersky really started to listen to this and now they flag them as malware. And finally, New York City, in cooperation with other universities, to also fight against gender-related violence, they created a tool called ISDi to detect stalkerware or spyware on victims' or just on people's phones. However, this tool is not just open. It's not open for anyone to use. I tried to contact them to use it and see how good it is. But they just didn't reply to me. Maybe they thought that I'm also developing a stalkerware that would not be detected by their tool or something. But as far as I know, from what I read, it's a good tool. And now we're getting to the slides. Because there are also a lot of activists that really target these services just to show how bad they are. In 2017 to 2018, at least eight of them got hacked. For example, FlexiSpy got hacked by a hacker called Leopardboy and another group called the Decepticons.
And they just went in there, they stole all the data, and then they leaked it just to show everyone that this is a horrible thing going on, and then they just erased all the servers. And they got in there because there was just an exposed admin panel out there on the internet. They managed to brute force the password and then they were in. Retina-X is also another supplier. The same thing happened to them twice. And the total number of victims is estimated around 130,000 with both hacks. And the list keeps going on. Family Orbit, 281 gigabytes of pics and video. And that's because there was just an API key out there in the app. True spy, same issue, 10,000 victims. And the list keeps going on and on and on. And honestly, I'm not even sure if this is considered bad publicity for them. I mean, for example, if I'm just a normal user, and I know that my email provider got hacked and my data got leaked, I would say I will never do business with those people again as a normal user. But if I'm a stalker and I know that, for example, mSpy got hacked and a lot of data, a lot of victims got leaked, including images, videos, social media data, so on, so on, so on, logs, I would say these people are really good. They're collecting a lot of data. And at the end of the day, I'm the stalker. I don't really care that much about the privacy of the people's data. And if I'm the victim, I wouldn't even know that my data got leaked, until maybe someone tags my leaked naked picture or something on social media. So I would say it's not bad publicity for them. And finally, we'll just take a look at how to detect these kinds of apps. So an indication is if you're having a relationship with someone who is a bit like a control freak or, yeah, there might be a possibility that they installed something on your phone.
Also, if your battery starts to drain rapidly or if your data traffic starts to just rocket quickly, that means that there's something running in the background collecting more data and then sending it to the internet. Especially for Android, if there are dangerous settings enabled such as allowing third-party apps or the accessibility event settings, that means that probably somebody also tampered with your phone. Antiviruses usually don't detect them, but now Kaspersky does. And finally, you can also check the installed apps. And I told you before that, for a normal user, you can't just see them if a spyware is installed on the phone because it's hidden. However, just by using quick commands such as ideviceinstaller for iOS, or just a simple adb command for Android, then you can just know what kind of apps are installed on your device. But of course, you need to know whether these apps are malicious or not. So you can see mSpy, okay, spy, in that case it's a spy, but if it's not, then you would never know. And yeah, that's why I just made a quick script. It's a Python script. It doesn't install anything on your Android device. And it just lists the installed apps on your phone and then queries those apps on Koodous. And Koodous is actually a great project. It's an online database of millions of apps which are analyzed using Yara rules and the Androguard tool. So it just queries these apps and then if there are bad reports on these apps, then it will tell you, hey, I found those bad reports. If not, then it will say it's cool. So I will just show you pretty quickly how it works. So now it's running again against the emulator I showed you before. So now it just gets all the installed, just the names of the apps, and then queries them on Koodous and then we'll see the result in a minute.
So also those apps, most of them are not malicious, but it also happens sometimes that somebody, for example, finds a malicious app which shares the same name or the same package name like this with a legitimate app. And that's why you can see, for example, a normal app, even a system app, with bad reports, but that is just a small ratio. So if we go up there a bit, we can see, for example, this is the Skype app, and I installed it myself, I know that it's not malicious. However, maybe some researcher found also a malicious app with the same name, and yeah, it's just one report out of 25, so the percentage is 4%. However, if we go back there, we will see this is our spyware app, and you can see 18 out of 18 reports, so this is 100% of the researchers saying that it is malicious. There are also some analyzed URLs you can check if you have an account on Koodous. So again, this doesn't analyze anything, it just checks mainly what other people say about the apps installed on your device. And finally, how to protect yourself. There isn't a bulletproof way to protect yourself from this kind of malicious apps, but as we always say, don't root or jailbreak your phone. Just don't. It might not look that interesting to you. There are not many tweaks, at least not better than being insecure. Just don't root the device. Also, we proved that the iCloud password is very important to somebody's personal security, so you have to handle it pretty carefully, and of course enable two-factor authentication. Don't install any untrusted apps, for Android specifically. You have to make sure that the authentication of your phone, to unlock your phone, is a good mechanism, not just swipe right, or just draw a pattern that people from kilometers away can see you drawing, and then they can unlock your phone. A password is not very convenient, just to type 20 digits every time you want to check your messages. So from my point of view, biometrics are the best.
Also, they can be bypassed, but not as easily as the others. Don't leave your phone unattended. If you're going to take a shower, just take it with you just in case. And finally, yeah, if somebody gives me a phone that's great, but just don't take phones as gifts, or at least if you take one as a gift, just factory reset it to make sure that nothing bad is installed on it. And now I've reached the end of my presentation, and thank you very much for not falling asleep. Thank you. Does anybody have any questions? Now it should be on. So there's like only a name validation. There's no way to like do a hash sum of the application to verify it's not using any other name. Sorry, come again? The script you showed to verify the app names. This is only a string comparison. No system to verify the hash sum also of the app. Okay, yeah, so you're asking if it's a better way to check the hash of the app? Yeah, if there's something to verify it by hash also, because the name can be changed like for every build or installation. That's right, and actually this is what Koodous does, so I will even show you in the output here. So even the links of these apps, these are just actually the hashes of the APK files, but just to make it more general, maybe they just analyzed like one version of the app and then you have just another version of it. So yeah, that would be more precise, but I'm just using this to make it more general, but it's a good idea also to add this just like as another step of confirmation, for example. It's a good idea, thank you. As you like. Well, you can shout then. Great. No, it's just a great recommendation, thanks very much. Yeah, so just for the sake of the recording, I'll just repeat what you said. So yeah, you're just suggesting that I should check the certificates that actually sign these apps and then I can recognize, let's say, the developer or the owner of the apps. Yeah, that's a great idea, thank you. Oh, you got experience now.
You said that you can see the high traffic volume of such apps, but do they show up when you go on the detailed statistics or are they just aggregated under system traffic usage? Yeah, that's a good question. Actually, I haven't checked something like this. I haven't checked to see if the apps themselves are sending like a lot of data, but I mean eventually you can just, as a user, even like if you're just watching your package, you can even see that, okay, now there's a rise in my traffic, but I think that can also be possible. Yeah, also a good idea, thank you. Anybody else? Okay, then yeah, thanks again. It was really nice to be here. Thank you very much.
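Editor's added example (not the speaker's Koodous script and not part of the talk): a small Python triage helper that covers the Android detection steps the talk describes (list third-party packages over adb, check which of them currently receive accessibility events, check for disabled launcher activities as used to hide the icon) and the hash check raised in the Q&A. It assumes `adb` is on the PATH with one device attached for the live path; the parsing functions are pure and are exercised here on constructed sample output, so the script also runs with no device. The package names, component names and digests in the samples are constructed placeholders. The reputation lookup itself (Koodous or any other service) is left to the reader, since the talk does not give the API details; the SHA-256 produced here is the value such a lookup would key on.

```python
"""Stalkerware triage helper (editorial example; assumes adb on PATH)."""
import hashlib
import subprocess
from typing import Dict, List, Set

# --- constructed sample output, as `adb shell` would print it on a device ---
SAMPLE_PM_OUTPUT = "package:com.skype.raider\npackage:com.example.spy\n"
SAMPLE_A11Y_SETTING = "com.example.spy/.MainAccessibilityService"
SAMPLE_DUMPSYS = """  Package [com.example.spy] (1a2b3c):
    userId=10123
    User 0: ceDataInode=1 installed=true hidden=false
      disabledComponents:
        com.example.spy.RegisterActivity
      enabledComponents:
        com.example.spy.MainAccessibilityService
"""


def adb_shell(*args: str) -> str:
    """Run `adb shell <args>` and return stdout (needs a connected device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_package_list(pm_output: str) -> List[str]:
    """`pm list packages -3` prints one `package:<name>` line per third-party app."""
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def parse_enabled_accessibility_services(setting: str) -> Set[str]:
    """`settings get secure enabled_accessibility_services` prints
    `pkg/.Service:pkg2/.Service2`, or `null` when nothing is enabled.
    Returns the packages that currently receive accessibility events,
    the channel the talk shows being used for keylogging."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def parse_disabled_components(dumpsys_output: str) -> Set[str]:
    """Collect names listed under `disabledComponents:` in `dumpsys package <pkg>`.
    A disabled launcher activity is how the talk's sample hides its icon."""
    disabled: Set[str] = set()
    lines = dumpsys_output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "disabledComponents:":
            indent = len(line) - len(line.lstrip())
            i += 1
            # entries are indented one level deeper than the header
            while i < len(lines) and len(lines[i]) - len(lines[i].lstrip()) > indent:
                disabled.add(lines[i].strip())
                i += 1
            continue
        i += 1
    return disabled


def sha256_of_bytes(data: bytes) -> str:
    """Digest used for hash-based lookups that don't depend on the package name
    (the point raised in the Q&A); feed it a pulled APK via sha256_of_file."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(packages: List[str], accessibility_pkgs: Set[str],
           disabled_by_pkg: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {package: [findings]} for third-party packages worth a closer look."""
    report: Dict[str, List[str]] = {}
    for pkg in packages:
        findings = []
        if pkg in accessibility_pkgs:
            findings.append("enabled accessibility service (can observe typed text)")
        hidden = sorted(c for c in disabled_by_pkg.get(pkg, set())
                        if c.lower().endswith("activity"))
        if hidden:
            findings.append(f"disabled activity components (hidden icon?): {hidden}")
        if findings:
            report[pkg] = findings
    return report


def triage_sample() -> Dict[str, List[str]]:
    """Offline run over the constructed sample output above."""
    pkgs = parse_package_list(SAMPLE_PM_OUTPUT)
    a11y = parse_enabled_accessibility_services(SAMPLE_A11Y_SETTING)
    return triage(pkgs, a11y, {"com.example.spy": parse_disabled_components(SAMPLE_DUMPSYS)})


def triage_device() -> Dict[str, List[str]]:
    """Live run: same logic over a connected device."""
    pkgs = parse_package_list(adb_shell("pm", "list", "packages", "-3"))
    a11y = parse_enabled_accessibility_services(
        adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
    disabled = {p: parse_disabled_components(adb_shell("dumpsys", "package", p)) for p in pkgs}
    return triage(pkgs, a11y, disabled)


if __name__ == "__main__":
    for pkg, findings in triage_sample().items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the report for the constructed sample; call `triage_device()` instead with a device attached. Findings are hints, not verdicts: a screen reader also appears as an enabled accessibility service, and vendors disable components for legitimate reasons, so the output is a list of packages to pull (`adb pull` the APK path from `pm path <pkg>`) and check by digest and signing certificate, as the Q&A suggests.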