Jealous lovers or suspicious spouses might be tempted to spy on their significant other’s smartphone – to snoop on texts or phone calls, peek at contacts, or scour the device for files such as photos.
But if you’re thinking about installing one of these apps on someone else’s mobile device without their consent, be warned – it’s not just morally questionable, in many juridictions, it’s very likely illegal.
Law enforcement has taken notice of these spyware apps, too, as evidenced by raids and arrests of users of one particular mobile spying app in Germany, France, Britain, Belgium, Switzerland and the United States.
It’s not clear at this point how many were arrested in the international law enforcement action, which Europol announced on Wednesday, 28 October, but 13 house searches were conducted in Germany, and one man was arrested in the UK, the BBC reported.
The law enforcement action, led by German authorities, targeted users of DroidJack, which, as the name implies, can hijack Android devices.
DroidJack can be used to remotely access Android devices from a PC, and remains hidden from the device owner.
That explains why security companies refer to this type of malware as a remote access Trojan, or RAT (RATs are also used to spy on PCs, frequently as a way to remotely turn on a victim’s webcam).
SophosLabs has been detecting DroidJack as malware since August 2014 (Sophos detects DroidJack as Andr/SandRat).
SophosLabs senior threat researcher Anna Szalay tells me that DroidJack has been packaged with other apps to disguise it, for example, as a Muslim prayer app and even a mobile security app.
It can access any part of the device and just about any function you can think of – it can even spy on encrypted chats sent via WhatsApp by stealing the unique encryption key and storing the chats in plaintext.
It looks like DroidJack’s developer may have started out creating legitimate apps, including one still available on Google Play called Sandroid PC Remote.
But at some point the developer decided to turn his app for remotely accessing a PC into its opposite – we’ve seen a spammed out message from the developer proclaiming as much.
DroidJack is available on a public website (Sophos Antivirus blocks the website as a malware repository) for $210, and includes features such as:
- View, send or delete SMS messages from the target device
- Listen to phone calls, retrieve call logs and make a phone call from the device
- View, add, or delete contacts, call or SMS contacts
- Turn on the device’s microphone for live listening and recording
- View browser history and bookmarks
- Open an app on the device
- Track location via GPS
- Stealth mode to hide the app from the device launcher
Although the recent law enforcement action targeted users of DroidJack, it doesn’t look as if the developers of DroidJack are in danger of being arrested at this point.
Mobile RAT makers attempt to walk a fine line by marketing their apps for legitimate uses like parents monitoring their children’s phones or employers keeping tabs on their workers’ company-owned devices.
Selling your spyware as a way to monitor your spouse or lover for infidelity, however, could get you in trouble, as the CEO of the StealthGenie mobile RAT found out when he was fined $500,000 in 2014 for explicitly marketing the app to the “spousal cheat” market.
DroidJack’s marketing might not go quite far enough to cross any legal lines, but let’s not kid ourselves – if it looks like a RAT and smells like a RAT, it’s probably a RAT.