Help! My mobile device is spying on me

Next time you are sitting in a coffee shop, waiting for that flight or riding the office elevator with your mobile device in hand, consider this: how secure is that mobile device? Could it be that your mobile device is spying on you?

Sense of Security, an information security and risk management consulting company, recently put this question to the test with a research project to determine whether an attack against an individual's mobile device is both plausible and feasible. The answer turned out to be a resounding yes on both counts, and the attack was alarmingly simple, easy and cheap to carry out.

There is nothing complicated about this research project or its execution. The aim was to place an application onto a device and then use the device's voice recorder and GPS to spy on its owner, by remotely instructing the application where and when to record, and for how long. The security implications include corporate espionage, insider trading, financial gain, political gain, and competitive and strategic advantage.

With the huge global uptake of mobile devices has come another global phenomenon: the personal attachment of individuals to their mobile devices. People neither switch them off nor allow themselves to be separated from what has arguably become their link to their lives. Are we dealing with an epidemic of mobile device separation anxiety? One fact remains: exposure, and therefore the opportunity for cyber-criminals to exploit it, is at an all-time high.

Our research delves into the possibility and plausibility of spying on an Android device owner. In summary, the Android platform was selected for the following reasons:

  • The volume and rapid uptake of Android devices in the market;
  • Market fragmentation;
  • The limited vetting controls applied to applications submitted to Google Play;
  • The open platform of the Android operating system;
  • The lag for software updates.

The proof of concept

The following describes our attack scenario:

Once a target has been identified, the attacker needs to identify the target's mobile device. This can be done physically or remotely. For example, the target can be tricked into browsing a website the attacker controls; the web server then learns the platform, operating system version and usually the exact model of the device from the information the mobile browser sends with every request, notably the User-Agent header.
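As an added illustration of the device-identification step (this is not code from the research team or the whitepaper): a minimal web handler that fingerprints each visitor from the User-Agent header its browser sends. The sample User-Agent strings are constructed, and the "4.1" cut-off used to flag a device as lagging behind on updates is an assumed threshold, not a figure from the article.

```python
import re

# Constructed sample User-Agent strings (illustrative; not captured from any real target).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Linux; U; Android 2.3.6; en-au; GT-I9100 Build/GINGERBREAD) "
    "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "Mozilla/5.0 (Linux; Android 4.0.4; HTC One X Build/IMM76D) "
    "AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) "
    "AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/30.0.1599.101 Safari/537.36",
]

# Android browsers put the OS version, an optional locale and the device model plus
# firmware build ID inside the parenthesised platform token of the User-Agent.
ANDROID_RE = re.compile(
    r"Android\s+(?P<version>\d+(?:\.\d+)*)"                 # OS version, e.g. 4.0.4
    r"(?:;\s*[a-z]{2}-[a-zA-Z]{2})?"                         # optional locale, e.g. en-au (older WebView UAs)
    r";\s*(?P<model>[^;)]+?)\s+Build/(?P<build>[^;)\s]+)"    # device model and build ID
)
IOS_RE = re.compile(r"\((?P<model>iPhone|iPad|iPod);.*?OS (?P<version>\d+(?:_\d+)*)")


def fingerprint(user_agent):
    """Return what a web server learns about the visiting device from User-Agent alone."""
    m = ANDROID_RE.search(user_agent)
    if m:
        return {"platform": "android", "version": m.group("version"),
                "model": m.group("model"), "build": m.group("build")}
    m = IOS_RE.search(user_agent)
    if m:
        return {"platform": "ios", "version": m.group("version").replace("_", "."),
                "model": m.group("model"), "build": None}
    return {"platform": "other", "version": None, "model": None, "build": None}


def older_than(version, reference):
    """True if dotted version string `version` is older than `reference` (e.g. "2.3.6" < "4.1")."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(version) < as_tuple(reference)


SEEN = []  # fingerprints recorded by the handler below, newest last


def app(environ, start_response):
    """Minimal WSGI handler for the attacker's page: fingerprint the visitor, then serve bland
    content. The reference version "4.1" is an assumed threshold for "lagging on updates"."""
    record = fingerprint(environ.get("HTTP_USER_AGENT", ""))
    record["ip"] = environ.get("REMOTE_ADDR")
    record["lagging"] = record["platform"] == "android" and older_than(record["version"], "4.1")
    SEEN.append(record)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"thanks for visiting\n"]


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(fingerprint(ua))
    # To serve it for real: wsgiref.simple_server.make_server("", 8000, app).serve_forever()
```

The point for defenders is that nothing here requires a vulnerability: the model and build ID are volunteered by the browser, and the build ID alone tells the attacker which firmware (and therefore which unpatched bugs) the device is running.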

Similarly, installing an application on a mobile device can be done physically or remotely. If the attacker has physical access to the device and no passcode is set, installing an application is elementary. If the phone has a passcode, the next approach is passcode guessing. Passcodes show clear common trends: one recent study found that “15 per cent of all passcode sets are represented by only 10 different passcodes”.

If the attacker does not have physical access, the application may be delivered remotely by one of the following:

  • Google Play. By compromising the target's Google (Gmail) account, the attacker can push an application to the target's device through the Google Play website's remote install feature.
  • Spear phishing, whereby a spoofed email purporting to come from a trusted source promotes an appealing application (with the spying application embedded) and tricks the target into downloading it from the marketplace.
  • Drive-by download, whereby the target is induced to click on a link to the application hosted on the attacker's own server. On Android this only succeeds if the device allows installation from unknown sources, or the target enables it when prompted.

Our research team wrote a Proof of Concept (PoC) application, the Triggered Voice Recorder, for the specific purpose of acting as a GPS-triggered voice recorder. The application is less than 600 lines of code. It polls a server and downloads commands describing the location at which to activate the built-in voice recorder. It was written to run in the background and to require no interaction from the device owner.

To get the application accepted by the marketplace we needed to confirm that it could be concealed inside another, host application. We nominated a demonstration application (Notepad) as the host, renamed it and published it to market via Google Play. Since this was a demonstration application the vetting process was passed and the application was published within eight hours. The host application was then repackaged by injecting the Triggered Voice Recorder code into it and republished under the same name. One caveat worth noting: on Android the repackaged version has to declare the permissions the recorder needs (audio recording, fine location and Internet access) in its manifest, and those are shown to the user when the update is installed, so an attentive user, or a device management platform that reviews permission changes, has a chance to notice.

The application was then downloaded onto the target Android device. The GPS coordinates and recording duration were configured on the “attack” server. The PoC application polls the attack server for instructions and activates the recorder at the prescribed location. Conversations are recorded and the recording file is sent to the attacker's server, all of it transparent to the user.
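The trigger logic the PoC is described as implementing, written out here as an added example in Python rather than the team's Android code (which is not published on this page). The JSON command format, the validity window and the rule that a fix coarser than the fence radius is ignored are assumptions of this example; the coordinates and GPS fixes are constructed. It covers only the decision of when and for how long to record; fetching commands and driving the recorder are outside it.

```python
import json
import math

# Constructed command in an assumed JSON format (the article does not publish its own).
# The fence is centred on a public landmark (the Sydney Opera House), chosen arbitrarily.
SAMPLE_COMMAND = json.dumps({
    "id": 1,
    "lat": -33.8568, "lon": 151.2153,   # where to record
    "radius_m": 150,                    # how close the device must be
    "duration_s": 600,                  # how long to record once triggered
    "not_before": 1700000000,           # validity window (Unix seconds)
    "not_after": 1700003600,
})

# Constructed GPS fixes: (unix_time, lat, lon, accuracy_m), as a location listener delivers them.
SAMPLE_FIXES = [
    (1699999000, -33.8568, 151.2153, 10),   # inside the fence, but before the window opens
    (1700000100, -33.8700, 151.2100, 10),   # inside the window, about 1.5 km away
    (1700000400, -33.8570, 151.2150, 300),  # inside, but the fix is coarser than the fence
    (1700000700, -33.8570, 151.2150, 15),   # inside, accurate, in window: this one fires
    (1700001000, -33.8568, 151.2153, 5),    # still inside, but the command has been consumed
]

REQUIRED_FIELDS = {"id", "lat", "lon", "radius_m", "duration_s", "not_before", "not_after"}


def parse_command(raw):
    """Validate a command fetched from the server; reject anything missing a field."""
    cmd = json.loads(raw)
    missing = REQUIRED_FIELDS - set(cmd)
    if missing:
        raise ValueError("command missing fields: %s" % sorted(missing))
    return cmd


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine); ample for a fence of a few hundred metres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def evaluate(cmd, fix, now, fired):
    """Decide whether this fix should start a recording. Returns the recording length in
    seconds, or 0. Each command fires at most once; `fired` holds the ids already used."""
    lat, lon, accuracy = fix
    if cmd["id"] in fired:
        return 0
    if not cmd["not_before"] <= now <= cmd["not_after"]:
        return 0
    if accuracy > cmd["radius_m"]:   # fix too coarse to know we are inside the fence (assumed rule)
        return 0
    if distance_m(lat, lon, cmd["lat"], cmd["lon"]) > cmd["radius_m"]:
        return 0
    fired.add(cmd["id"])
    return cmd["duration_s"]


def replay(raw_command, fixes):
    """Run a sequence of fixes through evaluate(); return the (time, duration) triggers."""
    cmd = parse_command(raw_command)
    fired = set()
    triggers = []
    for t, lat, lon, accuracy in fixes:
        duration = evaluate(cmd, (lat, lon, accuracy), t, fired)
        if duration:
            triggers.append((t, duration))
    return triggers


if __name__ == "__main__":
    print(replay(SAMPLE_COMMAND, SAMPLE_FIXES))   # [(1700000700, 600)]
```

Two details matter more than the geometry. The command is consumed once it fires, so a device that lingers inside the fence does not produce back-to-back recordings that would drain the battery and draw attention; and the validity window means a command left on the server cannot fire days later when the attacker has lost interest, which is the same reason a defender who captures the command traffic should expect it to look sparse.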

Mitigating controls

As organisations become increasingly mobile, IT departments have to balance users' need to stay connected with maintaining mobile device security and protecting corporate data. Securing enterprise mobility now has to extend beyond laptops. Accordingly, organisations are turning to Mobile Device Management (MDM) platforms to manage their fleets of mobile devices.

There are a few core components of mobile device security: hardware encryption, remote wipe and the ability to set a passcode policy. While MDM platforms offer many features that can be configured to improve mobile device security, not all of them address the attack scenario in this article (getting an application onto a device and then using the device's own functions to spy on its owner). In this case the data stored on the device is not what is compromised: the malicious application runs on the unlocked device with the permissions it was granted, so encryption of data at rest is irrelevant. Similarly, the ability to remotely wipe the device does not help after the fact.

A strong passcode policy improves security and makes physical acquisition of the device a lot harder, but it does not address remote acquisition techniques. A significant advantage of some MDM platforms is the ability to whitelist applications. This feature ensures only specific, approved applications can be installed on the device, which greatly reduces the end user's (or an attacker's) ability to install malicious or unwanted applications. One caveat follows directly from this PoC: a whitelist keyed on the application's name alone still admits a malicious update to an approved application, because the repackaged Notepad was republished under the same name. Whitelisting is therefore best combined with a review of the permissions an application requests when it is updated.
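An added example (not part of the article or the research) of the check a practitioner would want alongside whitelisting, for both the repackaging step described earlier and the whitelist discussed here: comparing the manifest of an approved application against a proposed update, since a repackaged application keeps its name and therefore its whitelist entry. The two manifests are constructed; the component names and the permission sets used to score the update are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests (not the research team's): the benign Notepad as first published,
# and the same package after the surveillance code has been injected and it is republished.
NOTEPAD_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad" android:versionCode="1">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notepad">
    <activity android:name=".NotesList"/>
  </application>
</manifest>"""

NOTEPAD_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad" android:versionCode="2">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notepad">
    <activity android:name=".NotesList"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Permissions that give an application a sensor or data feed worth exfiltrating (assumed set).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}
# Permissions that give it a way to send what it collected off the device (assumed set).
EXFIL_PERMISSIONS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def _name(element):
    return element.get("{%s}name" % ANDROID_NS)


def manifest_summary(xml_text):
    """Extract the package, version code, declared permissions and components from a manifest."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "versionCode": int(root.get("{%s}versionCode" % ANDROID_NS)),
        "permissions": {_name(e) for e in root.iter("uses-permission")},
        "components": {tag: {_name(e) for e in root.iter(tag)}
                       for tag in ("activity", "service", "receiver")},
    }


def review_update(old_xml, new_xml):
    """Compare an approved version against a proposed update and return a verdict with reasons.
    "block": the update gains a surveillance permission and has a way to send data out;
    "review": it gains other permissions or background components; "allow": nothing new."""
    old, new = manifest_summary(old_xml), manifest_summary(new_xml)
    if old["package"] != new["package"]:
        raise ValueError("not the same package: %s vs %s" % (old["package"], new["package"]))
    added_perms = new["permissions"] - old["permissions"]
    added_components = {tag: new["components"][tag] - old["components"][tag]
                        for tag in new["components"]}
    reasons = []
    if added_perms & SURVEILLANCE_PERMISSIONS and new["permissions"] & EXFIL_PERMISSIONS:
        reasons.append("gains %s and can send data out via %s" % (
            sorted(added_perms & SURVEILLANCE_PERMISSIONS),
            sorted(new["permissions"] & EXFIL_PERMISSIONS)))
        verdict = "block"
    elif added_perms or added_components["service"] or added_components["receiver"]:
        reasons.append("new permissions %s, new background components %s" % (
            sorted(added_perms),
            sorted(added_components["service"] | added_components["receiver"])))
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "added_permissions": sorted(added_perms),
            "added_components": added_components, "reasons": reasons}


def is_allowed_update(allow_list, old_xml, new_xml):
    """Whitelist plus update review: a package name on the allow-list is necessary but not
    sufficient, because a malicious update keeps the name (and signer) of the approved app."""
    pkg = manifest_summary(new_xml)["package"]
    return pkg in allow_list and review_update(old_xml, new_xml)["verdict"] == "allow"


if __name__ == "__main__":
    print(review_update(NOTEPAD_V1, NOTEPAD_V2))
    print(is_allowed_update({"com.example.notepad"}, NOTEPAD_V1, NOTEPAD_V2))
```

The boot receiver and the background service are flagged separately from the permissions because they are what lets a repackaged application keep running without the owner ever opening it, which is exactly the property the PoC relied on.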

There is no doubt that as mobility solutions are increasingly adopted and the world becomes more interconnected, our reliance on these “tools of the trade” will lead to increased exposure and risk.

This research has demonstrated the degree to which all mobile device users, including corporate executives, are exposed to the very real possibility of becoming a victim of a targeted attack. It is therefore incumbent on security and risk managers to exercise ‘due care’ in understanding the risks and issues with mobility and to implement reasonable controls to address those risks.

The supporting whitepaper to this article can be located at:

Sense of Security can be contacted by:

Email: Phone: 1300 922 923

Stories by Murray Goldschmidt