Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations
Watch Live

Local

Spyware — easy to install, easy to hack

A new study out of UC San Diego focuses on the way spyware works and how secure the apps are. KPBS sci-tech reporter Thomas Fudge says it’s all too easy to install—and to hack.

Cyber security expert Alex Liu sits at a conference table at UC San Diego and sends a text from one smartphone to another that had an app called Mobile Tracker Free. The text is sent and received and appears on a web portal in Liu’s laptop.

Software like this can be used as spyware. These common phone apps allow you to see another person’s texts, emails, phone calls and photographs. San Diego County Deputy District Attorney Ramona McCarthy said she’s seen a lot of cases that involve spyware. Some stalking victims who had no idea how closely they were being watched.

“They’ve tried their best to eliminate their public persona online. And yet they’re still finding out that their former partner or current partner ... is still able to follow them, know who ... they’re dating, their new job and they’re just wondering why,” McCarthy said.

Advertisement

McCarthy added that people helping stalking or domestic violence victims often discover spyware by asking the victim to look for apps on their phone they don’t remember downloading. She said sometimes the DA has issued a warrant for a suspect’s phone and found spyware that way.

Liu said if you can get temporary physical access to a person's phone and can unlock it, it’s easy to install spyware. Liu was the lead author on a paper called No Privacy among Spies.

His research revealed how these apps work and their lack of security. He said many use unencrypted communication channels that are easily hacked over Wi-Fi.

“If the app itself is hacked, the problem becomes much bigger ... (personal information) can be exposed to the public. Right? I’m pretty sure you don’t want whatever is on your phone to be leaked to the public,” Liu said.

Alex Liu stands next to UC San Diego's science and engineering building in this undated photo. Liu is a computer science Ph.D. student who specializes in cyber security.
UC San Diego
In this undated photo, Alex Liu stands next to UC San Diego's science and engineering building. Liu is a computer science PhD student who specializes in cyber security. Undated photograph

There are many apps that can track another person’s smartphone, such as Life360 and Find My Friends. An app becomes spyware when it is implanted without the target’s knowledge.

Advertisement

Though the apps are often used for stalking, Liu says that’s not how companies market the app, which include instructions suggesting both parties know what’s going on.

“Usually (the company) would say you need the other person’s consent. You click a button saying ‘Yes, I understand that by using this app I would acquire consent from the other party.’ But in reality it’s not enforced,” Liu said.

Computer science professor Thomas Ristenpart, from Cornell University, took part in Liu’s study. He said at a recent lecture at UC San Diego, that he contacted customer service for some of these app companies, and asked them if their app would be good for tracking a spouse. He heard back from nine of them.

“One tool, to their credit, said ‘No, that’s not what this tool’s for ... That’s probably illegal — what you’re suggesting — so don’t do it.’” Ristenpart said. “The other eight of the nine (companies) responded with something along the lines of, ‘Yeah. Our tool’s awesome for that. Here’s how you set it up for tracking your husband.’”

Liu says the apps are easiest to install on android phones, where there are fewer limits on where you can get your apps. Deputy district attorney McCarthy says if a former partner knows the password of your iCloud account they can hack into your phone and install spyware.

KPBS has created a public safety coverage policy to guide decisions on what stories we prioritize, as well as whose narratives we need to include to tell complete stories that best serve our audiences. This policy was shaped through months of training with the Poynter Institute and feedback from the community. You can read the full policy here.