By Lysa Myers
If you’re reading this article, it’s likely that
you’re hoping for quick tips on what to do if you suspect there’s spyware or a
tracker on your phone. If that is the case, you’re likely to be disappointed;
there are no quick lists of things to identify or remove to make you safe
again. But that doesn’t mean there is nothing you can do. While it will
require a determined effort, the good news is that you can make your devices
more resilient against a wide variety of different security threats including
spyware.
Increasing complexity = no quick fix
If you’re wondering why there is no quick fix, a
brief look into the past can give the answer. As the popular maxim
goes: “History doesn’t repeat itself but it often rhymes.” In technology, as in
so many areas of life, we often see recurring patterns of threats. But there’s
always a twist, as the underlying technology evolves. Such is the case with
spyware and other threats on mobile phones.
Desktop computers have had malware for many
decades, and those threats changed over time. Early malware was both simple and
so rare as to be popularly considered an “urban legend”; the entire instruction
set for finding and removing all known malicious code used to fit on a floppy
disk, and this only needed to be updated for new threats on a quarterly basis.
Now, anti-malware products find and remove so many threats that counts cease to
have practical meaning, and updates for new threats must be delivered well-nigh
constantly. As a result, where we could once say, “look for A, B or C files to
see if you’re infected”, or “do X, Y and Z to clear your device”, now we can’t
realistically give such simplistic advice.
Likewise, threats targeting mobile phones have
grown in both quantity and complexity. Where we used to be able to give a short
list of things to look for to see if you’ve been affected by specific malware
programs, that’s no longer realistic. If you’re reading this because you think
someone might have installed spyware on your phone, it’s probably best to proceed
as if your suspicions are correct.
Mobile phones, aka “the computer in your hand”
As we moved from the early days where threats were
few and new ones appeared infrequently, to the present situation of having a
practically uncountable number of threats, malware researchers tried to find
some way to help people figure out which threats are of greatest concern. One
such method was to include a rating for the “severity” of the threat, meaning
how much potential there was for harm to an affected user. In one threat-rating
model, spyware and backdoors were considered to have “infinite” damage
potential because there was almost no limit to how much harm attackers could
cause if they could quietly sit on your machine and passively watch your every
action or manipulate your computer as if they were sitting at your desk.
Now most of us carry powerful computers with us
wherever we go, and those computers are equipped with receivers that identify our
location at all times. As a result, someone who’s watching us on our phones has
even more capability to monitor our activities, as our computers are likely
within arm’s reach all day and night.
Time to get thorough
Rather than trying to scare you with my previous
description of the damage that could be done, I’m hoping historical context
will give you an idea of the sort of changes that will need to be made if you
believe you’re being tracked.
If you’ve ever had to go through the process of
replacing a stolen credit card, or of changing your legal name for marriage,
you’ll have a good sense of how much it can help to sit down and create an
exhaustive list before proceeding. In order to do that with a clear head, you
will need to get yourself out of harm’s way first.
· Start with your phone
If you suspect your device is being tracked, you
must consider the affected device “untrusted” from here on out, as even
restoring it to factory settings may not completely clear a tracker. The
microphone or camera functionality of your phone may be in use by the tracker,
so be mindful of what is happening around your device. As unintuitive as this
may sound, you may not want to power your phone off, as this may compromise
data or evidence on your phone. Do turn off network connectivity immediately;
put the device in Airplane Mode, and make sure this has disabled Wi-Fi and
Bluetooth connectivity as well.
In order to preserve evidence or have an expert
check your device, you’ll need to act promptly and carefully, as there are
still ways malware could affect data stored on your device, even without access
to a network connection. Put your phone out of earshot, and leave it there
while you get to a safe place. When you are ready to forward your phone to an
expert, put it into a Faraday Bag before interacting with it again.
While it certainly doesn’t hurt to ask for help
from local law enforcement, know that even major cities may not have the
expertise or the bandwidth to investigate compromised mobile devices. The
most important objective is to take steps to make sure you’re safe.
Ask for help, but do not wait for others to help you.
Once you are out of physical proximity of the
mobile device being tracked, you can begin to take a more thorough assessment
of your situation and start bolstering your defenses.
· Check your other devices
While it is entirely possible that any tracking is
limited to one device, it’s a good idea to check any desktops, laptops, tablets,
or cellphones that you use. Keep potentially compromised devices out of your
safe space so that they cannot report this location to the person tracking you.
If you’ve forwarded your mobile device to an expert for analysis, they may also
need you to provide access to these additional devices.
Once you determine that devices are safe, you
should bolster your overall security precautions. Make sure you have updated
security software including anti-malware and firewall functionality. Update
your software including your operating system, Internet browsers and plugins.
Change your passwords: choose ones that are strong, memorable and unique for each device and account. Do
not re-use passwords for different accounts or devices. Going forward, once
you have determined that your devices are clean, you may decide to encrypt data
stored on your devices and communications sent over the network, such as via
email or instant messaging. Keep in mind that SMS text messages are not
encrypted.
· Check online accounts and services
Most of us use our phones to access a variety of
online resources; this may include online banking, social media, online review
sites, etc. Many sites will allow you to de-authorize devices: if that option
is available, remove the compromised devices.
Now is a good time to improve security for every
account you have accessed on your phone and any other affected devices. Delete accounts
you no longer use. Once again, change your passwords, and make sure your
choices are strong, memorable and unique. Wherever it’s available, enable two-factor authentication, but do not send keys via SMS or to
email accounts that are linked to devices that are being tracked, as this will
mean your attacker can also use these keys to access your accounts. You
should also set up login notification, so that you will be alerted if
unauthorized devices try to get into your accounts.
· Leave the backup
If you’re in the habit of taking regular backups,
you might be inclined to start pulling files from your online or offline backup
sources. As it can be hard to know at what point tracking began, it is safer to
assume that backups are compromised, especially if the backup was accessible to
a device you suspect has been tracked. If you want to recover your valid data
files while leaving suspicious files behind, you may need to employ an expert.
· Get a “burner” phone
Until you can be fairly certain that your situation
is resolved, you may want to get a temporary, prepaid “burner” phone that is limited to emergency
contacts. Do not log onto online accounts or services from this device, and do
not contact anyone who might give the number to the person you suspect is
tracking you.
Any other steps you might need to take will depend
on who is tracking you: for example, if you live in the same house with the
person, you’ll need to get yourself to a safe location as soon as possible.
Once you’ve extricated yourself from immediate danger, there are a number of
other things you can and should do to protect yourself. If the person
tracking you is an acquaintance or someone entirely unknown to you, they may be
more interested in your assets, or in your absence from a location rather than
your presence.
When you’re ready to get a new phone, be sure to
secure it well. Set a password to lock your device, rather than a less-secure
numeric PIN or pattern-lock. Install a mobile security product, if you’re using
an Android device. You may want to set your device to automatically install
updates, so they’re applied promptly. You can also set your device to only allow
the installation of apps from reputable app stores, but your caution should not
end there: be judicious about checking that apps are well (and positively)
reviewed, and consider whether the permissions each app requests seem reasonable for
the purpose of the software. And finally, be vigilant about clicking links in
email – it’s better to err on the side of typing a website directly into your
browser rather than clicking a link that may send you somewhere unexpected and
potentially dangerous.
Each situation is different, and your specific
needs will necessarily vary. You should consider consulting with a lawyer or a
social worker, who can help you make a thorough plan to keep yourself safe.