How to keep spies off your phone — in real life, not the movies

Credit to Author: Sergey Golubev| Date: Thu, 19 Dec 2019 14:07:45 +0000

In the new Terminator movie, Sarah Connor puts her phone inside an empty bag of chips to hide her movements from the bad guys. Our recent experiment showed that this method is actually workable (with some provisos): A couple of foil bags do indeed jam radio signals from cell towers, satellites (such as GPS), and wireless networks (such as Wi-Fi or Bluetooth). But do people actually spy on other people through these networks? Let’s investigate.

Spying over radio: GPS, cellular, and Wi-Fi

Sarah Connor was concerned primarily about GPS signals. At first glance, that’s logical; we use satellites to determine the exact location of a device. In reality, however, things aren’t that straightforward.

Can you be tracked by GPS?

Phones do not transmit any information to satellites. The system is entirely unidirectional: The phone doesn’t transmit anything through GPS, but rather picks up a signal from several satellites, analyzes how much time the signal took to arrive, and calculates its coordinates.

So, tracking someone using only GPS is simply not possible. One would need to send those coordinates out from the phone, and the GPS standard does not provide for that.

Terminator 6/3: Sarah Connor and a bag of chips

Tracking through cellular networks

With cell towers, unlike GPS satellites, communication is bidirectional. And although determining your location is not the main task of a cellular network, it can lend a hand. Broadly speaking, someone who knows which tower is currently serving the phone can determine its location. However, accessing that data is extremely difficult.

Recently, researchers found a rather interesting way of discovering information about this nearest tower — through an intricate SIM card vulnerability that can be exploited using an ordinary computer and USB modem. However, this method requires specialized technical know-how, and so it is deployed only in high-cost, targeted attacks.

Another consideration is that cell-tower-based geolocation is not all that accurate; it yields the general area, not exact coordinates. And whereas in a city that general area might be relatively small (your location can be found to an accuracy of several hundred yards), in rural areas, where the distance between cell towers is measured in miles, the margin of error can be enormous.

Tracking with Wi-Fi

In theory, your movements can also be tracked using Wi-Fi — when you log in to a public network, it receives certain information about you and the device you’re using. Moreover, smartphones broadcast information about themselves to find available networks, and they can be tracked even if you are not connected to anything.

The sole inconvenience is that Wi-Fi tracking is possible only when you are in the vicinity of an access point. So, although this method is practiced, it is not used for tracking specific people, rather for general monitoring of people’s behavior in a certain area. For example, some shopping malls use this kind of tracking to create individual ads based on data about visits to particular stores.

How people are tracked in reality: Operating systems and apps

Spying is outright impossible by GPS, too inconvenient using Wi-Fi, and expensive and difficult through cellular networks. However, even if you are not an investigative journalist or the head of an international corporation, that doesn’t mean no one but nosy advertisers is snooping on you or harvesting your data. Your GPS coordinates, personal messages, and other data might well be of interest to a mistrustful boss or jealous partner. Here’s how such individuals can actually track you.

They can hack into your Apple or Google account

By default, iOS and Android collect your data. They store it in, among other places, your Apple or Google account — in the clouds. If your iCloud or Google Account gets hacked, everything that system meticulously harvested will fall into the hands of the attacker. Therefore, we recommend making sure your accounts are properly protected. At the very least, use a strong, unique password and enable two-factor authentication. At the same time, you can configure what information about you is stored in these accounts — for example, consider turning off location history.

They can view metadata, geotags, and check-ins

Unfortunately, sometimes users themselves make it easier to track them, for example, by posting photos with metadata — information about where and when the image was taken, on which camera, etc. — on social networks. Some sites delete this information when photos are uploaded, but not all. If not, anyone will be able to see the history of the picture.

Your check-ins and geotags also play into the hands of cybercriminals. Don’t use them if you want to prevent others from tracking your movements.

They can install spyware on your smartphone

Many malicious apps exist to collect and transmit information from your device to their controllers. They can track not only your movements, but also your messages, calls, and much more as well.

Such malware usually penetrates the smartphone in the guise of a harmless app or by exploiting system vulnerabilities. It operates in the background and works hard to evade detection, so in most cases, the victim is not even aware that something is wrong with their mobile phone.

They can use spying apps — legally!

Alas, not all spying apps are considered malware. The category of legal spyware known as stalkerware, or spouseware, is often positioned as a parental control tool. In some countries, the use of such spying apps is lawful, and in others their legal status is undefined. In any case, these apps are freely sold on the Internet and tend to be relatively inexpensive — in other words, it’s accessible to everyone from watchful employers to jealous partners.

True, stalkerware needs to be installed manually on a victim’s device, but that’s no impediment if your gadget is easy to unlock. In addition, some vendors sell smartphones with spying apps already installed. They can be given as a present or a company device.

In terms of general functionality, legal spying apps differ little from malicious spyware. Both operate surreptitiously and leak all kinds of data, such as geolocation, messages, photos, and much more.

Worse, they often do so without any concern for security, so it’s not only the person who installed the stalkerware on your smartphone who can read your WhatsApp messages or track your movements — hackers can intercept the data as well.

How to guard against mobile tracking

The real danger of mobile tracking comes not from cellular networks and certainly not from GPS. It is far simpler and more effective to spy on a person through an app installed on their smartphone. So, instead of putting your phone inside two empty chip bags, simply protect your devices and accounts properly:

  • Use strong passwords and two-factor authentication for all accounts, especially important ones like your Apple ID or Google account.
  • Protect your devices with a strong, complex PIN and don’t reveal it to anyone. No one can install spyware if the device is properly locked.
  • Download apps only from official stores. Although dubious programs occasionally sneak into Google Play and the App Store, you’ll find far fewer of them there than on other resources.
  • Do not give permissions to mobile apps if they seem excessive. You can always grant permissions later if they’re genuinely required.
  • Use a reliable security solution. For example, Kaspersky Internet Security for Android detects not only malware but legal spyware too, and warns the device owner about it. For information about how to search out stalkerware on your smartphone, and what to do if you find it, see http://www.stopstalkerware.org.


https://blog.kaspersky.com/feed/