Commercial Spyware: Definition, Types, Detection and Prevention

Commercial spyware isn’t anything new. But hackers have managed to evolve commercial spyware into streamlined, potent and easily downloaded/installed mobile apps. Among many other ways to steal data and wreak havoc on the target device, hackers can now count on commercial spyware as well. Modern commercial spyware is now able to harm not just personal computers but also entire business networks. What originally started out as a way for employers to keep an eye on employees has now become a full-blown cyber threat.

Commercial Spyware

What is Commercial Spyware?

Commercial spyware is a software/app/script that allows bad actors to keep an eye on the victim’s device, potentially stealing data and causing harm in the real world. Application distribution platforms such as the Google Play Store, the Apple App Store and some third-party software repositories such as F-Droid offer apps capable of recording the user’s location and seeing texts, media posts, photos and files. But these usually come in the form of parental controls or employee monitoring tools. Hackers can abuse such concepts and develop malicious versions of such apps known as commercial spyware. Commercial spyware usually has a separate website and/or landing page.

an image with hacker with no face and spyware inscription

Once a commercial spyware program has infected a device, hackers (with enough skills and resources) can hide the spyware’s presence, block users from uninstalling or deleting the spyware and even miscommunicate the app’s purpose to the user. Besides the ability to access emails and steal audio from the device’s surroundings, the key features of commercial spyware include IM data, backdoor behavior, remote control tools, screenshot capture, key logging and copying content from the device’s clipboard.

Commercial spyware applications also go by names such as “stalkerware” and “surveillanceware.” The main difference between commercial spyware and regular spyware is that people/entities/organizations can pay millions to use commercial spyware. Generally speaking, commercial spyware is custom-built for clients, but cheaper alternatives are available that cost close to $30.

How does Commercial Spyware Work?

Most commercial spyware works by first dropping on the target user’s device, attaching to critical files in the operating system and then consuming processing power, stealing data, recording user activity or gaining system-level access to carry out more functions than advertised.

an image with how does it work text written by chalk

Generally, commercial spyware has one task: to keep tabs on the internet habits of the target user. Sometimes spyware benefits a hacker-owned website by generating fake traffic and/or sending users to fake product landing pages.

In order to work in any impactful way, spyware must be downloaded on the user’s device. The most common way users do that is by clicking a suspicious link, button or pop-up ad, which leads to a malicious website. Other times, hackers inject legitimate software packages with spyware. Browser extensions can also infect the user’s device with spyware.

Note:

High-grade commercial spyware sometimes has to be manually installed on the target device. But just like regular spyware, commercial spyware is also invisible on the infected phone.

Once on a system, commercial spyware usually runs in the background and changes how the device communicates with the outside world. After that, each commercial spyware will have a different method to accomplish a pre-set task. Some commercial spyware will move to change the system settings, internet or firewall settings or Windows registry (if applicable) and access restricted content. Ultimately, all actions of the commercial spyware will come down to monitoring the target’s digital life.

Any number of goals can be achieved once the data is collected, such as blackmailing, disclosing sensitive information, hyper-targeted advertising, revenue generation, espionage and selling data.

What are the Different Types of Commercial Spyware?

The different types of commercial spyware are given below.

  1. Infostealers: An advanced enough commercial spyware is capable of acting as many different types of commercial spyware, depending on the client’s requirements. However, Infostealers—among the most common spyware programs—are widely used as a method to first collect information on the user and then transfer all that data back to the hacker’s command and control center. Meanwhile, the user has no idea the commercial spyware is running and collecting everything from search history data to email accounts to passwords and content present in storage.
  2. Adware: Although adware is not as common as before, this type of commercial spyware still comes in handy when the objectives are not as grand as stealing every piece of information on the target’s device. Adware usually causes the user’s device to show pop-up ads on the screen. Ads are annoying in any case but become even more annoying when on screen without permission or any control. If the user mistakenly clicks on a pop-up ad and provides any kind of information to the website (opened via the ad), the website/form will store that information and send a message containing the data back to the hacker.
  3. Keyloggers: Keyloggers may not be the most popular commercial spyware but are certainly dangerous. As the name suggests, the main job of the keylogger is to record all of the user’s keystrokes for any given session. If the user types a password in a session where the keylogger is active, that password will get recorded. Keyloggers can use similar tactics to steal credit card information as well. Any record kept by the keyloggers gets sent back to the hacker’s command and control.
  4. Riskware: Riskware is a type of commercial spyware that is dangerous to the user because of the inherent security vulnerabilities within the software. Sometimes, the developers of such software violate many ethical and legal requirements and purposefully make applications incompatible with certain programs. Similar to other spyware types, riskware allows hackers to collect sensitive data and grant process control at the administrative level. Riskware is different from other types of spyware because such applications usually have some use. This is why riskware is rarely handled well by the device’s user or even an antivirus program.

How is Commercial Spyware Infected on Your Devices?

Commercial spyware infects devices in a variety of different methods. For the most important targets, hackers usually need to find a way to manually get the commercial spyware on the device. However, modern commercial spyware also has the ability to infect any device connected to the internet, either via cellular data or WiFi.

As mentioned, commercial spyware can infect devices without any sort of participation on the part of the device’s owner. Similar to regular spyware for easier targets, commercial software can infect a device when the owner of the device clicks an infected link.

Note:

Another way commercial spyware infects devices is security vulnerabilities present within the apps installed on the mobile device (or desktop computer/laptop) or operating system. This can happen if the user skips on regularly downloading and installing updates.

Other commercial spyware programs infect devices via semi-fake VPN services. Such VPN services may not charge users and may also unblock content from a variety of streaming platforms. But there is also a risk of spyware infection from such VPN apps. Users who stick to popular and well-reviewed VPNs should be safe from such commercial spyware.

If the hackers belong to a powerful enough group, the commercial spyware can get on a target device remotely as well.

an image with warning sign viewed by magnifying glass

Some of the risks that come with commercial spyware infection include hackers getting access to the device’s microphone and camera. Other commercial spyware risks include complete monitoring of the user’s offline and online activities, hackers knowing the user’s location via GPS tools present on the infected device and sensitive data getting transferred from the device to servers run by hackers. Advanced enough commercial spyware, such as Pegasus, can essentially use the target device (once infected) as a spy.

Who is Capable of Creating Commercial Spyware?

Currently, many entities are able to create commercial spyware in-house or hire third-party developers to deploy commercial spyware from the ground up quickly. Such entities include governments, powerful hacker groups, law enforcement agencies and private companies.

an image with create word connected by people

Companies with the ability to create commercial spyware are usually very secretive, which is why there isn’t a lot of information publicly available about these projects. For example, the U.S. National Security Agency has hired such private software companies to develop commercial spyware to not only spy on government officials but also journalists and potential criminals.

One of the more well-known private companies capable of developing potent commercial spyware is NSO Group, which developed Pegasus. There’s also the Gamma Group that developed FinSpy. Another lesser-known example is The Hacking Team.

When does Commercial Spyware Appear?

While there is no certainty of when the first commercial spyware appeared, the first spyware program was created in 1995. However, more recently, one of the first advanced commercial spyware programs was Pegasus, developed by NSO Group and used by governments worldwide.

an image with warning system sign 3D

The specific timeframe for when commercial spyware appears on the target device depends on the hacking team behind the scheme. In some cases, the owner of the targeted device is able to spot the signs of commercial spyware’s appearance, such as messages that have not been sent by the user, accounts being accessed at irregular times and general changes in the amount of bandwidth consumed by the device.

Where Can You Most Often Find Commercial Spyware?

The most common place where commercial spyware can be found is in malicious email attachments and links on suspicious websites. As mentioned, commercial spyware can infect a device in different ways depending on the developer’s skill.

an image with spyware alert detected on smartphone

Once on a device, users generally cannot find the location of the commercial spyware; the only way to know is to look for suspicious behavior. Of course, if the owner of the device has the necessary skills, digging deep into the subdirectories may lead to the files the commercial spyware is using to record user data.

As far as finding commercial spyware for purchase goes, individual users or companies have a hard time finding cybersecurity companies willing to sell commercial spyware on platforms like the Google Play Store or Apple App Store. Advanced commercial spyware companies usually only sell to governments, law enforcement agencies or influential private groups. And since good commercial spyware such as Pegasus costs millions of dollars, there is no point for an individual user to try and use the internet to find commercial spyware for purchase.

an image with spyware text viewed by magnifying glass

Moving a level downwards from the most advanced commercial spyware can cut down the price to as low as $30. These are other types of spy apps that individuals can buy and install on another person’s phone manually.

Of course, some types of legitimate commercial spyware, such as parental controls or employee tracking applications, are available on app distribution platforms such as the Google Play Store and Apple App Store for reasonable prices, even for individual users.

How Can Commercial Spyware be Detected?

The easiest way to detect commercial spyware is to install a spyware detection app or perform manual steps to identify potential signs.

Before covering the steps, though, users should understand that even in the case of advanced commercial spyware such as Pegasus, anyone who isn’t a high-profile political or prominent figure probably doesn’t have to worry about hackers monitoring devices.

an image with warning detected

Amnesty International has a “Mobile Verification Toolkit” that can run on both macOS and Linux to examine files. The toolkit can also check the user’s mobile device configuration to check for indicators of commercial spyware. Keep in mind, however, that the Amnesty International tool doesn’t tell the user if there is commercial spyware on the device.

Some manual steps include checking if the phone is rooted. If so (and the owner of the phone did not root the device), that is a sign there is a security compromise. Most commercial spyware programs need to gain control of the device, which is only possible with rooting. That isn’t to say malware can’t harm a device without rooting, though.

Another way to detect commercial spyware is to see the data usage patterns and amounts. If a given device has suddenly started to consume an unusual amount of data, there may be commercial spyware present. As mentioned, commercial spyware can access user messages, locations and even conversations in real time. All of that information has to be sent back to the hacker’s command and control, which is likely to consume a lot of data. On the other hand, if the phone is using data during periods in which the owner does not remember carrying out online tasks, that is also a good sign spyware may be present on the device.

Commercial spyware doesn’t always come in the form of government-level, banking-breaking Pegasus. As indicated before, individuals can go to the website of relatively small-time developers offering commercial spyware apps on the cheap. Following that, if someone knows a bit too much about the owner of the device, the person may have surreptitiously installed commercial spyware on the owner’s device. Using the spyware, the person can know the owner’s location and internet activities.

an image with bugs detected on pc vector illustration

Commercial spyware is not only used by governments, intelligence agencies, identity theft rings, shady organizations, criminals and tyrants, but also by untrusting significant others, co-workers and sometimes even friends for both personal and financial gain.

Pro Tip:

As indicated earlier, digging into deeper subdirectories of the smartphone or desktop computer may help detect commercial spyware. Many commercial spyware programs hide as .apk files in the “Download” directory of the SD card connected to a mobile device.

Compared to Android devices, commercial spyware usually has an easier time staying hidden on iOS devices because the operating system doesn’t allow easy access to subdirectories. Sometimes, special forensic software is required to access folders such as “Logs” (which iOS commercial spyware uses to hide) and detect commercial spyware. Similar to Android, the vast majority of iOS commercial spyware requires a jailbroken device.

How Can Commercial Spyware be Avoided?

The steps users need to take to avoid commercial spyware are given below.

  1. Make External Backups of Sysdiags on iOS Devices: While this tip won’t help avoid commercial spyware, sysdiags backup comes in handy to know, after the fact, if a given iOS device was infected and how. The exact steps for sysdiags backups vary on different iOS models. Some require the trigger combination of volume up + volume down + power button simultaneously. Search for the exact method for the make and model of the iOS device that needs protection.
  2. Create Backups of Important Data Each Month: General backups are useful for detecting commercial spyware and protecting user data.
  3. Use Apps that Notify Users if a Device is Jailbroken/Rooted: Advanced commercial spyware requires a rooted or jailbroken device. Once a user gets the notification, the device either needs to get replaced or cleaned, thus keeping spyware away.
  4. Use a VPN: Commercial spyware that takes advantage of hacking techniques such as man-in-the-middle attacks to infect devices can be thwarted with a VPN. The same goes for hacking attempts leveraging DNS hijacking or HTTP masking. VPNs hide the user’s real IP address and encrypt user traffic. In this way, hackers can’t use the GSM operator to target a given device. Just make sure the VPN doesn’t come for free, offers anonymous payment methods, requires little information for registration and supports modern security protocols.
  5. Avoid Using Google Chrome or Safari: Google Chrome and Safari are two of the most popular web browsers on the mobile platform and otherwise (for Chrome). Commercial spyware that abuses security exploits in web-kit based browsers (essentially all web browsers including Chrome) generally have a harder time against browsers like Firefox Focus.
  6. Don’t Click on Links Received via Any App: This tip includes email apps, messaging apps, social media apps and web browsers. Avoiding clicking on untrusted or unknown links has long been the leading tip to stay safe from commercial spyware and other cyber threats. But a surprising number of people still do not make a habit of it. Some commercial spyware programs use zero-click exploits, which bypass the user, while others use one-click exploits, where the user needs to perform a single click. Users typically are presented with an opportunity to click on malicious links via messages, SMS, email, WhatsApp or social media accounts. To stay safe, send the link to a desktop computer, preferably using Linux. Or use the Tor browser to open the link.
  7. Keep Up with Operating System Updates: Updating the smartphone or computer as soon as updates are available is a great way to stay safe from commercial spyware and other threats.
  8. Get Rid of Applications Such as FaceTime, iMessage and Others: Hackers know these apps are common and have an easier time developing exploits. Zero-day exploits usually target such apps as well.

Continuing from the previous tips, newbies can stay safe from commercial spyware by following the tips mentioned below.

  1. Reboot All Devices Daily: While rebooting a device daily may not be feasible at all times, the user should at least try. According to Citizen Lab and Amnesty International, advanced commercial spyware programs like Pegasus rely on zero-day zero-click exploits that do not have persistence. Hence rebooting devices can keep users safe from such spyware. Rebooting the device will force hackers to infect the device again. Rebooting also helps keep kicking exploits out of the system.
  2. Enable Security Features: Adjust the settings to unlock the device using facial recognition, a fingerprint or a pin code. This can protect against commercial spyware that requires manual installation on the target device.
  3. Avoid Unsecured WiFi Networks: Not connecting to free and public WiFi networks is also a good way to avoid spyware.
  4. Enable Encryption: Enabling encryption means that even if spyware manages to infect the device, hackers wouldn’t have access to the contents of the user’s data.

Is Spyware the Same as Malware?

an image with malware sign

Considering the question of malware vs. spyware, spyware is the same as malware in the sense that malware is a term including all sorts of cyber threats, such as browser hijack attacks, adware, fake applications, spyware and other malicious applications. There are multiple types of malware, and spyware is a type of malware.

Can a VPN Prevent Spyware?

Yes, a VPN can prevent spyware, but not in a way most would think. VPNs change the user’s original IP address, encrypt user data and sometimes change the DNS server used for queries. Protecting against spyware is different. Modern VPN providers come with additional tools for detecting malicious links, websites and apps. Moreover, since the user’s IP address changes, hackers that use man-in-the-middle attacks to inject commercial spyware on target devices fail.

Damien Mather Damien is a cybersecurity professional and online privacy advocate with a bachelor of Computer Science. He has been in the industry for 20+ years and has seen the space evolve far bigger than he ever thought. When he is not buried in his research or going through code, he is probably out Surfing or Camping and enjoying the great outdoors. 
Leave a Comment