Are cyber actors hiding in your pocket? Root Spyware on Mobile Devices | FTI Council
[co-author: David Youssef]
Built-in security features make it difficult for forensic investigators to confirm the presence of spyware in smartphones. A new technique speeds up the process.
Spyware is not always bad. When used by law enforcement and legitimate intelligence agencies, it can be used to prevent threats from cyber actors or terrorist organizations by turning a device into a secret surveillance tool to monitor activity. .
In the wrong hands, however, spyware can undermine the data security of individuals, business executives and government officials by hacking into mobile devices and gaining full control of the operating system. From there, data can be collected and unwanted espionage can be initiated.
Pegasus spyware, which exploits sophisticated exploits against mobile device operating systems, is a concrete example of information collected from its targets without consent. This creates additional challenges for forensic investigators and leaves those potentially affected – from journalists to senior executives – wondering, “Has my phone been compromised?” “
Investigators are playing catch-up
This is not an easy question to answer. Cell phone manufacturers are increasingly concerned with putting robust data privacy and security controls in place within their devices. While the enhanced security features do indeed provide data protection benefits to consumers, they also create limitations that can become problematic in certain scenarios.
For example, the same “privacy veil” built into mobile devices to restrict end users also provides hiding places for cyber actors, as evidenced by “clickless attacks”. In these attacks, without requiring any interaction with the user, sophisticated cyber actors can secretly access the entire operating system of a device remotely. Even when a user follows security best practices such as multi-factor authentication and regular software updates, click-less attacks can penetrate, leaving users unaware that cyber actors have gained access to using the camera and microphone to spy.
Common security features of smartphones also complicate the work of forensic investigators. Determining if a device has been hacked is a complex process requiring the examination of massive amounts of collected data logs. Alternatively, “jailbreaking” the device – removing manufacturer restrictions to unlock additional controls – is an option to access, but this process is often complicated and time consuming.
Adding to these complications is the fact that operating systems are constantly being updated, leaving investigators in a continual game of catching up to keep pace with ever-changing code, policies and settings. In some cases, an investigation cannot begin until it is determined exactly what has changed since the last operating system update and whether the forensic analysis process needs to be changed. Sometimes this may require a complete rewrite of forensic tools to align with the latest operating system changes.
The process of determining if a device has been compromised can take weeks or months, which can be problematic for urgent matters, and because individuals are not likely to agree to give up their devices for an extended period of time. . However, a new methodology developed within the Cybersecurity and Technology segments of FTI Consulting offers a more efficient and practical process for determining trade-offs.
View full image
The methodology involves the use of specific threat detection tools and AI-based technology to automatically process and analyze anonymized network data and identify active threats related to data theft, espionage, and hacking. The surveillance. Relevant information is pulled from specific device logs and executed through a proprietary tool that monitors the information. Together with a team of investigators and researchers, a step-by-step roadmap is developed that shows how the device got infected and how much data was extracted, all within hours.
And the process can be done remotely. There’s no need to go through the laborious process of forensic imaging of the mobile device or wait for a jailbreak to access it.
Beyond identifying threats, investigators can use the tools in tandem with a uniquely developed review process to establish a timeline leading to compromise and beyond. The result? A more in-depth investigation that describes a full story of how the cyber attack happened and what information was accessed – all done efficiently and without the need to rely on outside sources.
The advantages that cyberactors have – the ability to hide in plain sight – compel investigators to take advantage of cutting-edge methodologies to keep pace with forensic examination of mobile devices. Without the right investigation methodology, results can be precarious, results can be delayed, and victims can be at greater risk. To truly eliminate spyware from a mobile device and prevent future incidents, investigators need to have the big picture of what happened.
Is it possible to predict the next “Pegasus?” White hat technology is unlikely, as so often, to fall into the wrong hands. However, as the threat landscape continues to evolve, so will the efforts of experts to develop new cyber risk mitigation techniques.