Mercenary spyware is brazen, commonplace, and sophisticated. Fight back with Developer Mode.
Wind the clock back to only a few years and sophisticated mobile malware threatened only the highest value targets: world leaders, cartel bosses, and individuals accused of terrorism, to name a few. Persistent, stealthy malware was expensive to develop, the purview of only the most well-funded state actors. The rise of mercenary spyware, however, significantly reduced the costs associated with hacking a mobile phone – any unscrupulous organization with a desire to steal intellectual property, spy on the opposition, or otherwise gain from compromising mobile devices could afford the tools to do so.
Recent revelations, especially from Amnesty International and Citizen Lab, highlight the growing brazenness, ubiquity, and prevalence of mobile spyware. Earlier this year, links to a commercial spyware tool called Predator were essentially sprayed across X (formerly Twitter) in a dragnet that could have ensnared bystanders following the discussion. The campaign targeted a diverse range of victims, including civil society members, rank and file politicians, and lower level government officials. Perhaps more alarmingly, Human Security recently reported the discovery of Android devices with backdoored firmware in schools across the United States. Security researchers found that these devices, primarily tablets, were preloaded with malicious firmware that allowed unauthorized access and data exfiltration. This firmware was believed to be uploaded not by state actors, but rather by savvy criminal operators.
And these savvy, malicious actors are learning how to cover their tracks. As revealed in the Citizen Lab report, Predator runs an eight step validation process before fully deploying, including checking to see if the system log is being monitored, whether the device is monitored for jailbreaks, and whether the user is running a proxy, among other things. Catching Predator in the wild essentially means outsmarting the adversary, which is why so few samples of mercenary spyware have been fully captured.
These revelations beg the question, how can we fight back against a threat that is increasingly commonplace, yet also sophisticated? The answer is mobile forensics. Similar to how detectives meticulously comb through crime scenes to find forensic artifacts, mobile security researchers laboriously pick apart mobile devices for clues suggesting the presence of a malicious actor. It is a time consuming and expensive process, one that requires knowledge of both computer science and security, and one that is very difficult to scale.
As the first mobile threat hunting company, iVerify is pioneering methods to scale mobile forensics beyond academic institutions, taking the forensics process out of the laboratory and into the board room.
One way we’re doing this is by making use of Developer Mode. Developer Mode on iPhones can help researchers catch spyware by allowing them to gain more access and control over the device's functions, specifically the ability to monitor for suspicious behavior, unusual activities or access rights – signs of spyware that might otherwise remain hidden. What’s more, there’s some evidence that Developer Mode can actually directly protect users from malware. Citizen Lab reports that the most recent version of Predator specifically checks to see if Developer Mode is turned on before deploying the full payload. If it is, Predator fails to install! (It should be noted there are some tradeoffs to turning on Developer Mode. For example, doing so makes sideloading apps easier. But for targets of mercenary spyware, the tradeoff in terms of additional protection is probably worth it.)
In the coming weeks, we will share more about how we plan to scale mobile forensics via the launch of a tool that will make mobile forensics widely accessible in the enterprise, reducing barriers to data collection and analysis. Stay tuned!
Rocky Cole, Co-Founder & COO,
Matthias Frielingsdorf, Co-Founder & VP of Research