What is spyware? How it works and how to prevent it

Spyware is used by everyone from nation states to jealous spouses to surreptitiously collect information and monitor the activity of people without their knowledge. Here's what you need know about this pervasive and creepy form of malware.

Spyware definition

Spyware is a broad category of malware designed to secretly observe activity on a device and send those observations to a snooper. That data can be used to track your activity online and that information can be sold to marketers. Spyware can also be used to steal personal information, such as account passwords and credit card numbers, which can result in identity theft and fraud.

"Spyware is really anything that's collecting—and possibly disseminating—information about the user without the consumer's consent," explains Josh Zelonis, a senior analyst with market research company Forrester Research. "Spyware is and will always be a popular method of collecting private information. We see it in banking Trojans, ad networks, jealous spouses, and companies crossing ethical boundaries by installing keystroke loggers as part of their 'insider threat programs. It's an incredibly broad problem that impacts everyone potentially."

Use of the malware seems to be on the rise. According to a recent report from security software maker Malwarebytes, consumer spyware detections increased 27 percent from 2017 to 2018. Business detections increased even more: 142 percent over the same period.

"It's a part of a trend back to traditional threats," says Jerome Segura, head of threat intelligence for Malwarebytes. “It shows that criminals are interested in stealing data from users," he adds. "Once they have the data, they can deploy additional malware on the system and create an additional vector for monetization."

Types of spyware

Spyware can take a number of forms. They include:

  • Adware: It eyes your online activity and displays ads it thinks you'll be interested in based on that information. Although benign compared to some other forms of spyware, adware can have an impact on the performance of a device, as well as just being annoying.
  • Tracking cookies: They're similar to adware, although they tend to be less intrusive.
  • Trojans: After landing on a device, they look for sensitive information, such as bank account information, and send it to a seedy third-party who will use it to steal money, compromise accounts or make fraudulent purchases. They can also be used to gain control of a computer through the installation of a backdoor or a remote access Trojan (RAT).
  • Keyloggers: They allow a miscreant to capture every keystroke from your keyboard, including the keystrokes you use when you log into your online accounts.
  • Stalkerware: It's typically installed on a mobile phone so the owner of the phone can be tracked by a third party. For example, during the trial of Joaquín “El Chapo” Guzmán, it was revealed the drug kingpin installed spyware on the phones of his wife, associates and female friends so he could read their text messages, listen to their conversations and follow their movements.
  • Stealware: It's crafted to take advantage of online shopping sites awarding credits to websites that send traffic to their product pages. When a user goes to one of those sites, stealware intercepts the request and takes credit for sending the user there.
  • System monitors: They record everything that's happening on a device—from keystrokes, emails and chat room dialogs to websites visited, programs launched, and phone calls made—and send it to a snoop or cyber criminal. They can also monitor a system's processes and identify any vulnerabilities on it.

How does spyware work?

Spyware is distributed in a number of ways. One of the most common is getting users to click on a link that leads to a malicious website. Those links can be in emails, text messages, pop-up windows in a browser, and ads on web pages. Poisoned links have also been known to appear in Google search results.

Sometimes you don't need to click on a malicious link to get to an infected website. This is most commonly done through an infected ad delivered to legitimate websites through legitimate ad networks—also known as malvertising. On occasion, threat actors embed malicious code on legitimate websites that can infect a visitor just by landing on a page.

Such "drive by" infections are popular in so-called watering hole attacks. Those attacks—named for a hunting technique used by predators who wait for their prey to gather around a watering hole before assaulting them—usually target a specific group of users. For example, a high-profile watering hole attack took place in 2013 when a malicious script was discovered at a popular site for iOS developers, PhoneDevSDK. The script redirected visitors from PhoneDevSDK, which included developers from Apple and Facebook, to a drive-by site.

Opening infected files is another method of distributing spyware. Such files are typically attached to email messages disguised as originating with a trusted source, such as a bank or the U.S. Post Office.

Users, too, can be enticed to download spyware. A developer might tout their program as a useful addition to a software library, but it can contain spyware. In some cases, deleting the software from your computer will get rid of the application, but the spyware will be left behind and continue snooping on you.

Mobile phones can also be a target of spyware. Although both Google and Apple do a decent job of catching malicious apps distributed through their online stores, they're not perfect. In the fall of 2018, for instance, four programs in the Google Play store—including one to find embassies abroad—were removed after discovering they were infected with the Overseer spyware. Users should be especially wary of programs  distributed outside of the Google and Apple stores. 

Sometimes malicious apps can appear to be original programs, or they might masquerade as an existing program. For example, an outside-the-apps-stores version of Psiphon, a program designed to give people in countries with repressive regimes unrestricted access to the internet, was infected with Triout, spyware that reads text messages, takes screenshots, copies photos and records phone calls, videos and the GPS location of the phones it infects.

"A couple years ago, the prime distribution channel for spyware was still through watering hole attacks and the use of exploit kits," explains Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company. "These days, it has become mostly via email and SMS messages, followed by secondary downloads from compromised websites."

Social engineering remains the number one way to spread malware infections, maintains Jon Amato, a senior director analyst in the Atlanta offices of research and advisory company Gartner. "Tricking someone to go to a web page that exploits a browser vulnerability or exploits the user's gullibility is going to be the main way any malware gets distributed, including spyware," he says.

How to prevent spyware

Many spyware infections can be averted by users, maintains Tanner Johnson, a senior analyst with IHS Markit, a London-based research, analysis and advisory firm. "Spyware infections take place because individuals go to nefarious websites without knowledge," he says. "They click a random link. They open an attachment they shouldn't. They engage in poor cybersecurity practices."

Care should also be taken when downloading files. Files should only be downloaded from trusted sites. If you have a good antivirus or antimalware program, it will, in many cases, flag downloads that are infected. Make sure your security software comes from a reputable vendor. Malware authors have been known to bury their wares in bogus antivirus apps.

For mobile phones, it's best to download apps from Google Play for Android phones and the App Store for iOS mobiles. "Rooting" an Android handset or "jailbreaking" an iPhone should also be avoided if you're concerned about spyware. In an enterprise environment, it’s wise to make this a policy. Using mobile device management (MDM) software that limits the download to approved apps only is also a good option.

In addition, although it's unlikely that someone is going to physically access your phone to install spyware on it, always create a lock codefor your phone that only you know. This is a requirement in many corporate environments.

Even if you're careful about the links you click, the attachments you open, and the files you download, you still may be targeted by drive-by infections. Since drive-by attacks often depend on browser vulnerabilities to infect their victims, the risk of drive-by infections can be reduced by keeping your browser version up to date.

Since spyware is frequently connected to pop-up windows and advertising, there are several steps you can take address those malware conduits. Both the Mozilla Firefox and Google Chrome have built-in pop-up window blockers. They can be configured to block all pop-up windows or alert you when a website wants to launch a pop-up so you can decide whether you want to see it. You can also allow pop-ups automatically from trusted sites.

Malvertising threats can be addressed by installing an ad-blocker in your browser, if it doesn't already have that feature. AdBlock Plus is one of the most popular programs for blocking ads. Anti-tracking software, like Ghostery, can also be a valuable browser addition to reduce the risk of spyware infections.

In a corporate environment, a good endpoint protection solution will detect most adware. What likely to be most effective, though, is a strong security awareness program that teaches employees how to avoid adware and other types of malware infections.

How to remove spyware

If your computer appears unusually sluggish or crashes a lot, your browser becomes overpopulated with pop-up windows, or you begin to observe suspicious hard drive activity, your efforts to avoid spyware might have failed. That means you'll need to remove the infection.

Removing any kind of malware manually is difficult, but it can be even more so with spyware. The malware is designed to be clandestine. That means it will hide telltale signs of its presence, like icons. Checking system resources can be a dead end, too. Spyware authors often name their files to mimic the names of real system files to hide their identity.

A number of programs—some of them free—can detect and remove spyware. They include SUPERAntiSpyware, Malwarebytes, Avast Free Antivirus, AVG AntiVirus, Adaware, Trend Micro HouseCall, SpywareBlaster and SpyBot Search & Destroy. In addition, Actiance Security Labs maintains Spyware Guide, which lists thousands of spyware programs with links to tools for removing them from systems.

Spyware on smartphones can cause symptoms similar to computers, such as frequent system crashes and performance hits, but there are other signs, too. For example, the phone may start turning itself off and not responding immediately when you try to turn it back on. Other signs include faster battery depletion than normal, surges in data usage and unusual text messages in your inbox.

Another tipoff is modifications to your phone that allow it to download apps outside Google's and Apple's app stores. In Android, that's typically done by changing a phone's security settings to allow downloads from unknown sources. In iOS, it's sometimes done by planting on a phone an app called Cydia, which is used to download software on a jailbroken iPhone.

If you suspect you have spyware on your phone, you can back up your data and reset it to its factory settings. You'll also want to make sure you're running the latest version of its operating system.

As with computers, there are also security programs that can be used to scan a phone for spyware and remove it, although that solution may not be effective in every case. For Android phones, there's also a "nuclear option" called dr.phone. It will totally and permanently wipe everything on your phone—photos, apps, contacts, messages, call logs and all private data. It's not to be used lightly.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!