I Tracked Myself With $170 Smartphone Spyware that Anyone Can Buy
For a relatively small fee, you can snoop on someone’s messages, call logs, photos, and location from across the planet.
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
In a rundown and noisy Berlin bar, a friend and I were having a private conversation. But nearly 4,000 miles away, someone was listening from their New York apartment.
With a single SMS message, this spy had remotely activated the microphone in my smartphone, turning it into a portable and surreptitious eavesdropping device. It wasn't some top-secret government program, or an expensive piece of surveillance gear that made this possible. It's something anyone can do for as little as $170, or sometimes less.
Welcome to the largely unregulated industry of consumer spyware—powerful, malicious software for computers and mobile phones that jealous lovers, commercial competitors, or crooked cops can buy online.
"They can be average depending on what package you buy, and they can be extremely, extremely potent," Yalkin Demirkaya, president of Cyber Diligence and a forensic investigator who has worked on cases that involved off-the-shelf malware, told Motherboard in a phone call. Demirkaya said he had heard allegations of one law firm using spyware against another firm to steal sensitive information, and that he has dealt with around two dozen cases that involved consumer spyware, including computer and mobile versions.
For a more tangible understanding of just how powerful this sort of malware is, Motherboard purchased one piece of software for infecting Android devices—SpyPhone Android Rec Pro, from a Poland-based company. The company markets itself to detectives, but it appears anyone can buy technology from its website; the site also advertises phone cracking hardware for circumventing the passcode on mobile phones.
SpyPhone Android Rec Pro can make copies of all SMS messages sent or received by the infected phone, preserve the device's call log, steal photos taken with the phone's camera, and pinpoint where the device is located within 5 metres using GPS. It then sends all of this collected information to a provided email address, either once a day or as frequently as every hour. As the name suggests, the malware also intercepts all incoming and outgoing phone calls, and, as demonstrated, allows the remote activation of the device mic. The 'activation' SMS, however, was visible to the target device, which would possibly alert the victim.
(For legal reasons, Motherboard only conducted phone conversations with the full, prior consent of each person on both ends of the call. Intercepting communications can be a federal offense under US law.)
Shortly after placing an order, the spy company sent Motherboard an email with a download link to the malware, an invoice, and a user manual.
"In view of constant changes of application detection by Google, please download it directly from the mobile phone browser by using the following link," the email read. The file itself was an .APK, an Android application. The program cost just over £140, or $170 USD.
Within minutes, I had downloaded the malware, turned off an Android security setting that would allow it to install itself, entered my subscription key, and was ready to collect data. If I was trying to do it quickly—while, say, my target had left their phone on a bar table—I could probably set it all up in seconds. (Installing the malware requires physical access to a device.)
By default, the user interface for the malware is displayed on the phone's home screen like any other app, but this can be hidden by ticking a particular setting. After that, an attacker just needs to type their subscription code into the phone, and it will pop up again. Besides turning the mic on with a specific text message, SMS can also be used to remotely change the malware's settings or to deactivate the spying tech.
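For defenders, the traits described above (an APK installed from outside Google Play, access to SMS, calls, microphone, location and photos, and an optionally hidden icon) can be turned into a triage check. The following is an added example, not part of the original article or any vendor's code; the package names and sample data are constructed, and the four-capability threshold is an assumption.

```python
import re

P = "android.permission."
# Android permissions behind each capability the article describes.
CAPABILITY_PERMS = {
    "sms_copy": {P + "READ_SMS"},
    "sms_command": {P + "RECEIVE_SMS"},
    "call_log": {P + "READ_CALL_LOG"},
    "microphone": {P + "RECORD_AUDIO"},
    "gps": {P + "ACCESS_FINE_LOCATION"},
    "photos": {P + "READ_EXTERNAL_STORAGE", P + "READ_MEDIA_IMAGES"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add OEM stores as needed
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(listing):
    """Parse `adb shell pm list packages -i -3` lines into {package: installer}."""
    matches = (PKG_LINE.match(line.strip()) for line in listing.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def triage(installers, requested, launcher_pkgs, min_caps=4):
    """Flag sideloaded apps covering >= min_caps capabilities; hidden-icon apps first."""
    findings = []
    for pkg, installer in installers.items():
        perms = requested.get(pkg, set())
        caps = sorted(c for c, needed in CAPABILITY_PERMS.items() if perms & needed)
        if installer not in TRUSTED_INSTALLERS and len(caps) >= min_caps:
            findings.append({"package": pkg, "installer": installer,
                             "capabilities": caps, "hidden_icon": pkg not in launcher_pkgs})
    return sorted(findings, key=lambda f: (not f["hidden_icon"], -len(f["capabilities"])))

# --- Constructed sample data (hypothetical package names) ---
SAMPLE_LISTING = """\
package:com.example.flashlight  installer=com.android.vending
package:com.example.messenger  installer=com.android.vending
package:com.example.sysservice  installer=null
package:com.example.puzzle  installer=com.google.android.packageinstaller
"""
CORE = {P + n for n in ("READ_SMS", "RECEIVE_SMS", "RECORD_AUDIO",
                        "READ_CALL_LOG", "ACCESS_FINE_LOCATION")}
SAMPLE_REQUESTED = {  # requested permissions, as shown by `adb shell dumpsys package <name>`
    "com.example.flashlight": {P + "CAMERA"},
    "com.example.messenger": set(CORE),
    "com.example.sysservice": CORE | {P + "READ_EXTERNAL_STORAGE", P + "INTERNET"},
    "com.example.puzzle": {P + "INTERNET"},
}
SAMPLE_LAUNCHER = {"com.example.flashlight", "com.example.messenger", "com.example.puzzle"}

def run_sample():
    return triage(parse_installers(SAMPLE_LISTING), SAMPLE_REQUESTED, SAMPLE_LAUNCHER)
```

A match is a lead for closer inspection rather than proof, since sideloaded apps with wide permissions can be legitimate.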
I took the malware-loaded phone across Berlin for a touristy day out: through Alexanderplatz, over to Museum Island, to a coffee shop in Friedrichshain, and then back across the city to the dive bar, when the "spy"—a colleague in New York—activated the device's microphone. Every five minutes, the phone recorded my GPS location, and the malware silently stole any photos I took with the phone's camera.
Meanwhile, the automatically generated reports included the latitude and longitude of my phone, and a handy link to the location on Google Maps. Phone call logs came with an audio file of the conversation, and it even alerted when the phone was powered down. (The device did not collect data while it was switched off.)
A map showing the GPS locations recorded by the malware. (Map created by the author, but the malware reports do include links to automatically generated Google Maps for each GPS record too.)
SpyPhone Android Rec Pro is far from the only example of consumer spyware. Myriad companies creating and reselling this sort of technology exist. TheTruthSpy claims to offer much of the same capability, as well as monitoring of WhatsApp messages, Facebook chats, and internet browsing history. XNSpy promises to continue collecting data on the target when the device is not connected to the internet. And Highster Mobile says users can remotely turn on the phone's camera. (Many companies sell malware for iPhones too, but this typically requires the device to be jailbroken as well.)
Clearly, this is exceptionally powerful malware. Indeed, as Forbes and security researcher Morgan Marquis-Boire found, some of this spyware has apparently been copied by those in the government malware business, and uses much of the same code. But consumer spyware is not marketed to governments. Instead, many of the companies explicitly gear products toward jealous lovers—especially men—who want to monitor their spouses.
"Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won't," reads the website of FlexiSpy, another company selling spyware.
Cindy Southworth, executive vice president of the National Network to End Domestic Violence, pointed to several examples, including one from a website called HelloSpy.
"It showed a woman thrown off a bed as part of their advertising for their spouse-tracking," Southworth told Motherboard in a phone call. Another image on the HelloSpy website, online at the time of writing, includes a woman, with her face cut and bruised.
"It's repulsive, it's misogynistic, it's gross," Southworth added.
Spyware being used to monitor lovers or facilitate domestic violence has a nearly two-decade-long history, with plenty of cases involving phone and computer hacking. But many seem to have fallen under the radar.
At the turn of the millennium, snoops used programs to keep tabs on people as they used Windows-based machines. In 2001, Steven Paul Brown allegedly installed a piece of software called eBlaster onto his ex-wife's computer, which would monitor all of her browsing data and email it to Brown. In 2006, a 28-year-old computing student in the UK was sentenced to life in prison for killing his wife in a brutal knife attack. He had used a piece of sophisticated software to monitor his wife's computer.
A year later, a police officer faced two felony counts after allegedly spying on an ex-girlfriend with a piece of software made by Real Tech Spyware. The software, delivered to the target in a malicious email attachment, was able to record keystrokes, giving the officer access to the ex-girlfriend's email account. According to media reports at the time, the man had previously admitted to using software to track women. And in the same year, a man from Austin, Texas, was jailed for four years for installing SpyRecon on his estranged wife's computer. The software monitored what sites she had visited and read her messages.
But the introduction of smartphones opened up a whole new avenue of surveillance. Spyware could now intercept phone calls, track a device's GPS location as its owner moved around, and extract much of the information that apps might collect. In 2014, Cid Torrez faced charges for bugging his wife's work phone with spyware. (Torrez was indicted for killing his wife years earlier.) The following year, one man allegedly used surveillance software to monitor his ex-wife's phone during divorce proceedings.
Of course, not every case ends up in a criminal charge, let alone a conviction. An NPR investigation in 2014 found that 75 percent of 70 surveyed domestic violence shelters encountered victims whose abusers had eavesdropped on conversations using hidden apps.
Some spyware companies include terms and conditions on their websites, likely in an attempt to distance themselves from these sorts of cases.
"SOFTWARE INTENDED FOR LEGAL USES ONLY," a disclaimer on mSpy's website reads. "It is the violation of the United States federal and/or state law and your local jurisdiction law to install surveillance software, such as the Licensed Software, onto a mobile phone or other device you do not have the right to monitor." Motherboard sent the company behind SpyPhone Android Rec Pro a detailed list of questions about their product, its legality, and its potential applications, but did not receive a reply.
Companies that sell consumer spyware, and in particular those that market it explicitly for monitoring lovers, have been charged, sued, and pursued by officials.
In 2005, federal authorities announced a 35-count indictment against Carlos Enrique Perez Melara, the alleged creator of an $89 piece of software called "Loverspy." The malware was distributed through innocent-looking images, which, when clicked, installed the software onto the target machine. A thousand people worldwide bought the program and used it to extract information from more than 2,000 computers, according to the FBI at the time. Two men and two women were also indicted for their alleged use of the tool. Perez Melara, however, has eluded authorities for years. The FBI added him to the agency's most wanted list in 2013.
Prosecutors had a bit more success against Hammad Akbar, the CEO of a spyware product called StealthGenie. He pleaded guilty to sale of an interception device and advertisement of a known interception device in 2014, and paid a $500,000 fine.
According to forensics investigator Demirkaya, following this case some US spyware companies dropped the ability to intercept calls from their products. But the prosecution appears to have done little overall to the easily accessible spyware market. On a YouTube video advertising a piece of malware similar to the one I tested, one commenter wrote recently, "I want to track my wife."
Back in the dive bar, my phone should have stopped recording after three minutes. But I couldn't help looking at its black screen, paranoid that it was still on.
Update: This piece has been updated to clarify that consumer spyware is also available for iPhones.
If you are concerned that consumer spyware may have been installed on your phone, here is some basic advice on what to do next.