
Every Breath You Take: A CTI Review of Stalkerware

BSides Porto · 2020 · 36:27 · Published 2020-11

About this talk
A threat intelligence analysis of stalkerware—surveillance tools used in intimate partner violence and corporate espionage. The talk maps stalkerware capabilities, distribution, and threat actors using CTI methodology, then demonstrates technical analysis techniques (APK decompilation, VirusTotal pivoting, IoC extraction) to detect and track variants across Android devices and corporate environments.
Talk presented at the 2020 edition of Security BSidesPorto.
Transcript (en)

Moderator: Xena is a threat intelligence analyst in the financial services industry. She is also a graduate of the SANS Women's Academy, with several GIAC certifications. She is doing her PhD in cybersecurity at Marymount University. She is also a member of different cybersecurity communities and is a frequent speaker at several events. So, "Every Breath You Take". Xena, it's your time.

Xena: Thank you. Awesome, thank you so much for the introduction. I assume you can see the slides?

Moderator: Yes, yes.

Xena: Okay. So I am a CTI analyst, and I thought: what happens if I apply CTI methodology to something that isn't necessarily as conventional, such as stalkerware, right? Normally that's associated with domestic violence, people experiencing intimate partner violence. How could that possibly apply to corporate America? So sit back, relax, and I will step you through the methodology and reasoning and some CTI techniques, as far as how to take a complex subject and see whether or not it can be applied to corporate land, right?

So, for the lawyers: I am not speaking on behalf of anyone other than myself. This is a disclaimer for the lawyers, of course. You can also find me on Twitter at ch33r10. So I'm going to do a very brief overview of what it is, how it works, some of the tradecraft (this was really fun), and some hypotheses that I have, and at the very end I have a treat for some of the technical people.

So basically, stalkerware allows you to spy on people. I mean, that's narrowing it down to the simplest terms possible. Citizen Lab do a ton of research on this, and it's basically software that's used to facilitate intimate partner violence. Whatever is going on with relationships, it's basically a digital means to keep control of people. Some of the tools that can be used for intimate partner violence: just your regular commodity stalkerware (I could pull up Google right now and get a free one if I wanted), spyware of course, for mobile devices, dual-use apps, so I can track your location ("hey honey, put this on your phone and then I'll know everywhere you are and how long you stay there"), mRATs of course, shared accounts, and OSINT: social media, friends, family. So I could be like, "hey, you know, boyfriend's cousin, was he really at that place or was he somewhere else?" Just social engineering techniques with friends and family as a form of harassment.

So commodity stalkerware: if you look at it, there are basically different tiers of what people pay for with commodity stalkerware. It goes from the basic, like I can read your text messages, I can read your call logs, I can look at everywhere you browse on your phone, to your general location, right? And then it goes up from there, so I can gain access to your social media accounts. I can do a lot if I want to be bad, right? I can look at your files (here are just all of these icons I can look at), I can record video, I can listen to your voicemails, I can read all your email, I can change your phone settings, I can delete whatever I want. It pretty much gives me really good access to basically your life and your mind.

And here's a Citizen Lab report, and they have different stalkerware variants, so Cerberus (you can look it up right now and download a copy for yourself), FlexiSPY, and some of the other ones, MobiStealth, mSpy. So these are just ones to keep in mind as you're out there looking at things, when you hear some other names of stalkerware vendors.

So how does it work? Basically I'm going to focus more on Android devices, because Apple iPhones require being jailbroken, and basically what they do with that, if it isn't jailbroken, then they use your iCloud account and spy on you that way. So there's that. I'm not an iOS/Apple expert, so that's about my limited understanding with that, I'm sorry. As far as Android is concerned, that one is fun, because they modify a certain couple of settings, which I'll talk about later, and which is in a report that I've provided for you, for you to put in your TIP if you want, your threat intelligence platform. So the attacker needs physical access to the device, and then they modify some settings, and then they install the stalkerware.

So as a CTI analyst, I love the kill chain, because it's easy to map back to that, right? So you have your reconnaissance: they do recon on... I'll just use me as an example so that I stay safe.

So, you know, let's say I'm a bad person and I want to put stalkerware on someone's device. I would look at what they could possibly be interested in and use that as a lure, or be like, "oh honey, I see your hands are full of stuff, why don't I just hold your phone for you so it doesn't drop, because I don't want you to break your screen," right? And then while he's distracted I gain access to it and do what I want. Weaponization, so that's basically just getting the URL from the stalkerware so that you can install it, after you of course purchase the service. And then delivery: like I said, tricking whoever it is to gain access to the physical device. If I were a bodybuilder, which I'm not, which means if I were stronger, I could potentially threaten physical violence to gain access to the physical device. And then the good thing, the good thing though about commodity stalkerware for Android devices, is that there are no technical exploits, so it's just basically social engineering, which is obviously a problem. And then of course installation: the stalkerware vendors are so nice, they have 24/7 service, where basically you can call at, you know, three in the morning, because he or she is asleep, and you're like, "I need help, I can't figure out how to enter it," so they accommodate any requests, they're very helpful.

So commodity stalkerware: it's very easy to use, depending upon where it is (at least in the United States) it's legal-ish, it's very cheap, very, very cheap, and all I need is just to trick whoever it is to give me physical access. The mRAT is cheap-ish, it requires a little bit more technical sophistication and skill, and the other thing is it's generally illegal, generally.

So of course no CTI talk would be complete without MITRE ATT&CK. So one of the interesting things here, if you look at MITRE ATT&CK, they actually have tactics and techniques for mobile devices. So for me, because I was a victim of stalkerware for about two years, the person that did it against me, he used dental mold to lift my prints to gain access to one of my devices, and I was like, whoa, mind blown. I was in the shower, I didn't even expect it. So that's actually a MITRE ATT&CK technique, not specifically dental mold, but lock screen bypass. So people get very creative with gaining access to your device. I know, I lived it.

So the wonderful thing about the Citizen Lab stalkerware report is that they also tested the various stalkerware variants for AV detection, and I was like, oh my gosh, this is it, this is it. Because basically, you look at how stalkerware is, you look at mRATs, your different malware has very similar capabilities and how it operates, right? The only difference is how it's generally used, which, I mean, duh, hackers repurpose stuff all the time, right? And so the wonderful thing, or the scary thing, about stalkerware is that it has a very, very low AV detection, just because people don't really see it as a serious issue since it's domestic violence related. And I'm saying software that has malicious behaviors is bad, period, regardless of how it's branded or how people market it. The wonderful thing about this though, and this report, is that the EFF and Eva Galperin are in the process of talking with various AV vendors to actually get them to alert on stalkerware on people's phones, so that's a definite plus.

So now I'm going to go into the traditional targets. You know, I am an absolutely normal person, salt of the earth, you know, and I was targeted. I'm not anyone "special," so anyone can be subject to this. So now I'm going to talk about capabilities of stalkerware, like spying and stuff like that, and how that applies to different people in different areas, other targets. So we have children, of course: children have the parent apps. We have employees, where especially during COVID time there were articles where bosses were just going crazy, scrambling to try to find some sort of spyware that they can put on the devices so that they can monitor everything the employee does. The other thing is journalists. Unfortunately quite a few journalists have been murdered, like assassinated, so they are frequently targets of spyware, you know, government-grade stuff, right? And also the people that are friends or close associates of journalists are also targets. So we have dissidents, we have activists, allegedly, you know, the Black Lives Matter people: way back in, I think, 2014, the Chicago police, law enforcement, were actually accused of using some sort of police scanner against them, which had to do with spying on their mobile devices. Hong Kong residents were targeted with a watering hole attack to install iPhone spyware; now that one's sophisticated. And then of course the Dalai Lama was targeted with spyware, and Muslims as well. So basically no one's safe. Criminals, of course, are targeted with it. Terrorists: so this is a really funny story. So WhatsApp sent out a message to their users, and WhatsApp was like, "yo, you have been hacked," and so unfortunately one of the people that they notified was a terrorist that European law enforcement had used the NSO Group spyware to basically track. So when WhatsApp was like, "hey, you've been hacked," the terrorist was like, "oh no," and the trail went cold. So, yeah, the terrorists are targeted with it. And then of course military: there was a ban on TikTok, that would be a dual-use app. And I actually did some searching in the Spain/Portugal area, and apparently, allegedly, the Catalan politicians (and I apologize if I pronounced that wrong) and pro-independence movement leaders in Spain said that their phones were targeted with spyware. And a really great report by Lookout had

to do with Stealth Mango, which is an mRAT, and it targeted government officials and military people. And then of course law enforcement.

So who exactly is using this? Traditional, of course, relationships. And if you look at the stalkerware vendor breaches, you'll see a metropolitan police among FlexiSPY's users. Who knows if they were using it officially or if it was against their partner or someone else, who knows, right? They obviously didn't say. Motherboard filed a legal complaint against the metropolitan police for purchasing FlexiSPY, but the metropolitan police refused to look into it. So yeah. MobiStealth: yeah, military, FBI, ICE, DHS, TSA, every three-letter acronym are buying it with their work email. So operators, similar to the other ones, right? We have parents of course. Schools: Seattle, in the United States, settled a 610,000 claim for using the webcam on computers to spy on students. And of course companies: I already told you about the boss, and the FTC banned Retina-X from selling stalkerware as a company. And cybercrime, hacktivists, criminals, terrorists of course use it. El Chapo, so I don't know if you know about the drug lord El Chapo: he was notorious for using spyware and stalkerware against his partners and leaders in his organization, and the FBI was like, "hmm, we can probably get him with that." So they ended up collecting a ton of intel on him through the spyware that he thought he was leveraging to his benefit, which ultimately led to his demise. And then law enforcement: law enforcement in Miami had their own spyware made, it was called PenLink, and Sweden got permission to install spyware on criminals' phone devices. I already told you about the Motherboard one. And then Citizen Lab and Cellebrite; Cellebrite's known for creating something called cell phone interception devices. So, yeah, it's popular.

And then nation state: so when the politicians in Spain were saying that they're being targeted by spyware, what is it, Wired came out with a report, let me double check, yeah, I believe it was... oh no, it was Vice. So Vice actually said that Spain is involved with domestic espionage against political leaders in their country, and they're using NSO, which is a really well-known, like, government-grade spyware, like a no-click spyware essentially. So of course Spain refused to comment on that. And another example is Reckless One, which is a Mexican government APT, and they used Pegasus to go after Javier Valdez Cárdenas, who is known for investigating drug cartels, and people that were close to him were targeted just days after his death.

So here's some tradecraft that I'm going to share with you. So Kimber: this particular threat actor is not necessarily technically savvy (they might be). They do a lot of unilateral access to accounts, and they manipulate friends and family. They love using dual-use apps, and they use shared accounts: "oh, I saw you logged into such-and-such an account at such-and-such a time, why did you do that?" right? And they harass their partners or victims that way. Another one is Suki Win, and this is just your general run-of-the-mill commodity stalkerware operator, or spyware, and of course they resort to emotional and psychological abuse. Elektra: Elektra is more technically savvy, they're really good at social engineering and manipulating people, and this is of course the unethical use of social engineering. They're technical and they use mRATs generally. And then Poison Hydra: Poison Hydra is the one that says, "give me your phone or else I'll bash your head in," so they use a lot of physical threats and abuse to gain access and control over their particular victims.

So here are some hypotheses, and this is concerning the normal use of commodity stalkerware. With corporate America, I just suggest being really well versed in your environment, and to read up on it if you're really curious. This is probably the most important slide in this whole presentation, and it has to do with the Check Point research. They discovered that 75 percent of a multinational company's mobile devices were infected with an mRAT, and so they were specifically targeted by someone: they went after their MDM server, and then they compromised that, and they used it to push an mRAT to the org's mobile devices. And this is a big deal, because basically when anyone accessed any type of corporate resources with creds, those creds along with the 2FA codes were compromised. What the org had to do was a factory reset for all of the mobile devices. So this is real, it happened to a real company, it's a real threat. So if you use mobile device management, if you have a BYOD program, definitely look into what's going on with that, what people are allowed to install on there, because on the Google Play Store, if you look on there (and I'll show you later), there's a ton of spyware and stalkerware on there. The other thing is stalkerware vendors are notorious for being compromised, and they have misconfigs; hacktivists hate them and they try to hack them like all the time, and they have really, really horrible security practices. So just in the research that I did, these are some of the vendors that have been compromised recently-ish.

And I pulled together some stats of the amount of people in domestic violence situations and then the amount of stalkerware surveillance that they experienced. So in the United States, about 54 percent of intimate partner survivors were tracked with stalkerware, and then 25 of just anyone in general, of the particular subset of victims, have experienced intimate partner violence sometime in their life. So I took a random sampling of about 50,000 or 20,000 employees for the average company, and did a 50/50 split between men and women, just because the stats were based on that, so I didn't take into consideration all the other genders, excuse me. And so when I did all the math it came out to about 13.5 percent. So these are statistics that were created and generated in the United States from a ton of different organizations that do... like Citizen Lab did, the National Network to End Domestic Violence. So I tried doing some research on what is available in Portugal. So I found the Portuguese Association for Victim Support, and I read, or not read, but I translated, since I don't know Portuguese, I'm sorry, so I tried to translate it to the best of my ability, and looking through their annual report, I found these different things that may or may not be associated with stalkerware. And so when I added it all up, based upon the reports

that they received for this particular agency, approximately 4.7 percent of the reported cases had something to do with electronic/digital surveillance, or something that's related to that, in order to track and harass and whatever. So this does apply, just FYI.

So here are some CTI hypotheses of repurposed use of stalkerware. We of course have the insider threat; we have executives and employees. Your competitors: they can put stalkerware on your C-suite or key partners in your org. I mean, all I have to do is just listen to their conversations, and back before the age of COVID, I could track what companies they were going to and where they were traveling, to get kind of insider information about what they're doing or what they're up to, and how to strategically maneuver things, especially if I haven't hacked into your company yet, right? Industrial espionage: I'm not going to name names of countries here, but we recently indicted one here in the United States, that's all I'll say on that.

So here are some solutions. The Citizen Lab report has a bunch of IoCs, and I'll show you some more later, so those are things that you can use as well. I definitely recommend: do not jailbreak any of your phones. Bad, don't do it. And then stop using TikTok, especially on anything that has any type of corporate anything. You can do tabletops, so, like for instance the MDM solution earlier: do I have one of those? What happens with all the mobile devices? How would an attacker gain access to that? And then awareness: tell your employees never to leave their smartphones unattended, basic security hygiene. I have links for the report that I'll provide you. And then also resources: tallpoppy.io, they deal with a lot of this type of stuff, so if you don't really want to get involved in it but you want to provide resources to your employees, that's a good resource. safeescape.org as well, and then stopstalkerware.org.

So I went over a lot of high-level stuff for stalkerware, and now I am going to share with you some more of the technical stuff. So I made an assumption: let's say that my company gets breached, and I wanted to find out what would be the best avenue, right? And also to know the difference between manually reversing an APK versus looking at it on VirusTotal, Hybrid Analysis, and using a decompiler or something like that, right? And I used Kristina Balaam's YouTube video, because I definitely am not a reverse engineer, so I had to learn all of this myself, and I am saying, if I can do it, you can do it, and it is okay. So I just threw it in apktool, and this is manual, and it ended up giving me all these permissions, so it gave me a good idea of what the heck the APK does, right, in the event we get compromised. And then I threw it in dex2jar to pull it out, and then I put it in JD-GUI to be able to read the Java file, and I was able to look and pull out (I don't know if you can see that) a URL, and I'm like, huh, "the true spy," interesting. So then it gives me a good idea, I can look at what they're doing. And then also with the decompiler, it also provides information, if you don't want to look at apktool and you don't care about OPSEC-type stuff; this also gets it for you a lot easier, without having to install a million tools. And VirusTotal, as you can see here, it comes up as only 11 hits on VirusTotal; some of them say it's malicious, some of them don't. And here of course are the permissions again, and the domain, so that's good, check, check, we've got both of them. The added benefit though is in Hybrid Analysis: it also gave me a printout of the various TTPs associated with MITRE ATT&CK, so that's great. I was going to do it in Ghidra, but I already found out what I needed to know. If you have Ghidra skills, definitely do that.

So now we're going to pivot. I started with the Citizen Lab IoCs, right, and then I threw that in VirusTotal, and then I pivoted off that for other referring files and other things that it communicated with, and other requests that they made. Next I went to the various stalkerware vendor breaches, and I threw all of those into VirusTotal to see if I could find any additional associations, and I threw everything that I found into a CSV file that I put on GitHub, which I'll share with you. And then in infosec Twitter there was this big thing about an article being written on how to spy on your wife, so I used that as a search in Google and found a bunch of additional resources, and then I translated "spy on my wife" into Portuguese and I also found additional resources as well. And then I went to the Google Play Store and I put in the name of a popular one (it's really popular, so I just threw that in there), and oh look, more samples on the Google Play Store. So then I clicked on those, ended up getting the website, threw that into VirusTotal, picked out anything else I could find. The other thing is I looked at the SSL/TLS certs on it and pivoted off those too and found that.

Next was looking at security researchers. So nscrutables, if I said that right, he's really big on stalkerware as well, I highly recommend following him. He had a GitHub full of stuff, so I pulled out the IoCs from that. And then I went to Twitter and I just put hashtag #stalkerwareapk, and lo and behold, he shows up again, so I pulled those additional IoCs. And then of course MalwareHunterTeam, they're amazing, I pulled a bunch of stuff that they had on there; they usually alert people, they're like, "hey, this one isn't really detected in VirusTotal, so take a look." And then I looked at the various URL categories for the sites; as you can see, one came up as malicious, another one not so much. And then I did a specific search for Portugal, the submitter Portugal, and then various permissions, to see the location, look at your camera, take pictures, and your SMS text messages; nothing came up over the past 90 days, but that doesn't mean that there isn't something. And then there's a Metasploit stager that I found that was related to that, that was uploaded, so people are playing with it. And then of course here's a website, I'm gonna wrap it up, I apologize, you know, sites.google.com, and there is a threat report you can put in your TIP, as well as the indicators of compromise, additional information about stalkerware. Here is the GitHub that I can put in the chat after this is over as well. And thank you very much for your time, and that's it.

Moderator: Okay, thank you, thank you Xena. We have some questions here; I think we have too many questions, in fact, and this is an interesting topic, it involves everyone. So I have some questions and I will put some questions here. I will start... there are some, I have two questions here, that are more... they lead us to a big discussion, so I will leave that to the end, just to

give us just a point on that question, and then probably Catalin could talk with you offline to clarify the questions he put here, which are very relevant questions. I will start to ask you: one of the questions is, is there a simple way of finding out if your phone is running software as an individual? We are not in the area; is it easy, or do you need to be in the area?

Xena: Yes, so, in my resources there's a ton of stuff to look at in the threat report that I gave you, but really briefly, if you look at it, this is specific to Android devices. So if you look at the permission setting for Google Play: basically, if it says that it allows download from unknown sources, you can pretty much assume that you are compromised. So I would...

Moderator: The problem here is more with rogue applications and not official applications that should be validated by the app stores correctly?

Xena: So, I'm sorry, what? So I just said: check device administrators, Google Play; if Google Play Protect is disabled you are most likely pwned, and especially if "install apps from unknown sources" is enabled.

Moderator: And another question: what advice do you give to people that suspect that their phones are being monitored by their ex-partners, or anyone? For even people... what advice do you give?

Xena: Okay, so because I went through it for two years, the advice that I give: it doesn't get better, it escalates and it gets worse, and it's potentially life-threatening. I would avoid confronting, and I would honestly make an exit plan as soon as possible. If everything that you do is monitored, what I had to do is borrow other people's devices to communicate and get out of the situation, and as soon as I was physically safe I bought a new device and used that and set up everything new, changed my passwords and all of that. So that's how I personally got out of it. Your situation might be different; feel free to hit me up on Twitter, I'm happy to chat about this and offer additional resources.

Moderator: Just the final question, may I? This is probably a question that could lead to a PhD degree or something like that: how to correlate to the context related to automation, because we are correlating... what analysis you need to be performing to trigger an alarm, something that you are monitoring and collecting information on and that allows you to suspect that your phone is under surveillance, or experience process...

Xena: Oh, well, definitely...

Moderator: I think this question is important in the scope of a cyber threat intelligence platform: what could you bring to a platform to allow this detection and mitigation?

Xena: So on the GitHub that I provided for you all, there are hashes and domains that are associated with a lot of the stalkerware vendors that they call out to. So if they're monitoring your device and it's on the corporate network, you will see traffic for those particular stalkerware vendors, essentially. That's one way to alert. Some of the AV vendors, like Kaspersky, will notify you if an app has "too many permissions," because what I do when I look at something is I look at the permissions, like, why the heck would they need to look at my calendar and my contacts and all of that when it's not an app that's... do you know what I mean? So looking at those permissions, throwing it in the decompiler. Really quickly, the slides are available on GitHub, so feel free to pull those down, and I've detailed everything in there with the technical steps, and there's also like five pages of references. And feel free to reach me on Twitter as well. I apologize for going over, and thank you very much for the time.

Moderator: Yeah, thank you.

Xena: And thank you for having me.

Moderator: We have more questions, but I will finish the questions here, because you can do it offline, and to keep the time, keep on track on time. So thank you again, Xena, for your presentation.
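As an added example, not part of the talk and not taken from the speaker's GitHub material, the script below automates the two detection ideas raised at the end of the Q&A: reviewing the permissions an APK requests (as they appear in the AndroidManifest.xml that apktool decodes) and matching corporate proxy logs against a list of stalkerware vendor domains. It goes slightly beyond the talk in one respect: device-admin receivers and accessibility services are declared with an android:permission guard on the component rather than with uses-permission, so a review that only reads uses-permission misses them, and the code collects both. The two manifests, the log lines, the proxy-log field layout and the .example domains are constructed for this example, and the permission weights and the high/medium/low thresholds are my assumption, not a published standard.

```python
"""Added example, not from the talk: two stalkerware triage checks.
1. Score the permissions a decoded AndroidManifest.xml requests.
2. Match proxy-log hostnames against an IoC domain list (exact or subdomain).
All sample data below is constructed; weights and thresholds are an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# The capability set the talk describes (texts, call logs, location, mic,
# camera) plus persistence hooks. Weights are an assumption for this example.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.PROCESS_OUTGOING_CALLS": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALENDAR": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
}


def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus the android:permission guards on
    receivers/services: device-admin and accessibility hooks are declared
    there, not under <uses-permission>, so a uses-permission-only review
    misses them."""
    root = ET.fromstring(manifest_xml)
    perms = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    for tag in ("receiver", "service"):
        perms.extend(el.get(PERM_ATTR) for el in root.iter(tag))
    return list(dict.fromkeys(p for p in perms if p))  # dedupe, keep order


def score_permissions(perms):
    """Return (score, matched) for the surveillance-relevant permissions."""
    matched = sorted(p for p in perms if p in SURVEILLANCE_PERMISSIONS)
    return sum(SURVEILLANCE_PERMISSIONS[p] for p in matched), matched


def verdict(score):
    """Thresholds are an assumption; tune them against your own app population."""
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def triage_manifest(manifest_xml):
    perms = requested_permissions(manifest_xml)
    score, matched = score_permissions(perms)
    return {"score": score, "verdict": verdict(score), "matched": matched}


def host_of(url_or_host):
    """Normalise a URL or bare host[:port] to a lowercase hostname."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def matches_ioc(url_or_host, ioc_domains):
    """Exact or subdomain match; the leading dot keeps 'notevil.example'
    from matching an IoC of 'evil.example'."""
    host = host_of(url_or_host)
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_proxy_log(lines, ioc_domains):
    """Constructed log shape: '<epoch> <client_ip> <method> <url> <status>'.
    Returns (client_ip, hostname) for each line that hits the IoC list."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        client, url = fields[1], fields[3]
        if matches_ioc(url, ioc_domains):
            hits.append((client, host_of(url)))
    return hits


# --- constructed sample data (not real apps, domains or traffic) ----------
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.monitor">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

IOC_DOMAINS = ["stalkerware-vendor.example", "tracker-panel.example"]  # placeholders
PROXY_LOG = [
    "1604000001 10.0.0.12 GET https://www.example.org/ 200",
    "1604000002 10.0.0.12 POST https://api.stalkerware-vendor.example/upload 200",
    "1604000003 10.0.0.7 GET http://tracker-panel.example:8080/ping 200",
    "1604000004 10.0.0.9 GET https://notstalkerware-vendor.example/ 200",
]

if __name__ == "__main__":
    print(triage_manifest(SPY_MANIFEST))         # verdict: high
    print(triage_manifest(FLASHLIGHT_MANIFEST))  # verdict: low
    print(scan_proxy_log(PROXY_LOG, IOC_DOMAINS))
```

The permission score is a triage aid, not a verdict: a legitimate messaging or parental-control app can request several of the same permissions, so the score should route an app to a human review of its decompiled code and network destinations rather than block it outright. The domain matcher deliberately checks for a dot boundary, because a plain suffix test would also fire on look-alike hostnames that merely end with an IoC string.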