Mobile Threat Blog

Spying Apps

The latest report from the front lines of the war on privacy comes to us as a result of a lawsuit filed in federal court against the Golden State Warriors, Signal360, and app developer Yinzcam. The complaint accuses the defendants of “systematically and surreptitiously intercepting consumers’ oral conversations without their consent” via an app created for the Golden State Warriors. The allegation centers around the use of audio beacon technology for precise location tracking, typically in-building. Specifically, the complaint states:

Unbeknownst to Plaintiff and without her consent, Defendants programmed the App to turn on her smartphone’s Microphone and listen-in. Specifically, because Plaintiff carried her smartphone to locations where she would have private conversations and the App was continuously running on her phone, Defendants App listened-in to private oral communications.

The plaintiff, LaTisha Satchell, characterizes it as “disconcerting” that “defendants hijack users smartphones and turn them into listening devices.”

It is disconcerting. At Appthority, we’ve been researching and discussing how mobile surveillance enables the stalker economy for quite a while. We observe that without debate we have evolved to “an economic model that requires continuous and comprehensive surveillance of mobile device users.” The Golden State Warriors app is simply one example of that. At Appthority, we know of many more such examples.

If you use a smartphone, your location, your online history, your contacts, your schedule, your data, your device, and your identity are all in play. Location is often referred to as the holy grail of mobile marketing. And, as the lawsuit claims, the surveillance activities are often done surreptitiously.

Why is this so valuable to advertisers and marketers? Because, as the lawsuit points out, a smartphone is something “which consumers carry on their person everywhere they go.” It’s constantly able to provide surveillance information of any kind, starting with location. If advertisers know where you are, they know a lot about you–and can therefore deliver the most effective ads.

But smartphones aren’t just a top target for marketers. We’ve recently learned about the Trident exploit, discovered by Citizen Lab when an alert smartphone user, Ahmed Mansoor, a human rights activist based in the United Arab Emirates, notified them of a suspicious SMS he had received. This very sophisticated exploit was aimed at Mansoor’s smartphone—not his personal computer, not his car, not his home, and not his office. Why was his smartphone the target? Because it is likely to be on his person everywhere he goes, able to know who every text, email and phone call went to, record every conversation, capture every email and text, track every online search and all web browsing activity, and know who his friends are and what his schedule is. In Mr. Mansoor’s case it wasn’t an ad network conducting surveillance; it was a threat actor with significant resources at its disposal, most likely a nation state.

For advertisers and marketers, as well as for hackers and nation states, the smartphone represents the most intimate and valuable target for surveillance. A compromised smartphone represents a threat, not just to the targeted individual, but to the organization or company with which they are associated and from which they invariably carry deeply sensitive information.

Any enterprise without a mobile threat detection solution is by definition unaware of what information is leaking, and from where. Information about employees’ activities, both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be as harmful as any APT attack when done at scale—and just as stealthy.