Off-the-shelf spyware is often marketed towards jealous lovers to spy on their spouse.
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
On Wednesday, Motherboard showed how powerful off-the-shelf, $170 spyware really is. For a day, I used a piece of software on my phone to surreptitiously collect GPS location data, intercept phone calls, and silently steal photos.
Although a hacker can only infect a phone if they have physical access to the device, the threat from this type of malware is very real. It is heavily used by, and marketed towards, jealous lovers to spy on their spouses. For around two decades, people have used spyware for this purpose, with many cases ending up in violence or even murder.
What can potential victims of this type of surveillance do to check if they're being monitored? What are some of the best practices to keep in mind to make installing the malware harder? And what can those who are certainly being spied on do?
Unfortunately, this is actually one of the harder information security threats to reliably give advice for.
"The threat model against this is very complicated because you don't know really how much private space the abuse victim has," Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, told Motherboard in a phone call.
Some victims may not have the personal space to effectively hide a second phone; others may have been forced or coerced to give up their phone passcode, and not everyone can afford two phones and any costs that come with that.
"Domestic violence and stalking is not just about monitoring; it's about monitoring and then using that information to cause fear," Cindy Southworth, executive vice president of the National Network to End Domestic Violence, told Motherboard in a phone call.
At least there are some things that may help, or give you a heads up, in a tricky situation like this.
"My number one tip for victims is to trust your instincts. If your instincts tell you that your ex or your current partner knows too much about you, it's entirely possible they're monitoring your activities," Southworth said.
The abuser may drop hints—some subtle, some not—that they are surveilling the victim. In one case Southworth brought up, a woman was looking at a particular pair of shoes on the internet. Shortly after, her ex-partner sent the woman the exact URL, and said they would look great on her.
"It was a power trip," Southworth said.
For iPhones, a snooper typically has to jailbreak the device first in order to install the malware. One way to check is to search the phone for the "Cydia" app—an app store that sometimes comes with a jailbroken device. Typically, fully up to date iPhones are harder for members of the public to jailbreak as well, so regularly installing upgrades is important. If someone gave you the phone, perhaps as a present, rather than buying it yourself, that could be another indicator.
Restoring a device to factory settings to remove any malware would be a fairly safe bet, according to Southworth, who has surveyed many of the products on the market. Although the Android malware used by Motherboard did have protections in place to make removing it harder.
If the victim is aware they are under surveillance—perhaps their partner told them to install the software—they may not have a choice in removing the spy-tool, but at least they can then use another phone to contact an attorney or someone else for help. In Australia, for example, the Women's Services Network (WESNET) gives new smartphones to victims of domestic violence.
Indeed, if you genuinely believe you are being monitored with consumer spyware by a spouse, seek advice from a professional, and contact them from an uninfected phone, if you feel safe to do so.