Introduction
Spyware is a category of malicious software designed to secretly collect information about a person or organization and transmit it to an unauthorized third party. Unlike ransomware, which makes its presence known through ransom demands, spyware is designed to operate silently for as long as possible, continuously harvesting sensitive data without the victim's knowledge or consent.
The information collected by spyware can include keystrokes, passwords, financial data, browsing history, email correspondence, instant messages, GPS location, phone calls, camera and microphone recordings, and virtually any other data accessible on the compromised device. This stolen data enables identity theft, financial fraud, corporate espionage, and political surveillance.
The spyware landscape ranges from crude adware bundled with free software to extraordinarily sophisticated state-sponsored surveillance platforms like Pegasus that exploit zero-day vulnerabilities to compromise modern smartphones without any user interaction.
"Spyware is the silent threat. By the time you know it is there, your private life has already been harvested, packaged, and sold -- or worse, weaponized against you." -- Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation
Types of Spyware
Keyloggers
Keyloggers record every keystroke typed on a device, capturing passwords, credit card numbers, personal messages, and all other typed content. They exist in both software and hardware forms:
| Keylogger Type | Implementation | Detection Difficulty | Examples |
|---|---|---|---|
| API-Level (Software) | Hooks keyboard APIs (SetWindowsHookEx, GetAsyncKeyState) | Medium -- detectable by security software | Most commercial keyloggers |
| Kernel-Level (Software) | Intercepts keystrokes at the kernel driver level | High -- operates below most security tools | Rootkit-based keyloggers |
| Form Grabber (Software) | Intercepts form data before HTTPS encryption | High -- targets browser internals | Zeus, SpyEye banking trojans |
| Hardware Keylogger | Physical device inserted between keyboard and computer | Very High -- invisible to software scans | KeyGrabber, AirDrive |
| Acoustic Keylogger | Records typing sounds and reconstructs keystrokes | Extremely High -- no software footprint | Research prototypes |
| Memory-Injection | Injects code into browser processes to read form data | High -- operates within trusted processes | Banking trojans |
Screen Capture and Recording
Screen capture spyware periodically takes screenshots or records continuous video of the victim's screen. This captures information that keyloggers miss: graphical passwords, on-screen keyboards, image-based content, and the visual context of what the user is doing. Advanced variants capture screenshots only when specific applications (banking sites, email clients) are in the foreground, reducing data volume while maximizing intelligence value.
On mobile devices, screen capture can be combined with camera and microphone access to record the physical environment. State-sponsored spyware like Pegasus can silently activate the camera and microphone without any visible indicator.
Information Stealers
Information stealers (infostealers) are specialized spyware that harvest stored credentials, browser cookies, cryptocurrency wallets, autofill data, and session tokens. Rather than passively logging keystrokes over time, they execute a rapid one-time sweep of the victim's stored data and exfiltrate it immediately. Prominent infostealer families include RedLine, Raccoon, Vidar, and Lumma.
Infostealers have become one of the most significant initial access vectors in cybercrime. Stolen session cookies let attackers sidestep multi-factor authentication: a cookie represents a session that has already passed MFA, so replaying it from the attacker's own machine hijacks authenticated sessions to cloud services, corporate VPNs, and financial platforms without triggering a login or an MFA prompt.
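Because a replayed cookie produces no failed login and no MFA challenge, the only server-side signal is the client behind the session changing. The following is an added example (not code from the page or from any of the products named above) of that check run over constructed access-log entries in a hypothetical key=value format: it flags a session id that is suddenly driven from a different platform, or from two clients at once, and down-ranks a plain IP change that could be mobile roaming.

```python
"""Flag replayed session cookies in web access logs (added example, not from the page).

A session id copied by an infostealer is still valid, so the server sees no
failed login and no MFA prompt. What does change is the client behind it: a
different source IP and User-Agent, and often the legitimate user is still
active in the same session. The log layout is a hypothetical key=value format
and every entry below is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one hijacked session (a1b2c3) and one benign IP change (d4e5f6).
SAMPLE_LOG = """\
2024-05-02T09:00:12Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" path=/dashboard
2024-05-02T09:03:40Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" path=/mail
2024-05-02T09:05:02Z sid=a1b2c3 ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" path=/settings/security
2024-05-02T09:05:30Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" path=/mail
2024-05-02T10:15:00Z sid=d4e5f6 ip=192.0.2.5 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/605.1.15" path=/dashboard
2024-05-02T13:40:00Z sid=d4e5f6 ip=192.0.2.88 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/605.1.15" path=/mail
"""

LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)" path=(\S+)$')


@dataclass
class Event:
    ts: datetime
    sid: str
    ip: str
    ua: str
    path: str


def parse_log(text: str) -> list[Event]:
    """Parse the hypothetical log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sid, ip, ua, path = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, ua, path))
    return events


def platform(ua: str) -> str:
    """Coarse OS family. Browser updates change version numbers, not this."""
    for key in ("Windows", "Linux", "iPhone", "Android", "Macintosh"):
        if key in ua:
            return key
    return "unknown"


@dataclass
class Alert:
    sid: str
    severity: str
    reason: str
    original: tuple[str, str]  # (ip, ua) that established the session
    new: tuple[str, str]       # (ip, ua) that later reused it


def detect_cookie_replay(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    by_sid: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_sid[e.sid].append(e)

    alerts: list[Alert] = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e.ts)
        first = (evs[0].ip, evs[0].ua)
        last_seen: dict[tuple[str, str], datetime] = {}
        reported: set[tuple[str, str]] = set()
        for e in evs:
            fp = (e.ip, e.ua)
            # Another fingerprint active inside the window means two clients are
            # driving one session at once, which a single legitimate user cannot do.
            concurrent = any(e.ts - t <= window for other, t in last_seen.items() if other != fp)
            last_seen[fp] = e.ts
            if fp == first or fp in reported:
                continue
            reported.add(fp)
            reasons = []
            if platform(e.ua) != platform(first[1]):
                reasons.append("client platform changed")
            if concurrent:
                reasons.append("used concurrently with the original client")
            severity = "high" if reasons else "low"
            if not reasons:
                reasons.append("source IP or browser build changed (roaming, or a quiet replay)")
            alerts.append(Alert(sid, severity, "; ".join(reasons), first, fp))
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] session {a.sid}: {a.reason}; new client {a.new[0]} / {a.new[1]}")
```

On the constructed log this raises a high-severity alert for `a1b2c3` (a Linux/Firefox client appears 82 seconds after the Windows/Chrome owner and that owner keeps using the session) and a low-severity one for `d4e5f6` (same iPhone, new IP, hours apart). Tie the high-severity case to an automatic session revocation; the low-severity case is a candidate for a step-up prompt rather than a kill.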
Browser Hijackers and Adware
Browser hijackers modify browser settings without consent -- changing the homepage, default search engine, and new tab page to generate advertising revenue or redirect searches through affiliate links. While less dangerous than credential-stealing spyware, browser hijackers track all browsing activity and inject advertisements into web pages. They often install browser extensions that are difficult to remove and resist settings changes.
Pegasus and State-Sponsored Spyware
Pegasus, developed by the Israeli company NSO Group, represents the pinnacle of commercial spyware capability. First documented by Citizen Lab and Lookout Security in 2016, Pegasus can compromise both iOS and Android devices, often through zero-click exploits that require no user interaction -- the target simply receives an iMessage or WhatsApp call, and the device is compromised without the user opening anything.
Once installed, Pegasus can:
- Read all messages (including encrypted messages in WhatsApp, Signal, and Telegram, by reading them on the device after decryption)
- Access emails, contacts, calendars, and photos
- Record phone calls and ambient audio via the microphone
- Activate the camera silently
- Track GPS location in real time
- Extract passwords and authentication tokens
- Access cloud accounts (iCloud, Google) by stealing authentication credentials
In July 2021, the Pegasus Project -- a collaborative investigation by 17 media organizations coordinated by Forbidden Stories and supported by Amnesty International -- revealed that Pegasus had been used to target journalists, human rights activists, lawyers, and political leaders in multiple countries. A leaked list of over 50,000 phone numbers selected for potential targeting included heads of state, cabinet ministers, and diplomats.
| Spyware | Developer | Capabilities | Known Targets |
|---|---|---|---|
| Pegasus | NSO Group (Israel) | Full device compromise, zero-click exploits | Journalists, activists, politicians in 45+ countries |
| Predator | Cytrox/Intellexa (North Macedonia/Greece) | Similar to Pegasus, one-click and zero-click | Politicians, journalists in Europe, Egypt, others |
| FinFisher (FinSpy) | FinFisher GmbH (Germany) | Desktop and mobile surveillance, intercept | Activists and dissidents in Bahrain, Ethiopia, others |
| Candiru (DevilsTongue) | Candiru (Israel) | Browser exploits, Windows spyware | Journalists, activists, politicians |
| Hermit | RCS Lab (Italy) | Android/iOS surveillance via ISP cooperation | Targets in Italy, Kazakhstan |
"There is no such thing as a backdoor that only works for the good guys. The existence of these capabilities is itself the vulnerability." -- Tim Cook, CEO of Apple, on commercial spyware
Stalkerware
Stalkerware (also called intimate partner surveillance software or spouseware) refers to commercially available applications marketed for monitoring family members or employees, but predominantly used by abusive partners to surveil their victims. These applications are typically installed on the victim's phone by someone with physical access to the device and operate covertly.
Stalkerware applications monitor text messages, call logs, GPS location, social media activity, photos, and browsing history. Some can record calls, activate the microphone, and take screenshots. Popular stalkerware apps have included mSpy, FlexiSpy, Cocospy, and TheTruthSpy.
The scale of the problem is significant. Kaspersky's annual stalkerware report for 2023 identified over 31,000 unique users affected by stalkerware globally. The Coalition Against Stalkerware -- founded by organizations including the National Network to End Domestic Violence, the EFF, and several cybersecurity companies -- works to improve detection, support victims, and advocate for legal restrictions.
Detecting stalkerware requires checking for unfamiliar applications with broad permissions (especially accessibility services, device administrator, and location access), unexpected battery drain, increased data usage, and devices that have been jailbroken or rooted without the owner's knowledge.
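The checks listed above can be scripted against what `adb` reports for an Android device. The block below is an added example, not code from the page or from the Coalition Against Stalkerware: it parses constructed stand-ins for the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, takes a per-package set of granted permissions (as reported by `adb shell dumpsys package <pkg>`) and a list of active device-admin components as plain Python data, and scores each third-party app. The package names, the `com.sysservice.update` app, the weights and the threshold are all hypothetical.

```python
"""Triage Android packages for stalkerware traits (added example, not from the page).

The inputs below are constructed stand-ins for adb output; package names, the
scoring weights and the threshold are hypothetical and should be tuned per fleet.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed output of: adb shell pm list packages -3 -i
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.sysservice.update  installer=null
package:com.bank.mobile  installer=com.android.vending
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.sysservice.update/.SyncAccessibilityService"
)

# Constructed: active device-admin receivers (taken from dumpsys device_policy)
ACTIVE_ADMINS = ["com.sysservice.update/.DeviceAdminReceiver"]

# Constructed: permissions shown as granted=true in dumpsys package <pkg>
GRANTED = {
    "com.android.chrome": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA"},
    "com.google.android.marvin.talkback": set(),
    "com.sysservice.update": {
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    },
    "com.bank.mobile": {"android.permission.CAMERA"},
}

# Permissions that expose messages, calls, location, contacts, or the room itself.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend with your MDM's installer
PM_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text: str) -> dict[str, str | None]:
    """Map package name -> installer package; pm prints 'null' for sideloaded apps."""
    out = {}
    for line in text.splitlines():
        m = PM_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            out[pkg] = None if installer == "null" else installer
    return out


def packages_with_accessibility(setting: str) -> set[str]:
    """The setting is a colon-separated list of pkg/ServiceClass entries, or 'null'."""
    if not setting or setting == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.split(":") if "/" in entry}


@dataclass
class Finding:
    package: str
    score: int
    flagged: bool
    reasons: list[str] = field(default_factory=list)


def triage_packages(pm_text, accessibility_setting, active_admins, granted, threshold=5):
    installers = parse_pm_list(pm_text)
    a11y = packages_with_accessibility(accessibility_setting)
    admins = {component.split("/")[0] for component in active_admins}
    findings = []
    for pkg, installer in installers.items():
        score, reasons = 0, []
        if pkg in a11y:  # can read every screen and every keystroke
            score += 3
            reasons.append("accessibility service enabled")
        if pkg in admins:  # resists uninstall, can lock or wipe the device
            score += 2
            reasons.append("device administrator active")
        if installer not in TRUSTED_INSTALLERS:  # sideloaded or unknown source
            score += 2
            reasons.append(f"installer={installer}")
        sensitive = sorted(p.rsplit(".", 1)[-1] for p in granted.get(pkg, set()) & SENSITIVE)
        score += len(sensitive)
        if sensitive:
            reasons.append("granted: " + ", ".join(sensitive))
        findings.append(Finding(pkg, score, score >= threshold, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage_packages(PM_LIST, ENABLED_ACCESSIBILITY, ACTIVE_ADMINS, GRANTED):
        print(("FLAG " if f.flagged else "     ") + f"{f.score:>2} {f.package}: {'; '.join(f.reasons)}")
```

The scoring deliberately keeps a screen reader such as TalkBack below the threshold: accessibility alone is a legitimate feature, and it is the combination of accessibility, device-admin, sideloading and broad data permissions in one unfamiliar package that characterises stalkerware. Run the real commands from a trusted laptop, not from an app on the suspect phone, and follow the safety guidance in the Removal section before acting on a hit.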
Infection Methods
Spyware reaches devices through numerous vectors depending on the sophistication of the attacker:
- Software Bundling: Spyware included with free software downloads. The installation is technically disclosed in lengthy license agreements that users do not read.
- Phishing: Malicious email attachments or links that install spyware when opened. Social engineering is tailored to the target.
- Drive-by Downloads: Exploiting browser or plugin vulnerabilities to install spyware when the victim visits a compromised or malicious website.
- Malicious Apps: Trojanized applications that slip past the review processes of official app stores, or that are sideloaded from third-party sources.
- Zero-Click Exploits: Exploiting vulnerabilities in messaging applications (iMessage, WhatsApp) to compromise devices without any user interaction. Used by Pegasus and similar state-sponsored tools.
- Physical Access: Stalkerware and some corporate monitoring tools require brief physical access to the target device for installation.
- Network-Level Injection: State actors with ISP-level access can inject spyware into legitimate software downloads or redirect targets to exploit pages.
Data Exfiltration Techniques
Once spyware has collected data, it must transmit that data to the attacker without detection. Common exfiltration methods include:
- HTTPS to C2 Servers: Encrypted connections to command-and-control servers that blend with normal web traffic
- Cloud Storage: Uploading stolen data to legitimate cloud services (Dropbox, Google Drive, OneDrive) that are unlikely to be blocked by corporate firewalls
- Email: Sending collected data as encrypted email attachments through webmail services
- DNS Tunneling: Encoding stolen data in DNS queries for a domain the attacker controls; outbound DNS is almost always permitted and rarely inspected, so the traffic passes through firewalls and network monitoring that would block other channels
- Steganography: Hiding exfiltrated data within image files or other innocuous-looking content
Advanced spyware throttles its exfiltration to avoid triggering data-loss-prevention (DLP) systems and times its transmissions to coincide with periods of high network activity.
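The DNS tunneling item above is the exfiltration channel most worth seeing end to end. The block below is an added example, not code from the page or from any spyware family it names: the encoder and decoder show the mechanism (stolen bytes chunked into base32 labels under an attacker-controlled domain, reassembled from the authoritative server's query log), and the scorer is the resolver-side detector a defender would run over query logs. The `exfil-test.example` domain, the "stolen" payload, the benign lookups and the thresholds are constructed for the example.

```python
"""DNS tunnelling: what exfiltration queries look like and how to flag them.

Added example, not from the page. The domain, the payload and the query log are
constructed; thresholds are starting points, not tuned values.
"""
from __future__ import annotations

import base64
import hashlib
import math
from collections import Counter, defaultdict

TUNNEL_DOMAIN = "exfil-test.example"  # hypothetical attacker-controlled zone

# Constructed stand-in for a stolen blob: hashes, so the bytes are deterministic
# but as dense as compressed or encrypted data would be (40 * 32 = 1280 bytes).
SECRET = b"".join(hashlib.sha256(b"chunk%d" % i).digest() for i in range(40))


def encode_for_dns(data: bytes, domain: str, chunk: int = 30) -> list[str]:
    """Attacker side. Base32 because DNS names are case-insensitive (base64 would be
    corrupted by resolvers that fold case); 30 bytes -> 48 characters, under the
    63-character label limit; a leading sequence number lets the receiver reorder."""
    names = []
    for i in range(0, len(data), chunk):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{i // chunk}.{label}.{domain}")
    return names


def decode_from_dns(names: list[str]) -> bytes:
    """Receiver side: sort by sequence number, restore base32 padding, decode."""
    parts = []
    for name in names:
        seq, label = name.split(".")[:2]
        label = label.upper()
        label += "=" * (-len(label) % 8)
        parts.append((int(seq), base64.b32decode(label)))
    return b"".join(p for _, p in sorted(parts))


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_domain(qname: str) -> str:
    """Last two labels. Production code should use the Public Suffix List instead."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def score_domains(qnames, min_unique=20, min_len=30, min_entropy=3.5):
    """Per registered domain: many distinct, long, high-entropy subdomains is the
    tunnelling signature. CDNs also have many subdomains, but short, low-entropy ones."""
    per_domain = defaultdict(set)
    for q in qnames:
        per_domain[registered_domain(q)].add(q.rstrip(".").lower())
    findings = {}
    for dom, names in per_domain.items():
        subs = [n[: -len(dom) - 1] for n in names if len(n) > len(dom) + 1]
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        findings[dom] = {
            "unique_subdomains": len(subs),
            "avg_subdomain_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy,
        }
    return findings


# Constructed resolver log: ordinary lookups, a CDN-style fan-out, and the tunnel.
SAMPLE_QUERIES = (
    ["www.example.com"] * 25 + ["mail.example.com"] * 10 + ["login.example.com"] * 5
    + ["img%d.static.example.net" % i for i in range(30)]
    + encode_for_dns(SECRET, TUNNEL_DOMAIN)
)

if __name__ == "__main__":
    assert decode_from_dns(encode_for_dns(SECRET, TUNNEL_DOMAIN)) == SECRET
    for dom, stats in sorted(score_domains(SAMPLE_QUERIES).items()):
        print(dom, stats)
```

Two caveats for real deployments: count per source host as well as per domain (one client emitting hundreds of unique names under a single zone is a sharper signal than the same volume spread across a fleet), and expect legitimate high-entropy subdomains from anti-virus lookup services and certificate-transparency style systems, which belong on an allow-list rather than being tuned away with a looser threshold.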
Detection and Indicators
Detecting spyware requires attention to both technical indicators and behavioral anomalies:
| Indicator Category | Symptoms | Investigation Steps |
|---|---|---|
| System Performance | Unexplained slowdowns, high CPU/memory usage, overheating | Check task manager/activity monitor for unknown processes |
| Battery and Data | Rapid battery drain, unexpected data usage spikes | Review per-app battery and data statistics |
| Network Activity | Outbound connections to unknown IP addresses, DNS anomalies | Monitor network traffic with Wireshark or a network monitor |
| System Changes | New browser extensions, modified settings, unfamiliar apps | Audit installed applications and browser extensions |
| Account Anomalies | Unknown logins, password reset notifications, MFA prompts not initiated by user | Review account activity logs for cloud and email services |
| Mobile Indicators | Camera/microphone indicators activating unexpectedly, device rooted/jailbroken | Check device integrity, review app permissions |
For mobile devices, Apple's Lockdown Mode (introduced in iOS 16) significantly reduces the attack surface by disabling features commonly exploited by spyware, including certain message attachment types and JIT JavaScript compilation. For comprehensive analysis, Amnesty International's Mobile Verification Toolkit (MVT) can analyze iOS and Android device backups for indicators of known spyware including Pegasus.
Removal and Recovery
The appropriate response to spyware depends on the type and sophistication of the threat:
- Consumer Spyware/Adware: Run a full scan with reputable anti-malware software (Malwarebytes, Microsoft Defender, etc.). Remove suspicious browser extensions. Reset browser settings. Check installed programs for unfamiliar entries.
- Stalkerware: Contact a domestic violence helpline before removing the software, as removal may alert the abuser and escalate the situation. The Coalition Against Stalkerware provides guidance. Consider obtaining a new device rather than cleaning the compromised one.
- Corporate/Advanced Spyware: Engage a professional incident response team. Preserve forensic evidence before remediation. Assume all credentials on the device are compromised and rotate them from a separate, trusted device.
- State-Sponsored Spyware (Pegasus-class): For high-risk individuals, factory reset the device and set up as new (do not restore from backup). Enable Lockdown Mode on iOS. Change all passwords from a separate device. Contact organizations like Citizen Lab, Access Now, or the EFF for specialized assistance.
After removal, change all passwords accessed from the compromised device, enable MFA on all accounts, monitor financial accounts for unauthorized activity, and consider credit monitoring services if financial data may have been exposed.
Legal and Ethical Landscape
The legal status of spyware varies significantly by jurisdiction and use case. In the United States, the Federal Wiretap Act (18 U.S.C. 2511) and the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030) prohibit unauthorized interception of communications and unauthorized access to computers. However, enforcement against commercial spyware vendors has been limited.
In November 2021, the US Department of Commerce added NSO Group and Candiru to the Entity List, restricting their access to US technology. In March 2023, President Biden signed an executive order restricting the US government's use of commercial spyware. The European Parliament launched an investigation into Pegasus use by EU member states, and several countries have faced legal proceedings over their use of commercial surveillance tools.
The Wassenaar Arrangement, an international arms control framework, includes "intrusion software" in its dual-use technology controls, though enforcement varies widely among participating states.
For related topics on how malware conceals its presence, see rootkits. For analysis techniques used to identify spyware, see malware analysis.
References
- Marczak, B., et al. (2018). "Hide and Seek: Tracking NSO Group's Pegasus Spyware to Operations in 45 Countries." Citizen Lab, University of Toronto.
- Amnesty International. (2021). "Forensic Methodology Report: How to Catch NSO Group's Pegasus." Amnesty International Security Lab.
- Forbidden Stories & Amnesty International. (2021). "The Pegasus Project." https://forbiddenstories.org/
- Kaspersky. (2024). "The State of Stalkerware 2023." Kaspersky Lab.
- Coalition Against Stalkerware. https://stopstalkerware.org/
- Electronic Frontier Foundation. "Surveillance Self-Defense." https://ssd.eff.org/
- CISA. (2023). "Protecting Against Malicious Use of Remote Monitoring and Management Software." Cybersecurity Advisory AA23-025A.
- European Parliament. (2023). "Report on the Investigation of the Use of Pegasus and Equivalent Surveillance Spyware." PEGA Committee.
- Apple. (2022). "About Lockdown Mode." Apple Support.
- Amnesty International. "Mobile Verification Toolkit (MVT)." https://github.com/mvt-project/mvt