We depend on confidential information to secure networks, make payments, and communicate with colleagues or clients. Spyware compromises confidentiality, exposing information that should be private. The consequences can be severe for individuals and businesses. Learn more about spyware types, how it works, and how to prevent infections.

Spyware definition

Spyware is software that collects data from targets on behalf of third parties without consent. It is typically considered malicious, but some spyware operates in a legal grey area, like parental control tools or employer monitoring software.

Cybercriminals use spyware to extract personal information for sale or to use in secondary attacks. Infection can lead to damaging data breaches, leak user credentials, or allow competitors to access confidential information.

Less critical spyware collects data for advertisers to send targeted content, while states and companies also employ spyware in espionage or surveillance.

Whatever the root cause, spyware infections are evidence of weak security practices. Companies need spyware removal strategies to avoid these outcomes and protect their assets.

How does spyware work?

Protecting against spyware attacks begins with awareness of how spyware works.

The term "spyware" first appeared in a 1995 Usenet forum to mock Microsoft's data collection practices. The first reference to spyware as a form of malicious software appeared in 2000 when security firm Zone Labs reported that children's software Reader Rabbit was sending usage data to Mattel Corporation without user consent.

After that, spyware incidents exploded. By 2005, AOL reported that 61% of user devices carried some form of spyware. The problem has only worsened since then, with threat actors engineering many ways to track online activity and harvest user data.

Modern spyware tends to follow a similar pattern.

  1. Firstly, malicious spyware infects target devices or networks by breaching security systems. Infection can occur via downloads from fake websites, contaminated USB sticks, malicious ads, infected mobile apps, or email attachments from phishers.
  2. Agents install themselves and conceal their activity. They operate in the background, recording user activity. This can involve monitoring keystrokes, the sites victims visit, files they download, or even feeds from their cameras.
  3. Spyware then sends data to command and control centers. Controllers can then use this data in secondary attacks (such as identity theft, phishing, or credential stuffing) or sell data to third parties for a profit.

Types of spyware

There are several types of spyware. Each type uses a different technique to conceal its activities and extract data. Spyware removal methods also vary depending on what type is involved. The list below summarizes the most common variants encountered by contemporary organizations.

  • Keyloggers. They track users' keystrokes. This can capture financial information, login credentials, and detailed information about internet usage patterns.
  • Adware. Collects data about the sites users visit, their search queries, and any purchases they make online. Spyware agents send this data to controllers, who use it to deliver targeted ads via pop-ups or sell it to third parties.
  • Bundleware. Spyware can be bundled with legitimate software and activated when users install those products. This is a common way to work around user suspicions and conceal malicious spyware.
  • Rootkits. Rootkits enable attackers to implant spyware deep within the operating system and its system files. These agents are hard to remove because detecting them is very difficult.
  • Tracking cookies. Websites use cookies to track the other sites their visitors use. Threat actors can turn cookies into spyware by hosting them on malicious websites.
  • Trojans. Similar to bundleware, Trojans deliver spyware in disguise. Attackers can conceal spyware in documents, images, or streaming videos. Due to the exterior disguise, users can rarely tell whether downloads are legitimate.
  • Infostealers. Infostealers or password stealers are specialist spyware agents that harvest high-value data from target devices. Targets could include browser password lockers or instant messaging data. Sophisticated versions scan for relevant information, quickly finding material that attackers desire.
  • Red Shell. This form of spyware is associated with rogue game developers. Developers distribute Red Shell agents with downloads to monitor how players use their software and target ads for other titles or DLC.
  • Mobile spyware. Spyware can target mobile devices via SMS or app downloads. Attackers can then monitor communications and potentially hijack smartphone cameras.

Spyware has historically affected Windows devices and software more than other platforms. While macOS is less targeted than Windows, it is not inherently more secure. One 2023 study found that Macs accounted for around 1% of known malware infections. However, there is no room for complacency, with macOS spyware reportedly increasing. This highlights the need to secure every endpoint against infection.

How spyware attacks affect your network

Spyware infections on business networks are never good news. The first step in spyware prevention involves understanding the main attack techniques.

There are three common methods to look for:

  • Unsecured public wi-fi networks. Employees may use public wi-fi in airports or hotels to send work emails and access applications. Without encryption and firewall filters, these networks are vulnerable to malicious actors. Cyber attackers can use weak security to hijack wi-fi connections and implant spyware on user devices.
  • Vulnerable operating systems. Rootkit-style spyware attacks exploit weaknesses in the operating systems that underpin networks and user devices. This is particularly important for mobile devices, where delayed Android updates can leave code vulnerabilities unpatched. Attackers are quick to exploit these issues before new patches arrive.
  • Malicious downloads. Many spyware incidents result from malware downloads. Attackers may trick users into downloading risky email attachments. Seemingly legitimate websites may encourage visitors to download files that actually harbor spyware.

Once attacks occur, malicious spyware has many damaging consequences, and the effects extend beyond data exfiltration. Consequences of spyware infection may include:

Loss of data

Attackers constantly seek new ways to steal personal information for sale on the dark web. Spyware agents collect personal data and deliver it to cyber criminals, who advertise it on digital marketplaces.

Identity theft

Criminals use data harvested via spyware agents to build profiles of their targets. This can have two main consequences.

Firstly, attackers use specific personal information to make phishing calls or write persuasive emails. Targets may not know their data has been compromised and hand over additional information to criminals.

The second consequence is potentially more serious. Attackers can use stolen data to spoof user identities. Criminals armed with postal addresses, dates of birth, and credit card numbers can apply for loans or seek financial withdrawals.

Poor user experience

Spyware often disrupts the way users experience the internet. For instance, spyware infections could lead to constant advertisements or redirects to websites without the user's consent. This is a minor problem in isolation, but it can impair workflows and expose web users to malicious content.

Network performance issues

Spyware is designed to minimize resource usage and remain in the shadows, but this is not always true. Poorly coded spyware agents may consume system resources and result in slowdowns or excessive memory usage.

Spyware can conflict with internet security applications and—in worst-case scenarios—make devices inoperable via overheating.

Corporate espionage

Companies rely on intellectual property protection to keep their operations secret from competitors. Spyware infections may compromise data security, allowing rivals to access product or marketing databases.

Competitors may extract valuable data about client relations, leading to loss of business and reputational harm. This is a particular problem when spyware infects mobile devices. Employees may communicate with clients via smartphones, including payment details and customer complaints. Rivals can leverage this information to steal customers.

Compliance problems

Companies that fail to secure their systems with robust spyware protection put user privacy at risk. For example, vulnerable e-commerce websites could unwittingly deliver spyware to customers. This may expose user data and lead to GDPR violations.

Common examples of spyware attacks

Spyware is not an abstract network security threat. There are many real-world examples of surveillance-based malware, with consequences ranging from mild to devastating.

SpyEye: stealing banking data across the world

SpyEye is a banking Trojan developed by Russian threat actors called Gribodemon and Harderman and mainly operated by an Algerian under the alias Bx1.

Between 2010 and 2012, the duo sold spyware to 150 clients, who infected 50 million target devices. The agent harvested credit card numbers, online bank logins, and PINs required to access bank accounts. Costs eventually reached $1 billion before the attackers were arrested and imprisoned.

DarkHotel: enabling whaling attacks on high-value targets

Some types of spyware are directly linked to phishing scams that target executives (also known as whaling scams). Of these agents, DarkHotel is probably the most effective and best-known.

DarkHotel is an advanced persistent threat (APT) that exploits poorly secured hotel wi-fi networks. The controllers of the agent target luxury resorts and hotels that high-value targets regularly patronize.

When targets check into hotels with compromised networks, DarkHotel delivers a keylogger and infostealer. The spyware usually achieves this via fake Google or Adobe updates. Hotel visitors download the update and activate the spyware. Attackers access any data stored on the device and keystrokes made on the hotel network.

Pegasus: tracking world leaders without their knowledge

State-controlled spyware has become notorious since the exposure of Israeli-designed Pegasus software. Pegasus is an off-the-shelf spyware product targeting Android and iOS phones that is extremely hard to detect.

In 2021, news emerged that Pegasus had targeted 50,000 individuals. Victims included murdered Saudi dissident Jamal Khashoggi, anti-corruption journalists, women's rights campaigners, and even high-profile Indian politicians like Rahul Gandhi.

Pegasus is hard to detect because it self-destructs after 60 days without control commands. It also uses adaptive malicious code. When possible, the agent uses Android or iOS rootkits to access smartphone operating systems. If that fails, it asks users for permission to gather low-level data.

CoolWebSearch: an annoyance that can pose a serious threat

First appearing in 2003, CoolWebSearch only affected Microsoft Windows devices and is probably the most famous combination of spyware and adware.

The CoolWebSearch agent infected web browsers and changed users' home pages to a fake search engine (coolwebsearch.com). The spyware then delivered pop-up ads, even if the victim changed their home page back to normal.

What made CoolWebSearch harmful was its resistance to removal. If users acquired infection via malicious downloads, they had to uninstall every component before removing the spyware.

Many malware tools at the time failed to detect it, leading some commentators to label it "the Ebola of spyware."

Ways to guard against spyware attacks

Spyware is extremely common and potentially damaging for businesses and individuals. Organizations need strategies to prevent spyware infiltration and block data collection at the source. Follow the best practices below to secure your assets and remove spyware reliably.

Preventing spyware attacks

Ideally, organizations can avoid the need to remove spyware by preventing attacks in the first place. Here are some tips about how to do so.

  • Train employees to use the web safely. Employees should not download attachments from untrusted contacts or download files from websites without a business justification. Always use reputable app download platforms and avoid reliance on free software. For example, free Virtual Private Networks may be appealing. However, free products often use spyware to monetize users.
  • Scan all files to detect spyware agents. Use threat detection systems to scan all downloads or connected devices.
  • Change passwords regularly. Spyware may record login credentials, potentially enabling network access. Requiring strong, regularly changed passwords shrinks the window for attackers to launch secondary attacks.
  • Use multi-factor authentication. Similarly, MFA adds another barrier to prevent unauthorized access. Attackers would need access to unique or one-time credentials to leverage credentials obtained via spyware.
  • Update security tools regularly. Ensure virus and malware detection software is up-to-date. That way, your security tools will include the latest threat information. It's also important to update internet-facing applications and operating systems. Unpatched assets open the way for rootkit and other exploit attacks.
  • Use mobile devices safely. Employees should adopt secure mobile device policies. For example, secure remote connections with VPNs and avoid granting extensive permissions to unknown apps (especially for cameras and microphones). Don't allow employees to use personal devices to access business resources.

How to remove spyware

The other side of the spyware security challenge is removing surveillance agents when you detect them.

  • Install anti-spyware software. Most importantly, security teams must install scanning and threat removal software. Scanning tools must draw on cutting-edge spyware databases to cover the latest threats.
  • Schedule regular scans of all critical assets. Don't allow spyware to multiply across network assets. Adopt a proactive scanning policy to catch threats as quickly as possible.
  • Clear browser caches regularly. Many web-based surveillance agents use standard tracking cookies. Erase browser cookies and the cache regularly so that any tracking cookies remain active for as little time as possible.
  • Check installed applications and processes. If you suspect a spyware infection, check installed applications on affected devices. Remove unknown apps and check background processes. Spyware may appear as an unknown process without being detected by scanning tools.
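One way to make the "check background processes" step repeatable is to compare a process listing against a baseline recorded on a known-clean device and flag anything unknown, especially executables running from user-writable directories or under hidden (dot-prefixed) names. This is an added example, not code from the article or from any product it mentions; the `ps -eo pid,user,comm,args` column layout, the BASELINE allowlist and the sample listing are all constructed assumptions.

```python
"""Triage a process listing for unknown background processes (added example).

Assumption (not from the article): the input is `ps -eo pid,user,comm,args`
output, and BASELINE is an allowlist of executable paths recorded on a
known-clean build of the same device. All data below is constructed.
"""
import shlex

# Constructed allowlist recorded from a known-clean build of the same device.
BASELINE = {"/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/bash",
            "/usr/lib/firefox/firefox"}

# Locations a legitimate background service has no business running from.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

# Constructed sample `ps -eo pid,user,comm,args` output, not real device data.
SAMPLE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     systemd         /usr/lib/systemd/systemd --system
  812 root     sshd            /usr/sbin/sshd -D
 1433 alice    bash            /usr/bin/bash
 1902 alice    firefox         /usr/lib/firefox/firefox
 2210 alice    .kworker        /tmp/.x/.kworker --hide
 2375 alice    update-svc      /home/alice/.cache/update-svc --start
"""

def parse_ps(text):
    """Return (pid, user, comm, exe_path) for each data row of the listing."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        pid, user, comm, args = line.split(None, 3)
        exe = shlex.split(args)[0]                # first token of the command line
        rows.append((int(pid), user, comm, exe))
    return rows

def triage(text, baseline=BASELINE):
    """Return [(pid, exe, reason)] for processes that deserve a closer look."""
    findings = []
    for pid, user, comm, exe in parse_ps(text):
        if exe in baseline:
            continue                              # known-good on this build
        reasons = ["not in baseline"]
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("runs from a user-writable directory")
        if comm.startswith(".") or exe.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden (dot-prefixed) name")
        findings.append((pid, exe, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for pid, exe, why in triage(SAMPLE_PS):
        print(f"PID {pid}: {exe} -> {why}")
```

A hit on this list is a lead for investigation, not proof of infection; confirm it by inspecting the binary and its persistence mechanism before removing it.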

If you suffer a spyware infection and suspect data exfiltration, it's important to research the degree of exposure. In this situation, it makes sense to use Dark Web Monitoring solutions like NordStellar. Experts can detect data for sale on the Dark Web and help you understand the severity of your spyware attack.

It's always important to take spyware seriously. Take action to prevent infection and create robust processes to remove spyware when you detect attacks.