In 2003, Atir Raihan began work on a product that has gone on to gain infamy in the world’s security industry. His idea: to build a spyware program for mobile phones that would allow people to catch a cheating spouse.
“I remember eight years ago, having a drink with friends and telling them about my personal situation. It involved infidelity with an old girlfriend,” Raihan recalled recently. Wouldn’t it be good, he thought, if there was a technology that could help him get to the bottom of it?
Seeing a potential business opportunity, as well as a solution to his relationship dilemma, Raihan and his Thailand-based company, Flexispy, developed a product of the same name that can secretly track calls and texts made to and from a mobile phone.
Flexispy can’t be installed remotely, so the user has to get hold of the phone and download the software to the device. Once it’s there, the program logs all texts and calls on the device. It can also allow a remote party to listen in on a conversation, and to use the GPS to track a person’s location.
Since its release in 2004, similar products have cropped up from companies such as Mobile Spy, which is marketed as a way to spy on children and employees, and MobiStealth, aimed at parents, employees and law enforcement agents.
While the products are used worldwide, they seem to have been doing particularly well in China. About 10,000 users there are being “infected” with Flexispy each month, estimated Zou Shihong, vice president with mobile security firm NetQin.
Within a small monthly sample of the company’s Chinese clients, 1,000 users were found to have Flexispy installed on their phones, Zou said. In contrast, the company found about 300 cases in a sample of clients in the US, according to a NetQin chief scientist.
Products like Flexispy raise obvious ethical and legal questions. While simply buying such software is not illegal in most countries, how it is used can put users on the wrong side of the law. Wire-tapping is illegal in most countries without a court order, for example. Tampering with a person’s phone might also lead to trouble.
“These products violate privacy,” said Zhang Qiyi, a lawyer in China, where the government has tried to ban Flexispy with mixed success.
Once the program is installed, data from the handset is secretly routed to a server operated by Flexispy. The user can log into the server to read messages and check call logs. The software can also activate the phone’s microphone, so it can be used as a bugging device to listen in on nearby conversations.
An annual subscription costs between $149 and $349, depending on the features. It is available for most major phone OSes, including Apple’s iOS, Google’s Android and Nokia’s Symbian.
In 2007, a year after it went on sale in China, authorities there stopped one of its distributors from selling the product. The word “Flexispy” has even been blocked from searches on China’s popular Sina Weibo social networks.
But Flexispy says numerous websites in China are selling imitations of its software. “In a most amazing case, we found a perfect Chinese clone of our website, selling a cracked version of our product,” said Marc Harris, a Flexispy spokesman.
Spyera, a similar product, has also been doing well in China. Chinese users account for 18% of its customers, up from 6% just two years ago, according to the company’s owner, Mihat Oger. In contrast, the US accounts for 38% of its customers.
“Our sales increased 17% from 2009 to 2010 and increased 32% from 2010 to 2011,” Oger said, adding that much of the growth has been driven by increased smartphone sales.
Flexispy and Spyera said they have taken steps to keep their products legal, such as designing them so they can’t be installed remotely. Flexispy warns customers that using its product without the consent of the person being targeted could be illegal, and it highlights what it says are legitimate uses of its product.
“Our marketing is focused on the legitimate uncovering of a cheating partner or the protection of a child’s activities on a mobile,” Harris said. “However, it is a fact of life that virtually everything can be used illegally. The responsibility is with the user, not the product.”
Security vendor F-Secure has labelled Flexispy as malware in the past. Still, while such programs have the potential for misuse, in most cases that have been investigated Flexispy was being used to spy on a spouse rather than something like industrial espionage, said Mikko Hypponen, the chief researcher at F-Secure.
Tyler Shields, a researcher with security firm Veracode, noted that because the data from phones is sent back to a server operated by Flexispy, its usefulness for criminal enterprise is limited. “If I were a malicious hacker, I wouldn’t want all the stolen data to be sent to a Flexispy server. For a criminal, it’s not as much of a useful tool.”
In China, Flexispy and its variants are better known as “XWodi”, which translates as “X-Undercover.” Online searches reveal a long list of sites claiming to sell Flexispy and similar products. Most of these sites, however, are scams, and selling fake spyware products, said Li Tiejun, an anti-virus engineer with Chinese security vendor Kingsoft.
“Some are real,” he said.
The danger of Flexispy being secretly installed on a user’s phone, however, is minimal compared with more malicious spyware reaching handsets in China, he said.
Each month, Kingsoft is finding more sophisticated spyware coming out of the country, Li said. In August it discovered a program that comes buried inside an apparently innocuous Android application, and which recorded phone calls and text messages without the user’s knowledge. It’s unclear why the program was developed. The creators might have been using it to collect data for marketing, which they could then sell to interested parties, Li said.
Several vendors of China’s XWodi were contacted for this story, but all declined to be interviewed. Flexispy and Spyera would not reveal their exact sales figures. But aside from catching cheating spouses, the companies say their spyware products are generally used to monitor employees or track the activities of young children, teenagers, and elderly people unable to care for themselves.
Raihan maintained that he never intended his product to be used for illegal purposes. “There’s enough business in the legitimate market. There’s no need for it to be used in other situations,” he said. Raihan later sold his Flexispy business to another company.
Whatever its merits, he is proof that the software can achieve its goal. After helping to build Flexispy, he gave his girlfriend at the time a mobile phone with the software installed on it. “Yes, she was cheating,” he said. “I’ve used it ever since. It really opened my eyes.”
View full post on National Cyber Security » Computer Hacking