Newsletter 1: January 8th 2024

Happy 2024! I started a newsletter. Because why not. The goal is to send it weekly, covering one main topic followed by some smaller ones and some non-security related things, because there are so many other things that matter in life. We'll see how that goes.
The target audience is anyone working in digital security, in particular those working with (or being part of) at-risk people and communities. Which is why I call it "digital security" rather than "cybersecurity" I guess, for that is how things work.

Martijn
(martijn@lapsedordinary.net)

There's an app for that

"Could someone be spying on me through my phone?" It is a common concern, often backed up by ‘evidence’, such as a misbehaving phone, data seemingly leaking, or a threat made by an abusive (ex-)partner.

Spyware and stalkerware (off-the-shelf spyware, used in abusive relationships) are real. But not every concern or threat made means there is actually something malicious running on the phone. And doing some basic triage on a phone is often surprisingly easy.

It boils down to the fact that everything that runs on a phone is an app. And app behavior is restricted by the mobile operating system: iOS or Android. I'll focus on the latter today, but as a general rule, iOS (which runs iPhones and iPads) is even more strict about what it allows apps to do.

The first restriction Android applies to apps is that apps need to be granted permission to do something potentially invasive: from reading files stored on the phone to accessing the camera and microphone and from seeing phone call logs to accessing the phone's location.

So if, for example, you use Zoom for meetings, the Zoom app will ask you whether it can have access to the camera and microphone. This isn't because Zoom is nice enough to ask: without this permission explicitly granted by you, the phone simply won't give it the required access, no matter the app developers' intent.

The second restriction is that each app appears in the phone's app list, accessible through the settings, and that for each app you can see which permissions have been granted.

So if you're concerned that someone has 'hacked' your phone to track your location, this would have to be done through an app, and you can check which apps have been granted this particular permission. Then, for each of them, you can see whether it is something you installed yourself.

(Among the apps on your phone, you will see many that you didn't install yourself: these are pre-installed apps that came with the phone. Some of them have been granted certain permissions already. If you want to see whether a particular app was pre-installed, look for it in the app list and then, on its own page, see at the bottom whether you're able to delete it. If not, it was pre-installed.)

You don't even have to go through the list of apps: for each permission, you can see which apps have been granted it. Thus a question like "which apps have access to the microphone?" can be answered through a simple search. I wrote a bit more on this in the Field guide to incident response we published with Internews last year, in Chapter 8.
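The same check can be done from a computer with a USB cable and Android's adb tool, which is handy when you triage several phones or want a record of the result. The script below is an added example written for this newsletter, not something from the original post or from Android itself. It parses the output of `adb shell dumpsys package` (where each package lists its permissions with `granted=true` or `granted=false`, and pre-installed packages carry a SYSTEM flag) and prints every app that holds a given permission, marking whether it came with the phone. The package names and the dumpsys fragment are constructed sample data so the script runs without a device; with `--live` it reads from a connected phone instead.

```shell
#!/bin/sh
# Constructed sample of `adb shell dumpsys package` output, trimmed to the
# lines this script cares about. Package names are hypothetical.
SAMPLE_DUMPSYS='Package [com.example.maps] (abc123):
  userId=10123
  pkgFlags=[ SYSTEM HAS_CODE ]
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.unknowntool] (def456):
  userId=10124
  pkgFlags=[ HAS_CODE ALLOW_BACKUP ]
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (ghi789):
  userId=10125
  pkgFlags=[ HAS_CODE ]
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
'

# granted_apps PERMISSION
# Reads dumpsys package output on stdin and prints one line per package
# that has PERMISSION granted, tagged as pre-installed (SYSTEM flag) or
# user-installed. Pre-installed apps holding the permission are expected;
# an unfamiliar user-installed app holding it is what deserves a closer look.
granted_apps() {
  perm="$1"
  awk -v perm="$perm" '
    # A new package block starts; remember its name and reset the flag.
    /^Package \[/ {
      pkg = $2; sub(/^\[/, "", pkg); sub(/\]$/, "", pkg); system_app = 0
    }
    # The pkgFlags line tells us whether this package shipped with the phone.
    /pkgFlags=/ && /SYSTEM/ { system_app = 1 }
    # Exact-substring match avoids treating dots in the permission name as wildcards.
    index($0, perm ": granted=true") > 0 {
      print pkg (system_app ? " (pre-installed)" : " (user-installed)")
    }
  '
}

# Usage: ./perm_triage.sh [--live] [PERMISSION]
# Without --live the constructed sample is used, so the script runs offline.
PERM="${2:-android.permission.ACCESS_FINE_LOCATION}"
if [ "${1:-}" = "--live" ]; then
  adb shell dumpsys package | granted_apps "$PERM"
else
  printf '%s' "$SAMPLE_DUMPSYS" | granted_apps "$PERM"
fi
```

Run it as `./perm_triage.sh --live android.permission.RECORD_AUDIO` to list which apps on a connected phone may use the microphone; USB debugging must be enabled on the phone first. The output is the same list the Settings app shows under the permission, but it can be saved alongside the rest of a triage write-up.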

There are a few caveats to make. The first is that sometimes, more often on cheaper phones, malicious apps come pre-installed. These can be a privacy concern and a good reason to avoid such phones (if financially feasible, of course), but it's less likely to be linked to targeted spying.

A second caveat is that legitimate apps, or the services behind them, can sometimes be hacked* and this gives the hacker access to the private information this app has access to. If, for example, Google Maps tracks the live location on a phone, then anyone with access to the corresponding Google account has access to that location, without the need for any malicious app to be installed.

And thirdly, very advanced spyware such as Predator runs at a lower level and doesn't come as an app. Unfortunately, finding such spyware on Android is notoriously hard, though the good news is that it is also very expensive to use (think tens of thousands of dollars per user). That excludes the vast majority of people as potential targets.

*Note that in practice, 'hacked' often doesn't involve anything technical. It can involve tricking someone into doing something, or having temporary access to their device.

What else?

Amnesty Tech published forensic evidence that proves the use of the Pegasus spyware against two journalists in India in August and October 2023. The analysis is important as the Indian government had suggested Apple, which had warned the journalists they may have been targeted by state-sponsored hacking, was wrong. The forensic analysis may also be helpful to those performing such analyses themselves.
One important takeaway from the analysis is that one infection attempt failed because the phone had been fully patched and the exploit (BLASTPASS) only worked against earlier iOS versions. This highlights the importance of keeping iOS up to date, even if one's concern is threats like Pegasus, which infamously uses zero-day exploits that work against the latest iOS versions.

Speaking of Pegasus, last month TechCrunch's Lorenzo Franceschi-Bicchierai wrote that Apple is not aware of any successful hack of an iPhone where lockdown mode was enabled. Lockdown mode reduces the attack surface on iOS by limiting its functionality and this shows how effective it is at blocking advanced spyware like Pegasus even if the reduced functionality makes it less popular with many users, including some who are targets of things like Pegasus.

If you're concerned about the security of Macs, and Mac malware in particular, you will hopefully be familiar with Patrick Wardle's Objective-See, which offers free tools for protection and forensics and keeps track of all the new Mac malware. To look back on 2023, Patrick listed all the Mac malware found during the year. Unsurprisingly, a lot of it targets users of cryptocurrencies, but there are also some more interesting samples that are worth looking at, such as NokNok, which appears to be developed by the Iran-linked Charming Kitten (APT42) group and whose targets included a US-based think tank.

When analysing (potentially) malicious URLs, it's always good to keep in mind that URLs merely point to a resource somewhere on the web and that it's possible for this resource to change behaviour over time. A blog post by Trellix lists some ways this is used to evade detection and then describes a new evasion method, where a URL returns harmless content when a security product analyses it and malicious content when it is subsequently opened by the human target. It's good to keep such examples in mind when you investigate URLs: just because you don't see anything malicious happening when you open it (in a safe environment, hopefully), it doesn't mean that the same happened to everyone else.

Non-security things

A book I enjoyed: over the Christmas holidays, I read Ghaith Abdul-Ahad's A Stranger in Your Own City, which covers Iraq in the two decades since the 2003 US-led invasion. It is one of the best books I read last year and a must-read for anyone interested in the country or wider region. Abdul-Ahad is a journalist who started working for Western media from the start of the invasion, which makes him both an insider and an outsider and gives him the right perspective to tell this story. It's not a happy story but one that needs to be told and I'm grateful to Abdul-Ahad for doing so. No matter how bad the situation in a country is, a Western invasion is always able to make it worse.

A song I liked: Odezenne - Souffle le vent (Bandcamp - Spotify - YouTube).
Wikipedia describes the sound of Bordeaux's Odezenne, which I discovered in a playlist of French hiphop, as "notably eclectic", which is the kind of thing you say when you don't know how to describe music. In any case, I find their synth-y hiphop, and this song in particular, pretty addictive and listening to it is good for my French.