Insider Insights

R. Paul Wilson On: How To Avoid Falling Victim To Trojan Malware

R. Paul Wilson On: How To Avoid Falling Victim To Trojan Malware
By R. Paul Wilson July 12, 2022
4 minute read

It’s no secret or surprise that most of us carry an entire suite of surveillance devices in our pocket.

But while most people assume this software and technology is available only to the user to use (and abuse) many of us have learned that bad actors have found ways to access those devices.

Through multiple means, software can secretly be loaded onto your phone, tablet or computer that will allow all sorts of access to your data, camera, location, and microphone.

The question is how these ‘viruses’ get onto your devices and how to avoid falling victim in the future.

Dodgy Apps That Steal Your Data

If you’re reading this, there’s an excellent chance you’re already hip to how seemingly simple software applications downloaded from the internet can contain hidden programs designed to capture private information and share it with unknown sources.

Perhaps the most famous of these were a flurry of ‘flashlight’ apps that activated the LED next to the camera on your phone so you could find your keys (and the lock) at three o’clock in the morning.

While these apps only appeared to turn a light on and off, many were also making requests for access within your device that can only mean they were harvesting private data.

According to some reports, many apps were requesting an average of 25 five permissions in order to function, none of which were required to activate the flashlight itself.

One app was downloaded and installed over 1 million times and had 76 requests to access contacts, camera, microphone and other areas of your device you would rather not share with strangers.

Some requested to record audio, access contact lists and even write to those contact lists.

At best, these apps were engaging in an intrusion of privacy, sharing data with unknown recipients for unknown purposes but at worst they might be actively monitoring everything you say, do and see.

Many phone operating systems now include a flashlight app that does exactly what it claims but as hackers get more sophisticated, malware can be found in all kinds of apps and on all platforms.

Android vs. OS X

It’s pretty clear that Android apps suffer a lot more from malware since the process of adding new software to the Google Play store is less stringent and has fewer checks than the Apple App Store, but unexpected activity can be found on apps from both sources.

Malware is not only installed as part of another app but can be injected onto your device if you click on a link or website that can access vulnerabilities in your device.

Beware of any app, game or utility that contains ads as your data or behaviour may be shared with companies providing the developer with ad revenue.

And you should think twice before downloading any app from any unknown developer.

Software For Both Good And Evil

trojan malware

Injecting millions of phones with some form of covert software is not just the pastime of small groups of hackers looking to sell your data or watch you get dressed in the morning.

Governments around the world have been licensing software that can access almost any phone.

This can be injected onto OS X devices using previously unknown flaws in the operating system that allow the malware to be secretly installed and gain full access to the device, even remotely.

This same software was also found on Android devices and has been used by all kinds of users, from members of the intelligence community to private companies all with seemingly good justification.

But the software in question has already turned up in several episodes that make its very existence a real concern for all of us.

After journalist Jamal Khashoggi was murdered and dismembered, investigating journalists found multiple attempts to place this advanced form of surveillance software on phones belonging to people close to Khashoggi, including his wife.

Whether or not they were successful is uncertain but phones were certainly targeted with links to inject this malware so it’s entirely feasible that Mr. Khashoggi’s own phone and those of his wife and close contacts played a part in his ultimate demise.

This same software is used globally to secure secrets and trace targets and while the company that maintains the software claims no responsibility, it is certainly offering a tool for both good and evil.

It’s important to note that the software providers denied any involvement in the Khashoggi affair and while this may be true, their product can obviously be used for reasons they might never endorse.

Always Be Alert

The problem with breaking safeguards designed to protect the privacy of everyday users is that once a tool is created for nation states, the cracks that tool create in the general safety of a device and the software operating within it can be far-reaching.

New and creative methods for circumventing software protections are appearing every day.

While some are based on ingenious code with concealed purposes, there’s one very common factor in almost all such breaches of private security: You.

Flashlight apps with onboard malware only works when people choose to download and install without really thinking about where such apps come from.

Links to inject intelligence-gathering malware only work when they are clicked without questioning who sent them, why, and for what purpose.

How many times have you opened a link sent by a friend without wondering if it might not be from who you think it is?

The problem is that even if you’re over-cautious, there’s that one time you click without thinking because a nasty link appears in concert with legitimate activity and seems to be part of another conversation or communication.

Many people who get conned by opening a bogus link to their bank do so because they were already in contact with their bank and this link seemed to make sense at the time.

The people who sent that bad link probably sent millions of emails and only need a few to get lucky either because the victim is ignorant of their own online security or was just talking to the same bank that was being spoofed in that dodgy email.

You’re Being Tracked Everywhere

So be aware that your personal, financial, and live data might compromised at any time thanks to that expensive little spy in your pocket.

Or perhaps by the phones in your friends’ pockets, or on the poker table, or beside you on a plane, or behind you in a coffee shop – or anywhere you might be in modern life.

I should probably say there’s no need to be paranoid, but the truth is— there’s plenty of reason to be paranoid.