A recent article from Wired: “Hacker Eva Galperin Has a Plan to Eradicate Stalkerware” about Eva Galperin’s efforts to get antivirus vendors to appropriately label the spyware used by perpetrators of Intimate Partner Violence (IPV) caught my eye and made me wonder whether the Mobile matrix of the MITRE ATT&CK framework contains all of the techniques used by this malware. Since the techniques used by perpetrators of IPV have a lot in common with the techniques used against reporters and other activists, as well as with techniques used for digital surveillance for covert operations, I thought chances were good that it is covered.

“Both IPV professionals and survivors feel that they do not possess adequate expertise to be able to identify or cope with technology-enabled IPV, and there are currently insufficient best practices to help them deal with abuse via technology.”

The first thing I did was to try to collect more information about the exact techniques used in the wild. A brief survey shows that interest in this topic is increasing, led by ACM’s 2018 Computer Human Interactions Conference on Human Factors in Computing Systems which included papers:

  • “‘A Stalker’s Paradise’: How Intimate Partner Abusers Exploit Technology”, and
  • “Digital Technologies and Intimate Partner Violence: A Qualitative Analysis with Multiple Stakeholders”

both of which are by the authors Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, and Nicola Dell. These authors also wrote the paper cited by Wired, “The Spyware Used in Intimate Partner Violence”. The latter paper goes into detail about how the spyware is marketed and about the method the authors used to separate benign, consent-based tracking apps (for tracking kids and employees) from the spyware. While it has some details about the actual operation of the spyware, that is not the main focus of the paper. The paper references a Motherboard article on Flexispy, which led me to find this excellent and exceptionally funny write-up about hacking Flexispy’s infrastructure and stealing the code (two years ago), which ultimately led to Fortinet’s analysis of the Flexispy code: “Deep Technical Analysis of the Spyware FlexiSpy for Android”.

“Digital Technologies” enumerates the forms of spying performed by the abuser as “physical stalking facilitated by access to digital location services [33], virtual stalking by remotely accessing cameras on victim devices [31], monitoring of victim contacts on social networks and email [11], and tracking by way of surreptitiously installed spyware on victim devices [24].” The MITRE ATT&CK framework enumerates a set of techniques for “Collection” which largely overlaps these techniques:

  • “access to digital location services” maps to T1430 Location Tracking
  • “Remotely accessing cameras” maps to T1429 Microphone or Camera Recordings
  • “monitoring of victim contacts on social networks and email” maps to T1432 Access Contact List. Email collection, however, exists only in the Enterprise matrix (T1114 Email Collection) and has no counterpart in the Mobile matrix. The concept of accessing social media apps shows up in Flexispy (which supported capture from Facebook, Instagram, Snapchat, Telegram, Tinder, Hangouts, Hike, Kik, Line, qq, Skype, Viber, wa, and WeChat), but appears to be missing from the ATT&CK Mobile framework.
  • “tracking by way of surreptitiously installed spyware on victim devices” brings to mind the tactic of defense evasion. The defense evasion technique of hiding the app’s icon so that the survivor does not realize that the app is installed on their phone also shows up in the original article. This technique also appears to be missing from the Mobile ATT&CK framework and has been submitted for evaluation.

Turning back to the technical analysis of FlexiSpy, many of the techniques described in this paper are covered by the Mobile ATT&CK Framework. The following excerpt describes at a high level what the FlexiSpy app is doing. Annotations have been added to show the attack techniques that I would expect to see in the Mobile ATT&CK framework.

“In order to support all spy features, it’s required that the android device is rooted.[a1] The spy app sets up the startup script. When the device is rebooted, the startup script could be executed to start some daemon processes,[a2] we have analyzed these daemon processes in part 2. FlexiSpy uses FileObserver to monitor database file[a3] and shared preferences file[a4] in private folder in IM apps. Generally, in IM software on mobile device the chat messages are stored as database file. Some databases might not be encrypted like Skype app, it’s easy to execute some SQL sentences to gain the sensitive info related to chat message[a5] after rooting the android device. Other databases might be encrypted like WeChat app, it seems that it’s more secure, but the private key is still calculated via reverse engineering the IM app. Once the private key is got, you can decrypt the database using it….Even when I uninstall FlexiSpy for android app (package: com.android.systemupdate), the spy activity is always ongoing.[a6] I tested Skype and WeChat app after uninstalling the spy app “com.android.systemupdate”, it’s still successful to monitor the chat message for Skype and WeChat. In part 4, we can see the spy functionality is in these daemon processes.”

  1. [a1] Although the Mobile ATT&CK framework has references to rooted phones (T1408 Disguise Root/Jailbreak Indicators), it does not describe a technique of gaining physical access to the phone and then rooting it. It isn’t completely clear why this attack is omitted, but it is pretty common in the industry to omit physical attacks on devices. The Wired article points this out as a gap between the way the security industry handles threats and the way that threats play out in the real world for stalking victims. It is especially acute in this case since the attacker may actually own the phone and have provided it to the victim.

  2. [a2] Covered by T1402 App Auto-Start at Device Boot.

  3. [a3] The Mobile ATT&CK framework covers this type of activity with a fairly broad technique, T1409 Access Sensitive Data or Credentials in Files. We could quibble over whether a database of chat logs is a file, but to me that is a distinction without a difference and this technique is sufficient.

  4. [a4] If we don’t quibble over the difference between file and database, should we then argue that “shared preferences file” represents something else altogether? In this case, since the app is only monitoring the shared preferences, this activity is covered under file monitoring. I would argue that had the app been altering the preferences, a new technique would be needed, but that is not the case with this app.

  5. [a5] Gaining access to third-party chat information seems like a new level of intrusion: the Mobile framework calls out accessing call logs, contacts, and SMS messages separately from accessing data in device logs and files. Third-party communications apps take the place of all of these functions. Again, I can see an argument for lumping this in with the file access technique, but I think there is a real need for the framework to call out malicious apps accessing social media (Facebook, Twitter, etc.) and third-party communication (Line, WeChat, Signal, etc.) content for the purpose of stalking the victim, as this app does.

  6. [a6] This is a very interesting property of this app: even after deletion, it continues monitoring. I would like to see more information on this aspect. Does this behavior survive a reboot? Does it survive an application update? Given that other apps have been reported to exhibit this same privacy-invading behavior, this technique should be represented in the Mobile ATT&CK framework, but it seems to be missing.
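Two of the behaviors above, daemons that outlive the uninstall of com.android.systemupdate ([a6]) and apps that hide their launcher icon, can be screened for from a device's process and package listings. The following triage helper is an added example written for this post, not code from Fortinet's analysis or from MITRE; the process rows, package lines and launcher set are constructed samples in simplified layouts standing in for what a defender would collect over `adb shell`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in a simplified "PID USER NAME" layout (header + rows),
# standing in for `adb shell ps -A -o pid,user,name` output.
SAMPLE_PS = """\
PID USER NAME
1 root /init
812 u0_a42 com.android.chrome
903 root /data/local/tmp/.sysupd/psd
930 root com.android.systemupdate
955 u0_a57 com.skype.raider
"""

# Constructed sample in the `pm list packages -f` line format (apk path=package).
SAMPLE_PACKAGES = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.skype.raider-1/base.apk=com.skype.raider
package:/data/app/com.example.tracker-1/base.apk=com.example.tracker
"""

# Constructed sample: packages that expose a MAIN/LAUNCHER activity, i.e. have
# a visible icon (what a launcher-activity query would list).
SAMPLE_LAUNCHERS = {"com.android.settings", "com.android.chrome", "com.skype.raider"}

PKG_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")

def parse_packages(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` style lines."""
    pkgs = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs

def parse_ps(text: str) -> List[Tuple[int, str, str]]:
    """Parse simplified PID USER NAME rows, skipping the header line."""
    return [(int(p), u, n) for p, u, n in
            (row.split(None, 2) for row in text.splitlines()[1:])]

def find_orphan_processes(ps_rows, installed) -> List[Tuple[int, str, str]]:
    """Flag processes that look app-related but match no installed package: a
    package-style name that is not installed, or an executable under /data/
    whose path names no installed package (the [a6] pattern: spy daemons still
    running after the package itself is gone)."""
    flagged = []
    for pid, user, name in ps_rows:
        if name.startswith("/data/"):
            if not any(pkg in name for pkg in installed):
                flagged.append((pid, user, name))
        elif "." in name and name.split(":")[0] not in installed:
            flagged.append((pid, user, name))
    return flagged

def find_iconless_third_party(installed: Dict[str, str], launchers: Set[str]) -> Set[str]:
    """Third-party packages (under /data/app) with no launcher activity: candidates
    for the hidden-icon technique. Benign background services also lack icons, so
    this is a review list, not a verdict."""
    return {pkg for pkg, path in installed.items()
            if path.startswith("/data/app/") and pkg not in launchers}
```

Run against real captures, the orphan list is the one to review first: a root-owned daemon under /data/local/tmp that no installed package accounts for is exactly the footprint the Fortinet quote describes.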

All in all, I would say that while we did find some gaps in the Mobile ATT&CK Framework, there is enough there that FlexiSpy could be detected if a mobile anti-virus app had full coverage for detecting these techniques. Now that MITRE has started evaluating defensive software against the Enterprise Matrix, perhaps Mobile evaluations could be next. This would go a long way towards providing a systemic, standards-based mechanism for helping Eva Galperin achieve her mission and make us all a little safer.