Miami TV Station Shows How Easy it is to Spy on Cell Phone Calls, Read Others’ E-Mail

Stephen Stock, investigative reporter at WFOR-TV in Miami, sent me a story he just aired that shows how easy it is for somebody to plant “malware” on your cellphone. The code allows the “spy” to read every e-mail or instant message you send. The spy can also listen in on your conversations without your knowledge. And even if you turn the phone off, the spy can call in and listen.

It took only about 90 seconds for the spy to load the “malware” on another phone. What’s more surprising, the spy doesn’t even have to touch your phone. The corrupting code can be delivered by Bluetooth wireless technology. The code is only four lines long.

Stock reported:

“To find out exactly how this all works, the CBS4 I-Team bought and installed several versions of spyware on anchor Jawan Strader’s blackberry. We did all of this with his knowledge and participation.

“During the installation and running of some versions of the software the I-Team ran into several glitches. Sometimes the software allowed us to ‘spy’ and sometimes it didn’t.

“The I-Team discovered this type of spyware doesn’t always work on all cell phones. The older and less sophisticated the phone, apparently the harder it is to use them to ‘spy.’

“But once the I-Team got the software working, the capability was scary. The I-Team could read all of Jawan’s e-mails. The I-Team read all of his text messages.

“I-Team investigator Stephen Stock also got alerts on his cell phone every time Jawan got a call, an e-mail or a text. That way Stock could monitor Jawan’s incoming communication at all times.

“And even though Jawan met … behind closed doors with news director Cesar Aldama and assistant news director Nick Bourne, even with the blackberry turned off, investigator Stock could still dial in and listen to the conversation while standing several miles away.”

I interviewed Stock via e-mail to get more answers that could help you tell this story:

Al Tompkins: How common is the malware?

Stephen Stock: It is very common. A simple search on the Internet yields many offshore companies that will sell you this software to load onto people’s phones. Sources within federal law enforcement and the intelligence community tell me that this type of technology has been around for more than 15 years. It’s just now being used by “the public” in this manner.

Who seems to be the most likely target?

Stock: The companies that sell this malware/spyware often make the pitch to husbands or wives who suspect their loved one is cheating on them. They also “pitch” to parents to “monitor” their children’s activities using this technology. According to Tim Wilcox of International Investigations, Inc., out of Indianapolis, this spyware is also being used by some companies to monitor employees using company- issued cell phones, in civil litigation by parties trying to “learn more about the other side” and even by some companies to “learn more” about a competitor’s bids in [a] competitive bidding process or to learn more “propriety information.”

Do I understand the story right that you don’t have to touch my phone to load this code into it?

Stock: Yes. The most common way to load this spyware onto a phone is to actually get your hands on it and download the application. It can take less than a minute, and only seconds if you know what you are doing.

But, yes, Assistant Professor Richard Mislan of Purdue University tells me that this malware can be sent by someone with skill and knowledge in this technique by an e-mail attachment — a type of Trojan horse in an e-mail attachment that if opened can almost instantly be loaded onto your cell phone remotely.

How can I stop you from loading malware onto my phone?

Stock: It’s very hard to stop if someone who wants to load the spyware onto your phone knows what they are doing. As my live tag indicated, there are several things you can do to help prevent this.

Always use a password to log onto your cell phone and change it often. That one password can slow down and even stop attempts to get spyware on your phone. With a password, the “bad guy” can’t get access to your program applications and can’t remotely access your applications. Now, if you then open an e-mail attachment that contains a Trojan horse, it doesn’t matter what your password is, as your phone is already compromised.

So that’s step two. Never open e-mail attachments from people you don’t know or even attachments you don’t recognize from people you know, using your cell phone.

Third, don’t leave your phone out of your sight in public. One expert was able to load the spyware on a fellow reporter’s phone when she stepped out of the newsroom to go live on the air. Another one loaded the malware on a reporter’s phone when that reporter went to the bathroom.

In fact, to be perfectly safe, the experts tell me the best way to use a cell phone is to buy a cheap throwaway phone from Wal-Mart or other retail outlet, use it a couple of months and throw it away, then buy another phone with another number.

People have actually bought brand-new phones, hoping to defeat this … but then they use their same SIM card, move it from the old phone to the brand-new phone, and transfer the spyware (on the SIM card) to the new phone.

Short of taking my phone to an expert to get it checked out, is there any way for me to know if you have tapped my cell phone?

Stock: The simple answer is no. As the story shows, this malware “hides” among millions of lines of code. And Tim Wilcox and Daniel Smith tell me that unless you know what to look for, it is darn near impossible to find. In fact, the experts themselves sometimes spend months trying to find those short lines of code that hide the spyware program behind it. Other spyware actually allows a malware search program to find it and destroy it. But guess what? This doesn’t work.

Why? Because the malware program that is actually working in the background is a different program. So while you think you’ve found that bad bug and destroyed it, it has actually fooled you and the programmer and you haven’t actually destroyed the real program responsible for the spyware. You’ve just destroyed and gotten rid of a Trojan horse meant to fool you.

Remember, there are hundreds of these types of malware out there, and so finding the exact one among millions of lines of code on your cell phone can be a big task.

Is it a crime to do this to somebody’s phone?

Stock: Yes. It is illegal to do this without a warrant in the United States. That’s why these companies that sell this malware are offshore. And many of their websites carry a disclaimer saying “it is not intended to be used illegally,” etc.

But Tim Wilcox says he gets three to four complaints from “victims” every day. He says his experience and research show there are 5 to 6 million people with spyware on their cell phones at any one given time.

Not only are some people using this illegally in the private sector, as our research showed, federal investigators are also using this technology without a warrant and without establishing legal probable cause.

Hard as it is to believe, according to several different court cases in Texas, West Virginia, Pennsylvania, New Jersey, Maryland and New York, federal agents have been caught using this spyware technology and other technology like it to spy on private citizens without getting a warrant, without legal probable cause and without even using the provisions of the Patriot Act. And we’re talking about spying on American citizens in real time — not getting warrants to get past phone-call records or past location pings on cell-phone towers.

The ACLU predicts this issue will go all the way to the U.S. Supreme Court. And its leaders in Washington worry that the public doesn’t understand or fully appreciate the implications of the ability to spy on them.

We have made it easy to comment on posts, however we require civility and encourage full names to that end (first initial, last name is OK). Please read our guidelines here before commenting.