The Bug in Your Pocket: Remote Listening Applications for Mobile Phones

Posted by MarkWeingarten on Jun 10, 2011

We've heard much recently about information that is being tracked by mobile phone companies (see our recent post) and app developers. However, there are more overt security threats that are potentially more dangerous.

One of these threats is referred to as either a “roving bug” or a “remote listening” application. It is essentially the same concept as a conventional audio bug, except that it requires no hardware other than a smartphone. Once installed, remote listening software enables a third party to call a phone, activate its speakerphone capabilities, and secretly transmit any sounds picked up by its microphone to another phone number, where they can be monitored and recorded.

While this is happening, the bugged phone does not give any indication that it is in use, and the app can be hidden or look like an operating system update. Disturbingly, some applications enable audio to be transmitted even when the bugged phone is powered off.

This type of software was used by the FBI to monitor communications of suspected mafia members and was determined by the US district court of South Dakota in 2006 to be a legal means of surveillance under the federal wiretapping law in the United States.

Surprisingly, “roving bugs” are currently legal for use by citizens in the United States and are sold online, ostensibly to monitor children or “catch cheating spouses”. They are even popular enough to warrant a list of the “best”. One popular application’s website includes this quote:

“Thanks to [name of product deleted] I finally figured out my wife was cheating on me with my brother. I had a bad feeling about this for over a year. After the divorce, my life is so much better...”

How are “Roving Bugs” Installed?

Many of the commercially available programs require physical access to be installed. This is used as a defense by the producers of these products, who claim that they cannot be classified as malicious applications if they are installed purposefully. However, the fact that the installed programs are generally hidden makes one wonder about who is installing them and whether the owner’s permission was a factor. In fact, FlexiSpy (completely legal in the US) is currently classified as spyware by Symantec and as a Trojan application by F-Secure.

Roving bug applications can also be installed remotely. According to an article in PC World:

“One way to entice a BlackBerry user to download spyware onto their smartphone is by offering a free application that appears to be a game or some other harmless software, but in fact carries a dangerous payload. Enticing slideshows are even easier to get users to accept...”

Alternatively, phones are now being sold with remote listening applications pre-installed in them. An Italian organization called Endoacustica is marketing these as a way to “protect your kids from drugs and bad companies...” As noted on its website:

“It's possible to program a privileged number in an inner secret menu of this spy cell phone. When the spy cell phone receives a call from this number, instead of ringing as a normal cell phone, it will go into remote listening mode and we'll be able to listen to environmental conversations. During remote listening the cell phone will look as in stand-by conditions and it's not possible to perceive that there's an environmental listening going on. When any other number calls the spy phone, it rings and operates as a normal telephone.”

Endoacustica also currently offers one model that is advertised to work as a roving bug specifically when switched off. Interestingly, the phones sold by this company, while fully featured, would not be considered smartphones.

Ways To Protect Yourself

While these products are generally marketed as means to covertly monitor the communications of one’s family members, it is easy to imagine the threats they could pose to high-risk individuals, such as activists, journalists, and human rights defenders. Thankfully, there is currently no evidence to suggest widespread use of remote listening applications by repressive governments. However, for those concerned about the possible risks, we have the following suggestions:

  • Download apps from trusted sources only.
  • Be sure you know the sender before opening attachments, especially multimedia files.
  • Periodically take a look at the apps installed on your phone, and uninstall any that you don’t recognize.
  • Don’t leave your phone unattended. Ever.
  • Consider a wipe of your phone if you are suddenly experiencing dramatic battery drain or periods when your phone is heating up unexpectedly.
  • In particularly sensitive situations, don’t leave your phone where it could potentially pick up audio. Remove the battery if you have it near sensitive conversations.

Lastly, keep your eye out for Part Two in this series, in which we will investigate the technical capabilities of a number of these applications, evaluate the risks posed by each, and provide additional recommendations.

Image via Flickr user P^2 - Paul
