Protecting Yourself From Spyware
Your business has a strong security culture: but is it safe from the silent menace of spyware?
Today’s threat actors are using spyware to steal both corporate and military secrets — fueling the $12 billion mercenary spyware industry.
Alarmingly, corporate espionage is no longer confined to traditionally critical industries like defense or pharmaceuticals.
According to the FBI, economic espionage costs the U.S. economy hundreds of billions of dollars annually, and any company with a proprietary product can be a target.

What Is Spyware?
On April 10, 2024, iPhone users in 92 countries woke up to the troubling message that they were the likely targets of a mercenary spyware attack.
If you’re an Android user, don’t celebrate yet: the NSA warns that both Android and Apple iPhones can be susceptible to zero-click exploits that infect devices with spyware.
According to the 2023 Hiscox Cyber Readiness report, 70% of SMBs worry about insecure handling of data — and for good reason. Businesses with fewer than ten employees have experienced a 36% increase in attacks in the last three years.
Read on to find out what security vulnerabilities spyware exploits and your best defense against this type of malware.
Definition of spyware
First, what does spyware do?
In a nutshell, spyware is malicious software that monitors your online usage without your consent.
It runs quietly in the background — recording keystrokes, purchasing history, browsing habits, network traffic, authentication credentials, and payment info. It then transmits all of the above data to third parties.
How Spyware Works
Threat actors use two primary methods to plant spyware on your device:
Social engineering. This refers to deceptive tactics that trick users into making critical mistakes that put their most sensitive data at risk.
For example, in an evil twin phishing attack, the hacker sets up a fake Wi-Fi access point that mimics a free public Wi-Fi connection provided by a library, airport, mall, or college campus.
The hacker also sets up a counterfeit captive portal that prompts an “update” before using the Wi-Fi network. However, the “link” you click is spyware in disguise.
Other social engineering methods include pharming, whaling, spear phishing, vishing (voice phishing) and smishing (SMS phishing).
In such instances, hackers pose as banks, trusted organizations, legitimate websites, or delivery services to trick you into installing spyware disguised as updates.
According to VIPRE’s 2024 Email Security report, users become victims when they fail to recognize spoofed URLs of top companies like Microsoft, Apple, DHL, Google, DocuSign, Amazon, and Dropbox.
Exploits that take advantage of security vulnerabilities. Commercial surveillance vendors (CSVs) that sell spyware capabilities were responsible for 60% of the 37 zero-day vulnerabilities that led to data exfiltration from browsers and mobile devices in 2023.
Even more disturbing, 50% of all known zero-day exploits can be attributed to CSVs that install spyware in the Android, iOS, Chrome, Firefox, and Microsoft Defender platforms.
Common examples of spyware
By now, you may be wondering, “What are the types of spyware?” or “What are common examples of spyware?”
Modern spyware generally falls into these categories:
- System monitors such as keyloggers
- Browser hijackers
- Trojans such as banking trojans, mobile spyware, and infostealers
Spyware attacks vary in complexity and the types of data they target, but all pose significant risks to your business.
Types of Spyware
Not all spyware is illegal. Some forms of spyware that are legal include:
Parental control software: Parents can legally use parental control apps to monitor their children’s online activities. Examples include:
- Net Nanny: available for iOS & Android; includes web filtering and social media activity monitoring
- Qustodio: available for iOS, Android, Macs, PCs, and Chromebooks; includes text & call monitoring, content filtering, app blocking, and screen time limits
Employee monitoring software: Businesses use these tools to monitor employee activity on corporate devices to ensure compliance with internal policies. Examples include:
- Insightful: monitors time employees spend productively at their workstations
- Veriato: protects sensitive corporate data and intellectual property
Law enforcement tools: Government agencies and law enforcement use these tools for surveillance and forensic analysis. Examples include:
- Cellebrite: extracts data from mobile devices for forensic analysis, which provides an auditable chain of custody for defensible evidence in court
- Magnet Forensics: streamlines forensic investigation workflows with a digital forensics platform
Unfortunately, the majority of commercial surveillance vendors are selling spyware for malicious purposes, leading 15 countries to join the U.S. in placing export controls on spyware technology.
So, how do hackers use spyware?
Keyloggers and screen recorders
Keyloggers track every keystroke you make, capturing login credentials, screenshots, images, text messages, and other sensitive information.
Meanwhile, screen recorders take real-time screen captures or recordings of your screen activity.
In 2023, the BlackMamba keylogger bypassed an industry-leading endpoint detection and response (EDR) system to steal usernames, passwords, and credit card information. The spyware then exfiltrated this data to a malicious Microsoft Teams account.
The attack wasn’t immediately detected because BlackMamba is a polymorphic keylogger: it regenerates its keylogging code each time it executes, so there is no fixed signature for an EDR to match.
This type of keylogger represents a new era of malware that uses large language models (LLMs) to synthesize the spyware it installs on host systems.
Adware and browser hijackers
Browser hijackers can force your browser to redirect to malicious sites or search pages that churn out manipulated search results. Hijackers can serve up ads, as well. When you click on a link, you may unintentionally install spyware on your device.
Notably, browser hijackers are known as adware (advertising-supported software) when your search generates persistent, unwanted pop-up ads.
The main difference between browser hijackers and adware is this: browser hijackers directly modify browser settings, while adware works within a browser to generate revenue for adware creators through ads. All browser hijackers are adware, but not all adware is a browser hijacker.
The world’s first browser hijacker, CoolWebSearch, appeared in 2003 and was notorious for its persistent and intrusive nature. Today, browser hijackers can change your default search engine to malicious ones like Poshukach or Search Marquis.
Poshukach can infect Windows, Mac, and Android platforms, serving up intrusive ads that act as a vector for infecting your device with spyware and trojans. Learn how to remove Poshukach safely from your device.
If you find yourself redirected to Search Marquis on Chrome or Safari, your Mac may be dealing with a browser hijacker. You can remove it safely with the right tools.
Trojans and backdoors
Trojans disguise themselves as legitimate software, deceiving internet users into downloading and installing them.
Once installed, they create backdoors that allow cybercriminals remote access to your personal data, login credentials, and payment info.
For example, torrenting itself may be legal in the U.S., but illegally downloading copyrighted music or movies over P2P networks can expose you to spyware that acts as a backdoor to your device.
Meanwhile, IcedID is a banking trojan that uses man-in-the-browser attacks to steal financial data, take over banking accounts, and automate fraudulent transactions.
Mobile spyware or malware is another type of trojan. Since 2019, APT (advanced persistent threat) groups connected to North Korea, Iran, and China have used mobile spyware to steal trade secrets from East Asian, Western European, and North American telecommunications and chemical manufacturing entities.
The most infamous example of a trojan or backdoor is Agent Tesla, which initially spread through malicious email attachments. This .NET-based Remote Access Trojan made its first appearance in 2014 and was implicated in several malicious COVID-19 email scams. Currently, hackers are combining Agent Tesla with Taskun (an Agent Tesla facilitator) to target Microsoft Office and Windows products.
How Spyware Infects Your Devices
Drive-by downloads
Drive-by downloads occur when you unknowingly visit a malicious website that downloads spyware onto your device.
For example, TA571 threat actors perpetrated drive-by download attacks by delivering malicious payloads like NetSupport, Matanbuchus, Amadey Loader, DarkGate, and Lumma Stealer to browsers.
Here’s how it works: You see a fraudulent Google Chrome update request when a web page fails to load. When you click on “how to fix,” you’re told that you must install a “root certificate.”
You’re then directed to copy a PowerShell script onto your Windows Clipboard and to run it in a Windows PowerShell Admin console. This script secretly launches a spyware download to your device.
TA571 threat actors are also using fraudulent Microsoft Word and OneDrive errors to install spyware on user devices.
Email attachments and phishing scams
Spyware can also spread through email attachments.
These emails often appear to be from trusted sources, tricking users into opening attachments or clicking on malicious links.
According to the VIPRE 2024 Email Security report, HTML attachments accounted for 52% of all malicious attachments; PDF attachments came second at 26%. Most troubling of all, .eml attachments made the list for the first time, at 20%. Malicious EML payloads can bypass basic email security solutions — and they increased tenfold in Q4 2023.
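One reason .eml payloads slip past basic filters is that the real attachment sits inside a forwarded message rather than at the top level. The following added example (not code from the original post or from LastPass) uses only Python’s standard library to build a constructed sample message with an HTML attachment and a nested .eml carrying a PDF, then walks every MIME part so that nested attachments are reported too; the HIGH_RISK_TYPES set simply mirrors the three attachment types the report cites.

```python
import email
from email import policy
from email.message import EmailMessage

# The attachment types singled out by the VIPRE figures above; message/rfc822 is a .eml.
HIGH_RISK_TYPES = {"text/html", "application/pdf", "message/rfc822"}


def build_sample_message() -> bytes:
    """Constructed sample: an HTML attachment plus a forwarded .eml that carries a PDF."""
    inner = EmailMessage()
    inner["Subject"] = "Invoice"
    inner["From"] = "billing@example.net"
    inner["To"] = "user@example.com"
    inner.set_content("Invoice attached.")
    inner.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    outer = EmailMessage()
    outer["Subject"] = "FW: Invoice"
    outer["From"] = "partner@example.net"
    outer["To"] = "user@example.com"
    outer.set_content("See the forwarded message and the attached form.")
    outer.add_attachment(b"<html><body>constructed placeholder</body></html>",
                         maintype="text", subtype="html", filename="form.html")
    outer.add_attachment(inner, filename="forwarded.eml")  # becomes a message/rfc822 part
    return outer.as_bytes()


def collect_attachments(part, depth=0, out=None):
    """Walk every MIME part, descending into message/rfc822 so nested payloads are not missed."""
    out = [] if out is None else out
    ctype = part.get_content_type()
    if part.is_attachment() or ctype == "message/rfc822":
        out.append({"filename": part.get_filename(), "type": ctype, "depth": depth,
                    "high_risk": ctype in HIGH_RISK_TYPES})
    if part.is_multipart():
        # A message/rfc822 part wraps a whole message: everything below it is one level deeper.
        nested = depth + 1 if ctype == "message/rfc822" else depth
        for sub in part.get_payload():
            collect_attachments(sub, nested, out)
    return out


def triage(raw: bytes):
    """Parse raw message bytes and return all attachment findings, nested ones included."""
    return collect_attachments(email.message_from_bytes(raw, policy=policy.default))
```

A filter that only inspects top-level parts would see form.html and forwarded.eml but never invoice.pdf; the depth field shows which findings were hidden inside the .eml.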
Untrusted Software Sources
Downloading software from untrusted or unauthorized sources is a common way for spyware to infiltrate your device.
These sources often bundle legitimate software with malicious programs. For example, spyware authors or developers include adware as part of a free software package. The spyware loads without your knowledge, serving up a plethora of unwanted pop-up ads and secret transfers of your data to third parties.
In 2017, the Fireball adware infected 250 million systems and created havoc on corporate networks worldwide. Learn how to remove adware safely.
Recognizing and Detecting Spyware
Amidst growing digital dangers, the global parental monitoring app market is slated to grow from $1.1 billion (2023) to $2.3 billion (2030).
These consumer-grade spyware apps are often touted as safe and revolutionary. However, if you or your employees use these apps, your mobile devices could become conduits of data exfiltration.
Thus, your ability to detect spyware is key to protecting your business and trade secrets.
Below, we reveal the three most common symptoms of spyware.
Unusual computer behavior
One of the first signs of spyware infection is unusual computer behavior. This can include unexpected crashes, random error messages, or strange desktop icons appearing on your operating system’s main interface.
If your cursor moves erratically or a flurry of applications open without input, it could also indicate a spyware infection.
Slow performance and excessive pop-ups
Spyware often causes your device to slow down significantly. For instance, infected iPhones become sluggish and drain their batteries faster.
You may also notice an increase in pop-up ads.
In fact, ad-based spyware threats are increasing in both frequency and severity.
For instance, malvertisers are injecting malicious code into legitimate ads to distribute spyware such as Aurora Stealer. When users click on these compromised ads, it can trigger a series of unwanted pop-ups or redirects.
Spyware like Aurora Stealer is launched when users click on popunder ads on adult content websites. The primary purpose is to collect valuable data that can be used to perpetrate financial fraud or identity theft.
Unexpected network traffic
Monitoring your network traffic can help detect spyware. If you notice a significant amount of data being sent or received without active online activity, it could be a sign of spyware uploading your data to third parties.
For a multi-layered defense strategy, consider integrating the following open-source tools:
- OPNsense (firewall and routing platform)
- Zeek (network traffic analyzer)
- Suricata (high-performance intrusion detection and prevention system)
- Arkime (network analysis and packet capture system)
- Wazuh (security platform with XDR and SIEM protection for endpoints and cloud workloads)
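To make the “unexpected network traffic” symptom concrete, here is an added example (not code from the original post or from any of the tools listed) that reads Zeek conn.log records and flags hosts whose hourly outbound volume and upload-to-download ratio look like a data transfer to an outside party, noting whether it happened outside working hours. The log lines, the internal address ranges, and the thresholds are all constructed assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample in Zeek conn.log format (a subset of the real #fields header):
# 10.0.0.5 browses normally at noon; 10.0.0.7 pushes about 79 MB out at 23:00 UTC.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1712750400.0\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\t2400\t-
1712750460.0\t10.0.0.5\t51001\t192.0.2.10\t443\ttcp\t1800\t96000
1712790000.0\t10.0.0.7\t52000\t198.51.100.9\t443\ttcp\t48000000\t9000
1712790060.0\t10.0.0.7\t52001\t198.51.100.9\t443\ttcp\t31000000\t7000
1712790120.0\t10.0.0.7\t52002\t10.0.0.20\t445\ttcp\t90000000\t4000
"""

# Assumed tuning values: adjust to your own network and baseline.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UPLOAD_BYTES_PER_HOUR = 50 * 1024 * 1024  # 50 MiB sent outward within one hour
UPLOAD_RATIO = 10.0                        # sent/received; normal browsing is download-heavy
WORK_HOURS = range(8, 18)                  # 08:00-17:59 UTC is when users are expected to be active

def parse_conn_log(text):
    """Yield one dict per record, naming the columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def as_int(value):
    return 0 if value in ("-", "") else int(value)  # Zeek writes "-" for unset fields

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_exfil_candidates(text):
    """Return (host, hour) buckets whose outbound volume and ratio look like an upload."""
    buckets = defaultdict(lambda: [0, 0])  # (host, hour_start) -> [bytes sent, bytes received]
    for rec in parse_conn_log(text):
        if not is_external(rec["id.resp_h"]):
            continue  # internal-to-internal traffic is out of scope for this check
        hour = int(float(rec["ts"])) // 3600 * 3600
        sent_recv = buckets[(rec["id.orig_h"], hour)]
        sent_recv[0] += as_int(rec["orig_bytes"])
        sent_recv[1] += as_int(rec["resp_bytes"])
    alerts = []
    for (host, hour), (sent, received) in sorted(buckets.items()):
        ratio = sent / max(received, 1)
        if sent >= UPLOAD_BYTES_PER_HOUR and ratio >= UPLOAD_RATIO:
            when = datetime.fromtimestamp(hour, timezone.utc)
            alerts.append({"host": host, "hour": when.isoformat(), "sent": sent,
                           "ratio": round(ratio, 1), "off_hours": when.hour not in WORK_HOURS})
    return alerts
```

Hourly bucketing keeps a single large file upload from being lost among many small connections, and the ratio test separates a backup or upload from ordinary download-heavy browsing; internal destinations are skipped on purpose so the check stays focused on traffic leaving the network.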
Preventing Spyware Infections
Your first line of defense against spyware is prevention. Read on for our recommendations.
Keep your operating system and software updated
Regular updates are key in protecting against spyware. They involve security patches that fix vulnerabilities exploited by malicious programs.
Outdated software can expose your business to malware, spyware, and ransomware. In fact, organizations with poor patching practices experience seven times more cyber breaches than those with an A-grade patching cadence.
Use reputable antivirus and anti-spyware programs
Investing in reputable antivirus and anti-spyware programs is essential. Antivirus programs are predominantly used to identify and remove viruses, trojans, and other types of malware.
Meanwhile, anti-spyware programs are used to identify and remove malicious spyware.
However, some antivirus software also protects against ransomware and spyware, notably Bitdefender Total Security, McAfee Total Protection, and Norton 360 Deluxe.
Norton and Malwarebytes are highly recommended for their comprehensive detection and removal capabilities for both desktops and laptops.
And, with BYOD policies leading to the proliferation of iPhones and Android smartphones in the workplace, top antivirus tools like TotalAV, Norton 360, and Avira Antivirus can be critical in protecting your most sensitive trade secrets.
Exercise caution when downloading and clicking on links
Always exercise caution when downloading software or clicking on links. Verify the legitimacy of the source and avoid downloading from unknown websites.
Be wary of unsolicited emails and messages containing links or attachments. Following these practices can significantly reduce your risk of spyware infections.
Removing Spyware from Your Devices
It’s important to remember that spyware can’t transfer data without an internet connection. Once you discover spyware, the first thing to do is to disconnect your device from the internet; only then start removing the spyware.
This leads to the important question: How do I remove spyware?
There are several ways to do this:
- Frequent scans
- Manual removal
- Device factory reset
Scan your device with anti-spyware software
If you suspect a spyware infection, the first step is to scan your device with anti-spyware software.
These programs can detect and remove most types of spyware. Regular scans at least once a week can provide continuous protection.
For mobile phones, you can use the iVerify app to check for spyware. If you have an iPhone, use Apple’s new Lockdown Mode feature to block spyware exploits.
For desktops and laptops running macOS, Apple relies on three built-in features to detect and block spyware: XProtect, Gatekeeper, and Notarization.
Manually remove suspicious programs and browser extensions
Sometimes, manual intervention is necessary to remove spyware. Check any installed apps or browser extensions for anything suspicious — and uninstall or disable them.
You can also use a free spyware removal tool like Avast or reboot your phone in safe mode.
Resetting your device as a last resort
If spyware persists despite your efforts, implementing a factory reset can be an effective solution.
This action will remove all data and installed apps, so remember to back up important files before proceeding.
While this may be a drastic measure, it ensures that all traces of spyware are eliminated from your device.
Measures to protect against spyware are strengthened with one more weapon in your arsenal: identity and access management via a robust password manager.
Here’s how:
- Zero knowledge encryption: Anti-virus and anti-spyware tools can detect and remove spyware from your devices. Meanwhile, LastPass secures your sensitive business data with zero knowledge encryption. We encrypt your personal vault with AES-256, and the key to it is derived with 600,000 rounds of PBKDF2-SHA-256 — you are the only person who can decrypt it.
- Data theft prevention: Spyware poses a significant threat by capturing keystrokes, passwords, social security numbers, and payment info. LastPass secures all your info and reduces this threat considerably.
- Industry-leading passwordless authentication: LastPass is the first password manager to achieve FIDO2 server authentication, making passwordless login even more secure for your business. We also lead the industry in offering biometric passwordless authentication and authentication with FIDO2 certified hardware keys like YubiKey.
Even as new threats converge on the cyber-threat horizon, you can have uncompromised security and peace of mind. With LastPass Business, you’ll actively defend against spyware attacks so you can focus on what you do best — growing your business. Start your free trial today.
FAQ
How do hackers use spyware?
Hackers use spyware to steal both corporate and military secrets. They leverage several types of spyware for this.
- Keyloggers can track every keystroke, intercept classified communications, and steal login info.
- Browser hijackers can serve up a multitude of unwanted ads or force browsers to redirect to malicious sites.
- Trojans can infect devices and create backdoors to steal trade secrets, login credentials, and customer data.
Does spyware work without internet?
No, spyware can’t work without an internet connection.
The primary purpose of spyware is to steal and exfiltrate sensitive data. Without an internet connection, data transfers can’t occur.
How do I remove spyware?
You can remove spyware with these methods:
- Using anti-spyware software to scan and remove spyware
- Manually removing suspicious programs and browser extensions
- Implementing a factory reset of your device
After removing spyware, use a password manager like LastPass to securely create, store, share, and manage login credentials. This prevents hackers from accessing your most sensitive data.