An iPhone compromised by Wolf Intelligence malware, itself a product from a Las Vegas entrepreneur, who sold spyware to governments and consumers.
Laura blames Adderall for her ex-fiance’s increasingly violent tendencies. Having moved to the Bay Area not long after the turn of the 2010s, he began working for one of the hundreds of location tracking apps for smartphones, typically pitched to parents for keeping tabs on their kids. To deal with the pressures of a California developer’s life, he took to the pills, she said. “All these guys come out to the Bay Area and all they’re rated on how many lines of code they can write.” (FORBES has kept her real name out of the story at her request). “The way you keep writing is take more and more Adderall.”
The addiction awakened a dormant rage in her partner, according to her narrative. Laura, who was co-founder at a tech company, told FORBES she was soon on the receiving ends of his violent bouts: when he held her against the wall various times, when he destroyed the TV with a bike lock because she put the wrong channel on, when he bust her leg so bad she walked with a limp for a week. When she realized it was time to leave, Laura made excuses about doing laundry, packed a bag of belongings in an Ikea bag and escaped in a taxi.
After a short time at a shelter, she said she received a call from him: he let her know he was tracking her movements. “He didn’t come to the shelter, he used it to threaten and harass me by sending text messages… At the time, I was still very afraid of him and so him knowing where I was, was terrifying.” She started to move every two or three weeks, often to different hacker houses where she could carry on working. In an Adderall-induced rant, he later admitted to installing on her phone hidden developer versions of the same location tracking app he’d worked on, according to Laura. She swiftly trashed the device.
Laura isn’t alone amongst women in suffering, in part, because of such surveillance software. In a 2015 Women’s Aid survey of 693 women, 29 per cent said they had spyware or GPS locators installed on their phones or computers by a partner or ex. In 2014, NPR surveyed 70 women’s shelters, finding 85 per cent were working with victims whose abusers tracked them via GPS, or what’s often referred to as “spouseware.”
Where do those surveillance tools come from? A FORBES investigation has unearthed evidence that often behind such easy-to-use spyware are opportunistic salesmen who’re peddling not just to jealous spouses and paranoid parents for small fees, but whose powerful spying software is also sold to police and intelligence agencies for hundreds of thousands of dollars. Though the cyberweapons creators we investigated have never publicly disclosed this, their digital trails prove that often the malware used to snoop on terrorists and pedophiles is much the same as that used to control partners in abusive relationships.
Not only are lawmakers, lawyers and women’s rights activists horrified at the blatant militarization of personal surveillance, they’ve called on the U.S. government to take action on the sale of spyware in America, something many have long considered illegal.
“Stalking apps enable predators to threaten the safety and privacy of the most vulnerable Americans,” Senator Ron Wyden told FORBES. “The GPS Act, which I first introduced with Congressman Chaffetz in 2011, specifically criminalizes tracking a person’s location without their consent. I’m going to make a new push to pass that bill, but in the meantime, FTC and DOJ should step up and investigate companies that try to profit off of this predatory behavior.” Senators Wyden, Jason Chaffetz and John Conyers on Wednesday introduced The Geolocation Privacy and Surveillance (GPS) Act, which covers both warrantless government tracking and consumer-level surveillance.
“Opportunistic, would-be spies are trying to make millions re-badging commodity ‘spouseware’ that can be purchased for under $100,” said Morgan Marquis-Boire, one of the world’s best-known malware experts and security chief at First Look Media. Since 2015, Marquis-Boire and FORBES have researched connections between professional malware businesses. “These cowboys of creepware operate with little regard to basic product quality or customer due diligence.”
‘Spouseware is no toy’
Such behavior is evident from top to bottom in the international malware market. Even the biggest mobile surveillance companies are borrowing from spouseware coders.
In one 2012 leaked email (in Italian) from the Wikileaks archive of hacked data from Italy-based government malware maker Hacking Team, the company claimed the Android spy tool of FinFisher, one of its fiercest rivals, looked similar to FlexiSpy, a cheap product manufactured by Thai firm Vervata. An ex-Hacking Team employee, who asked to remain anonymous, said the analysis showed FinFisher and FlexiSpy were “nearly identical with few changes.” (FORBES could not independently verify Hacking Team’s findings). And yet the costs for buying the latter were far cheaper. Leaked price lists for other FinFisher intrusion tools showed they sold for upwards of €100,000 ($107,000) back in 2009. FlexiSpy sold for $349 per year in 2012, and now ships at $68 a month.
FinFisher, one of the original suppliers of so-called “lawful intercept” spyware, has repeatedly been criticized for selling malware to countries with poor human rights records such as Bahrain, Egypt and Ethiopia. It had not responded to calls and emails asking for comment. FlexiSpy spokesperson Marc Harris said: “We were shocked to see our name mentioned in the context of Hacking Team communication. All we can say is that we have never had any dealings with governments, as our products are designed purely for consumer use.”
FinFisher could have bought and analysed the FlexiSpy code for its own use. In February 2012, FlexiSpy launched a reseller program, actively encouraging surveillance companies and governments to buy its code for whatever use they needed, and allowed them to add their own branding.
Hacking Team, which has sold services to the FBI, Mexico and many others for up to and over $1 million per contract, was a customer of multiple consumer services too, including FlexiSpy, mSpy and MobileSpy. The ex-Hacking Team employee told FORBES the firm subscribed to learn about new intrusion techniques for its government-only suite, something leaked emails confirmed. “Hacking Team routinely bought commercial tools available to understand what type of features they were offering and to get new ideas,” the source said.
“Although often discounted as ‘toys’, they weren’t toys at all… Those guys had some quite clever ideas and the capabilities of commercial tools, exploitation part excluded, were quite close to those of both [Hacking Team] and FinFisher.”
Killer and the Wolf
But it’s the little-known minnows of the cellphone interception game who’re going the extra mile by selling government-grade spy tools to both consumers and nation states. Take Josh Alner, a barrel-chested and bearded Las Vegas tech entrepreneur, who has tried to crack the $25 billion mobile software market since the 1990s with a bar simulation app. In the late 2000s, he took a surprising detour to bolster his fortunes by going into the spyware market.
The attraction was clear: the computer and cellphone surveillance industry is worth an estimated $5 billion. Mobile malware often sells to law enforcement and intelligence agencies for anything upwards of $500,000 apiece. With that in mind Alner acquired a new form of iPhone malware, one that bypassed Apple security to allow installation of non-authorized apps. He purchased it from a Vietnamese developer whom he declined to name (Marquis-Boire believes it to be a development house called Tigi; Alner said that was not correct). Marketing the spy kit as a “lawful intercept” tool, with the branding Tracer+, he attempted to sell to police at home and abroad via his new enterprise, Killer Mobile. To maximize profit, though, he also sold a version of Tracer for personal “government-grade surveillance,” marketed at parents who want to keep a close eye on their children, selling it for as little as $49 a month.
Josh Alner, founder and owner of Killer Mobile, whose iPhone spy tools were offered to some of the world’s biggest mobile surveillance companies. Technical evidence indicates the same code was sold to consumers.
Struggling to get the law enforcement side off the ground in the U.S., Alner looked abroad. In 2014, he pitched to Hacking Team, despite criticism of the Italian firm’s sales to regimes with poor human rights records – Bahrain, Egypt and Russia, to name a few. After Hacking Team looked elsewhere, Alner spoke with a German company, Wolf Intelligence, which was attempting to crack the same market. Wolf chief Manish Kumar was impressed with the iOS malware’s ability to work even on non-jailbroken iPhones (where vulnerabilities are exploited and Apple’s control of the device stripped away), and he promised to demo the tool across the world.
That included a test for FORBES, in which the iPhone malware was disguised as a WhatsApp clone. It looked legitimate, incorporating all contacts, chats and calls from the legitimate WhatsApp account. It then sent back all further WhatsApp communications, as well as SMS texts and standard calls, to a central hub, a website hosted by Alner’s company.
The Wolf partnership also came unstuck, however, as Kumar couldn’t secure any buyers; law enforcement agencies were looking for completely silent hacks, not ones that required user interaction. Apple updates throughout 2016 also rendered the techniques used by Tracer all but unusable, Alner said. “The tech you’re referring to is absolute crap now, Apple locked down their OS so tight, you’d have to be an idiot to install something like this.” (Prior to my contact with Alner, Marquis-Boire disclosed our findings to Apple. He said the company was receptive).
Alner has given mixed messages about his success in selling to national agencies. In his pitch to Hacking Team he claimed “current government clients” used his iPhone malware, disguising it as WhatsApp. But he told me a different story: “We’ve quite literally never closed a deal of the type you’re referring to, not for lack of trying.” (Amongst other contradictions, he also claimed to have never had contact with Hacking Team, despite the emails being publicly available on Wikileaks). Whatever the truth, he still sees potential for expansion of his government business; Tracer has now morphed into FoxPhone, marketed as as lawful interception software since February last year.
Though the company couldn’t flog Alner’s code to governments, Wolf did secure business elsewhere. It’s only known deal, a $2.5 million contract with Mauritania that fell apart.
Kumar, a soft-spoken New Delhi-born cyber weapons dealer, told me he’d also shown off his cornucopia of spy tools – from iPhone and Android malware, to systems that can automatically detect and hack individuals using software to encrypt their connections – to various governments. They included Thailand and Malaysia, both countries with histories of repressive surveillance tactics. He also held talks with Israel’s elite surveillance companies in 2016, in a bid to have Wolf kit bundled with other spy tech, such as Ability Inc’s $20 million Unlimited Interception System (ULIN) for snooping on mobile communications.
But Kumar has a history he isn’t too keen to talk about: spouseware sales. His old employer, Indian company Leo Impact, offered spouseware under its SpyPhoneWorld.com banner, even though its main line of business was supposed to be cyber defense. The Leo site is now shuttered, but the Internet Archive showed the spy software (also once advertised by Kumar in Hacking Team emails) promised to help customers “catch a cheating partner or control and monitor child, employee phone remotely.” Kumar said he could showcase his consumer malware during our early conversations in spring last year, but later distanced himself from any such activity. He didn’t respond to requests for comment on the Leo Impact offering.
FORBES also obtained Android malware and a BlackBerry spyware manual from another government surveillance supplier with Indian origins, Aglaya, which again can be linked to the consumer malware world.
In the last three years, Aglaya has tried to push those mobile tools and some more extravagant cyberwarfare technologies to government agencies. FORBES first came across the company at one of the biggest arms fairs in the world, DSEI, held in London in 2015. Its military services include what Aglaya CEO Ankur Srivastava called a “stealth protocol” for hacking power station control systems, known as SCADA devices, in a way that was “undetectable by any commercial firewall.” (Multiple cybersecurity experts told me they were dubious of those particular claims). He also claimed to have access to a trove of zero-days – software vulnerabilities unknown to others and unpatched, which can fetch up to $1 million or more – while an Aglaya manual for online trolling and disinformation campaigns was recently published by Vice Motherboard.
Srivastava told me he only sold to Indian intelligence agencies. But Aglaya’s Android malware has links to one of the consumer surveillance market’s biggest providers, mSpy. Marquis-Boire found that one of two Android spyware samples he believed belonged to Aglaya also received commands from a server hosting the domain mobilebugstore.com. Visiting mobilebugstore.com redirected to an mSpy website. And when FORBES looked at the domain registration history for mobilebugstore.com, it brought up just one name from 2010: Vinod Kumar (no relation to Manish Kumar). A quick Google search for that name and Aglaya brought up sites listing a Vinod Kumar as a partner at the Indian firm. mSpy confirmed mobilebugstore.com was run by an affiliate, but had no record of Vinod Kumar or Aglaya as a partner.
Despite the links, both mSpy and Aglaya denied any business relationship. Marquis-Boire said that given the evidence, “the claim that there is no link between the two companies strains credulity.”
Surveillance, abuse and the law
The percolation of state surveillance tools into the home gives rise to two significant concerns. First, there’s the evidence such tools, commonly referred to as “spouseware” are used in abusive relationships. “It’s incredibly common in domestic abuse cases,” said Polly Neate, CEO of Women’s Aid. “Control is the absolute heart of domestic abuse, that’s what it’s all about, and so it’s not surprising perpetrators are finding new ways of controlling a person.”
Second, any company shipping such tools within the U.S. could breach the Wiretapping Act, which makes it illegal to intercept communications without authorization or a court order. Nate Cardozo, the Electronic Frontier Foundation’s senior staff attorney, said: “If a prosecutor were to make a case they [Killer Mobile] were breaking Wiretap Act, I would not like to be representing the defendant.”
Alner disagreed that his tool would have broken any laws, as such snooping is allowed when on minors and employees with consent, and he claimed it was pulled from the U.S. market three years ago. Spyware creators also include statements in their terms of service to insulate themselves from liability. Killer Mobile, for instance, wrote in its terms that it had “zero tolerance” for illegal use of Tracer and took no liability for any unlawful or illicit use of any of its applications.
According to Cardozo, however, those precautions wouldn’t help in a defense should prosecutors be able to show the software was used in breach of the Wiretap Act. And in cases of domestic abuse, it often doesn’t matter if the victim has permitted their partner to install spyware on their devices, said Cindy Southworth, executive vice president of the National Network to End Domestic Violence. “The level of consent that’s being gained just isn’t meaningful in the context of domestic abuse and coercive control… If you’re really scared of somebody and they’re telling you to install this stuff, there’s nothing you can do about that,” she added.
A FlexiSpy tweet encourages jealous spouses to spy on their partner.
That the tools are used without consent is undeniable. Beyond Laura’s story and other public examples, Marquis-Boire found proof the Killer consumer product was in use, after the company mistakenly leaked data from a target’s phone, including all their call records and SMS messages. They were accessible by just visiting a link hosted on killermobilesoftware.com, the same site where government snoops could look at targets’ data, as Alner told Hacking Team in 2014.
The link contained an email for the buyer. In response to an email enquiry, the Tracer customer said they’d bought Killer software to secretly monitor a relative they suspected of taking drugs. The tool came recommended from a friend who hired a detective to monitor his wife because he believed she was cheating on him. Alner first said he could prove that the data wasn’t from a real customer, but then changed his mind, saying he wouldn’t allow them to buy Killer kit again.
Catching the creepware dealers
The U.S. government hasn’t had any significant successes in catching merchants of illegal spyware in recent years. And those selling spy software to the general public have been able to avoid legal action by simply removing advertising material that encouraged spying on spouses. They may have learned that trick from an FTC case against CyberSpy Software, which settled with the government to stop marketing its RemoteSpy product for use on people without their consent. It didn’t admit to any criminal wrongdoing and didn’t face charges.
There’s only ever been one criminal conviction for the advertisement and sale of a mobile device spyware app. In 2014, the creator of StealthGenie, 31-year-old Danish citizen Hammad Akbar, was told to pay a fine of $500,000. At the time, assistant attorney General Leslie R. Caldwell said: “Make no mistake: selling spyware is a federal crime, and the Criminal Division will make a federal case out if it.”
But there’s been no comparable action since, even as companies brazenly continue advertise their spyware for snooping on spouses, as FlexiSpy has done over the last month.
Southworth thinks she knows why: “We can’t get the FBI to take cases. They’re focused on ‘real terrorism’ not terrorism in the home… It’s violence against women, it’s not a priority,” added Southworth, who trains police on investigating such tools. “There are hundreds that should be prosecuted.”
Marquis-Boire has published a Medium post listing the different malware he and FORBES obtained for this report. Click through if interested in pursuing the technical leads.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.