Feds Bust Mobile Spyware Maker

FBI Sounds Stalker Warning, But Proving Illegal Intent Tough
Feds Bust Mobile Spyware Maker

The FBI has arrested the CEO of Pakistani software development firm InvoCode, which develops a mobile spyware app called StealthGenie, on charges that he advertised and sold the software for illegal purposes. But one legal expert says getting a conviction in the case won't be easy.

See Also: From Metadata Bottlenecks to On-Demand Insights

InvoCode CEO Hammad Akbar, who's based in Lahore, Pakistan, was arrested in Los Angeles on Sept. 27 on charges of conspiracy as well as selling and advertising interception technology. InvoCode marketed StealthGenie as "the world's most powerful cell phone spy software." It sold versions that were compatible with Android, BlackBerry and iOS devices and that could be installed by someone who had physical access to an unlocked device.

U.S. government officials have highlighted how StealthGenie could be used to violate privacy. "This application allegedly equips potential stalkers and criminals with a means to invade an individual's confidential communications," says Andrew McCabe, who earlier this month was appointed the assistant director in charge at the FBI's Washington field office. "They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victim's phones and illegally tracking an individual's every move."

"Selling spyware is not just reprehensible, it's a crime," declares Leslie R. Caldwell, the assistant attorney general for the Justice Department's Criminal Division.

The StealthGenie website now resolves to an empty page after a federal judge issued a temporary restraining order on Sept. 26, authorizing the FBI to disable the site. But according to a cached version of the site, the software can be used to monitor live calls; read all text messages, e-mails and IM messages stored on the device; and track GPS coordinates, among other features. The company's website says it has "over 100,000 satisfied customers."

The Department of Justice alleges that InvoCode designed and sold its app for the purpose of spying on people without their consent. Federal prosecutors say this is "the first-ever criminal case concerning the advertisement and sale of a mobile device spyware app." The Justice Department also filed an injunction against Akbar, requiring that he and his employees cease selling or advertising the software.

In the indictment against Akbar, which was filed Sept. 26 and unsealed Sept. 29, the prosecutors claim jurisdiction over StealthGenie because InvoCode advertised and sold its app using server space leased from Amazon Web Services that's located in Ashburn, Va. After undercover FBI agents purchased an Android version of StealthGenie in December 2012, they also found that it was likewise using Amazon Web Services to store all intercepted data and communications.

Making the Case

Akbar has been charged under an interstate statute that prohibits manufacturing, distributing, advertising or possessing software - or devices - that are "primarily useful for the purpose of the surreptitious interception of wire, oral or electronic communications."

But the case, including the use of that statute, is far from clear cut. "The statute has a real problem, because it makes it illegal to make software that's designed to allow somebody to do something that's legal," says security and privacy expert Mark Rasch, a former federal prosecutor who created the computer crime unit at the Department of Justice.

"This is the electronic equivalent of the possession of burglar's tools - instead of going after the guy who owns or possesses burglar's tools, you're going after Stanley or Home Depot," Rasch says. "It would be like making it illegal to sell jimmies - a device whose primary design is to help people jimmy a car door. Well, repo men and locksmiths use those all the time."

Disclaimer: Not for Illegal Use

The StealthGenie website also included a disclaimer that the software was only to be used ethically by "parents who wish to monitor their underage children or for employers who wish to monitor their employees with their written consent." The disclaimer added that InvoCode would not be held liable for any illegal use of its product.

Rasch, however, says such disclaimers mean little in court. Even so, prosecutors would have to prove both intent and conspiracy - referring to two or more people agreeing to commit a crime - against Akbar and his associates. "Absent a showing that the seller of this software intended it to be used for illegal purposes, it's difficult to show a conspiracy or intent," he says.

The indictment does accuse the company of touting its product for illegal purposes. "Language and testimonials on this website focused significantly on potential purchasers who did not have any ownership interest in the phone to be monitored, including those suspecting a spouse or romantic partner of infidelity," according to the indictment.

The indictment includes an alleged copy of the InvoCode business plan, which says that the company - based on its market research - expected 65 percent of its customer base would comprise the "spousal cheat market," referring to spouses or romantic partners who suspected their spouse or partner of cheating.

According to the indictment, StealthGenie also includes the ability to:

  • Record all incoming and outgoing voice calls;
  • Intercept live calls on the monitored phone;
  • Call the phone and remotely activate a feature "to monitor all surrounding conversations within a 15-foot radius";
  • Read a user's incoming and outgoing e-mail messages and SMS messages;
  • Access voice mail messages;
  • Review the device's address book, calendar, photographs and videos;
  • Remain difficult or impossible for a device user to detect.

Despite Assistant Attorney General Caldwell's pronouncement that all spyware is illegal, in fact there are a number of occasions where surreptitious monitoring software can be legally used, or where monitoring software must be used. "For example, employers - pursuant to a policy - may be permitted in some jurisdictions to surreptitiously monitor their employees," Rasch says, for example for BYOD purposes. "Some regulatory environments, like the SEC and regulations of broker-dealers, require monitoring. And parents frequently and almost routinely monitor - in some way - their children's activities. In fact, the Federal Trade Commission recommends they do so, as does the National Center for Missing and Exploited Children."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.in, you agree to our use of cookies.