What is spyware?

How does spyware work?

Spyware can make its way onto a device without the end user's knowledge via an app install package, file attachment or malicious website. In its least damaging form, spyware exists as an application that starts up as soon as the device is turned on and continues to run in the background.

At its most damaging, spyware tracks web browsing history, passwords and other private information, such as email addresses, credit card numbers, personal identification numbers or banking records. All this information can be gathered and used for identity theft or sold to third parties. Information can be collected using keyloggers and screen captures.

Advanced spyware often employs techniques such as encrypting stolen data before transmission, obfuscating its presence to avoid detection by antivirus software and modifying system files to disable security programs.

How do spyware infections occur?

Spyware infections can affect any PC, Mac, iOS or Android device. Some of the most common ways for computers to become infected are the following:

• Downloading materials from unknown sources.
• Accepting pop-up advertisements.
• Opening email attachments from unknown senders.
• Clicking on phishing links embedded in emails or ads.
• Using outdated software, which often contains vulnerabilities that spyware exploits.

Spyware is most commonly distributed by getting potential victims to click on a link. The link can be in an email, pop-up window or ad. Malicious code can also be embedded on legitimate websites as an advertisement. Other ways for spyware to infect a machine include via drive-by download -- where spyware is downloaded just by visiting a website or viewing an HTML email message -- phishing links or physical devices.

Even legitimate websites can become a threat if compromised by hackers who insert malicious scripts into ads or downloadable content.

Types of spyware

Spyware is not just one type of program. It is an entire category of malware that includes adware, keyboard loggers, Trojans and mobile information-stealing programs.

Adware

Malicious adware is often bundled with free software, shareware programs and utilities downloaded from the internet or surreptitiously installed onto a user's device when the user visits an infected website. Many internet users were first introduced to spyware in 1999 when a popular freeware game called Elf Bowling came bundled with tracking software. Adware is often flagged by antimalware programs as to whether the program in question is malicious or not.

Cookies that track and record users' personally identifiable information (PII) and internet browsing habits are one of the most common types of adware. An advertiser might use tracking cookies to track what webpages a user visits to target advertising in a contextual marketing campaign.

For example, an advertiser could track a user's browser history and downloads with the intent to display pop-up or banner advertisements to lure the user into making a purchase. Because data collected by spyware is often sold to third parties, regulations such as the General Data Protection Regulation have been enacted to protect the PII of website visitors.

Keyboard loggers

Keyloggers are a type of system monitor that cybercriminals often use to steal PII, login credentials and sensitive enterprise data. Employers may also use keyloggers to observe employees' computer activities; parents to supervise their children's internet usage; device owners to track possible unauthorized activity on their devices; or law enforcement agencies to analyze incidents involving computer use.

Hardware keyloggers resemble a USB flash drive and serve as a physical connector between the computer keyboard and the computer, while software keylogging programs do not require physical access to the user's computer for installation. Software keyloggers can be downloaded on purpose by someone who wants to monitor activity on a particular computer, or they can be downloaded unwittingly and executed as part of a rootkit or remote access Trojan.

Trojans

Trojans are typically malware programs that are disguised as legitimate software. A victim of a Trojan attack could unknowingly install a file posing as an official program, enabling the Trojan to access the computer. The Trojan can then delete files, encrypt files for ransom or enable other malicious actors to have access to the user's information.

Mobile spyware

Mobile spyware is dangerous because it can be transferred through Short Message Service or Multimedia Messaging Service texts and typically does not require user interaction to execute commands. When a smartphone or tablet gets infected with mobile spyware that is sideloaded with a third-party app, the phone's camera and microphone can be used to spy on nearby activity, record phone calls, and log browsing activity and keystrokes. The device owner's location can also be monitored through the Global Positioning System (GPS) or the mobile computing device's accelerometer.

How do you prevent spyware?

Maintaining strict cybersecurity practices is the best way to prevent spyware. Some best practices are the following:

• Only downloading software from trusted sources.
• Reading all disclosures when installing software.
• Avoiding interactions with pop-up ads.
• Staying current with updates and patches for browser, operating system (OS) and application software.
• Not opening email attachments or clicking on links from unknown senders.
• Using only trusted antivirus software and reputable spyware tools.
• Enabling two-factor authentication (2FA) whenever possible.

To further reduce the probability of infection, network administrators should practice the principle of least privilege and require remote workers to access network resources over a virtual private network that runs a security scan before granting access privileges.

Using a pop-up blocker or ad blocker also helps avoid spyware. Mozilla Firefox and Google Chrome have built-in pop-up blockers, and ad blockers can be added as a browser extension.

Mobile users should avoid downloading applications from outside their respective app stores and avoid jailbreaking their phones, if possible. Since both make it easier for spyware to infect mobile devices.

IPhone users can enable 2FA at no charge to protect all the data on their smartphones and prevent mobile spyware attacks. 2FA can also be used in a variety of other common services, including PayPal, Google, Dropbox and Microsoft 365, as well as in social networking sites, such as Instagram, Snapchat, Facebook and X, formerly Twitter. Most major banks have also started implementing 2FA in their websites and mobile apps. Some services have even increased their authentication process to three-factor and four-factor authentication.

How do you remove spyware?

In order to remove spyware, device owners must first identify that the spyware exists in their system. There are several symptoms to look for that can signify the presence of an attack. Indicators include the following:

• The device runs slower than normal.
• The device consistently crashes.
• Pop-up ads appear whether the user is online or offline.
• The device starts running out of hard drive space.

If users determine that spyware has infected the system, they should perform the following steps:

1. Disconnect the internet connection.
2. Check the device's programs list to see if the unwanted software is listed. If it is, choose to remove it from the device. After uninstalling the program, reboot the entire system.
3. If the above step does not work, run a scan of the system using a reputable antivirus software. The scan should find suspicious programs and ask the user to either clean, quarantine or delete the software.
4. The user can also download a virus removal tool or antispyware tool and allow it to run through the system.

If none of the above steps work, then the user has to access the device's hard drive in safe mode. However, this requires a tool that enables the user to access the spyware folders and manually delete them. While this sounds complicated, the process should only take a few minutes.

Spyware on mobile devices can also be scanned for using security programs. Mobile device owners can also back their data up and then reset the device to its factory settings.

Antispyware tools

Some antispyware tools only perform when the scan is manually started, while others are continuously running and monitoring computer activity to ensure spyware cannot record the user's information. Users should be cautious when downloading antispyware tools and only download tools from reputable sites. Product reviews can also help users determine which tools are safest.

Some antispyware tools are the following:

• Malwarebytes is an antimalware and spyware tool that can remove spyware from Windows, macOS, ChromeOS, Android and iOS. Malwarebytes can scan through registry files, running programs, hard drives and individual files. Once a spyware program is detected, a user can quarantine and delete it. However, users cannot set up automatic scanning schedules.
• Microsoft Defender is a Microsoft antimalware product that is included in Windows. The software is a lightweight antimalware tool that protects against threats such as spyware, adware and viruses. Defender includes features such as protection against phishing sites, real-time threat detection and parental controls. Defender users can set automatic quick and full scans, as well as set alerts for low, medium, high and severe priority items.
• Trend Micro HouseCall is another antispyware tool that does not require user installation, so it uses minimal processor and memory resources and disk space. However, like Malwarebytes, users cannot set automatic scans.

What are common examples of spyware?

Well-known examples of spyware are the following:

• CoolWebSearch uses security vulnerabilities found in web browsers to take control, change settings and send browsing information to spyware authors.
• DarkHotel is a targeted spear phishing spyware that selectively attacks business hotel visitors through the hotel's Wi-Fi network.
• Pegasus is advanced spyware used to exploit zero-day vulnerabilities in smartphones, capable of intercepting calls, reading encrypted messages and activating cameras or microphones.
• Emotet was one of the most prevalent threats in the 2010s. It acted as a Trojan that stole banking credentials from its victims.

In addition, smartphone spy apps enable different people to track the phone user's activity. While most of these tools were created with the intent of letting parents monitor their child's phone use, their abilities have been grossly abused.

These apps act as mobile spyware and enable external users to access the phone's microphone and camera to view their surroundings, listen in on phone calls and access the phone's GPS location, passwords and mobile apps. Some well-known spy apps are Spyera, FlexiSPY and TheOneSpy.

Emerging spyware threats

The evolution of spyware has introduced advanced threats that pose significant challenges to users and organizations. As cybercriminals develop increasingly sophisticated techniques, the landscape of spyware is shifting, making detection and prevention more complex.

Stealth spyware

Stealth malware in the form of spyware programs are designed to operate undetected by traditional antivirus software. By embedding themselves deep within system files or disguising their processes as legitimate system operations, stealth spyware can avoid detection for extended periods. This type of spyware is often used to monitor user activity continuously, capturing sensitive data, like login credentials, emails and browsing history. It can also alter or disable security settings to prevent its removal. For example, rootkit-based spyware has been known to hide within system kernels, making it nearly invisible to standard security tools.

AI-driven spyware

Artificial intelligence (AI) is revolutionizing spyware capabilities. AI-enabled spyware can analyze user behavior, adapt its operations to mimic legitimate processes, and evade detection by recognizing and bypassing specific security protocols. One notable advancement is AI-powered keyloggers, which can identify critical information, such as banking passwords, even if users employ advanced security measures, like virtual keyboards. Additionally, AI-driven spyware can dynamically modify its code to avoid signature-based detection methods used by antivirus programs.

Spyware as a service

The rise of the dark web has facilitated the emergence of spyware as a service, a type of malware as a service. This business model enables cybercriminals to sell prepackaged spyware tools to individuals with minimal technical expertise. For a fee, users can access spyware kits equipped with user-friendly interfaces, making it easier than ever to deploy spyware campaigns. These kits often include features like remote installation, real-time data extraction and even customer support for purchasers. Spyware as a service has democratized spyware deployment, increasing the prevalence of attacks and lowering the barrier to entry for cybercriminals.

The need for more advanced countermeasures

The growing sophistication of spyware necessitates the use of advanced detection and prevention tools. Behavioral analysis tools, for instance, can identify unusual system activity that may indicate the presence of spyware. Endpoint detection and response systems provide real-time monitoring and automated responses to potential threats.

Furthermore, educating users about the risks of spyware and encouraging proactive cybersecurity practices, such as regular software updates and the use of strong, unique passwords, is critical. Organizations should also conduct regular security audits and invest in next-generation antivirus solutions equipped with AI and machine learning capabilities to counter evolving spyware threats.

The continuous evolution of spyware underscores the importance of staying vigilant and adopting comprehensive security strategies to protect personal and organizational data from this ever-growing threat.

Learn more on how to prevent spyware through best practices, including using a layered defense or content filtering. See how to protect against malware as a service. Also, protecting your endpoints is critical for maintaining security. Learn why endpoint detection and response technologies are essential for endpoint protection. Explore how to protect, detect and remove malware from mobile devices.