Is there a spy in your pocket?

Imagine if hackers could remotely install spyware on your phone that gave them access to everything – including encrypted messages – and even allowed them to control the microphone and camera? Well, this isn’t as far-fetched as it sounds.

In File on 4, presenter Paul Kenyon examines compelling evidence that software is being used to track the work of journalists, activists and lawyers around the world. Who is doing it? Why? And what can be done about the potential spyware in all of our pockets?

Software so powerful it’s classified as a weapon

Mike Murray is a cyber security specialist from in San Francisco, a company that helps governments, businesses and consumers keep their phone and their data secure. He explains how the most sophisticated espionage software ever developed works; software so powerful it’s classified as a weapon, only to be sold under strict conditions.

“The operator of the software can track you with your GPS,” says Mike. “They can turn the microphone and camera on at any point and record everything that’s happening around you. It steals access to every social media app you have; it steals all your pictures, your contacts, your calendar information, your email, every document you have.”

“It literally turns your phone into a listening device that they can track you with - and it steals everything on it.”

Spyware has been around for years but with this we are entering a whole new world. This software doesn’t intercept data in transit, when it is normally already encrypted, but when it's still on your phone, taking over every function. And the technology is so advanced it’s near impossible to detect.

The capture of a Mexican drug lord

Mexican drug lord El Chapo had a multi-billion dollar empire. After escaping prison he was on the run for six months, helped and protected by his extensive network. He only communicated through encrypted phones, supposedly impossible to hack. But the Mexican authorities had purchased new, advanced espionage software, and it is believed they managed to infect the phones of those in his inner circle, which led them to his hideout.

The capture of El Chapo proves that this type of software is an invaluable weapon in the fight against terror and organized crime. Countless lives have been saved and violent extremists stopped, all from security companies hacking into encrypted phones and apps.

But what’s to stop the purchasers of these weapons turning them on anyone they choose? Is anyone who upsets their government in danger of being hacked?

The British blogger who was targeted

Rori Donaghy is a blogger who set up a Middle East campaign group and website. He was reporting on human rights abuses in the United Arab Emirates, from the treatment of migrant workers to tourists falling foul of the law. His readership was just a few hundred people, and his headlines were nothing more incendiary than those appearing in the news every day.

It was when he moved to work on news website Middle East Eye that something odd happened: he started getting strange emails from unknown senders, containing links.

Rori forwarded one suspicious email to a research group called the Citizen Lab, based in the University of Toronto, which investigates the misuse of digital espionage against journalists and human rights workers. They confirmed that the link was to make him download malware on to his device, but also to inform the sender what type of antivirus protection he had so that the malware wouldn’t be detected – a real mark of sophistication.

Rori’s pursuers turned out to be a cyber espionage company working for the UAE government in Abu Dhabi, monitoring groups the government believe to be extremists and risks to national security. They had even given the small-time, British blogger a code-name – “Giro” – and had been monitoring members of his family as well as his every move.

The targeted civil rights activist

Ahmed Mansoor, a renowned, award-winning civil rights activist, has been a target of surveillance by the UAE government for years. In 2016 he got a suspicious text, which he also shared with The Citizen Lab.

Using a blank iPhone, the research team clicked on the link. What they saw amazed them. They witnessed the smart phone being remotely infected and data streaming out of the device. The iPhone is meant to be one of the most secure phones on the market but the spyware – one of the most sophisticated pieces of software of this type anyone had ever seen – had found a wormhole in the Apple system. Apple was forced to issue an update for every one of its phones in the world.

It’s unclear what information was gathered from Mansoor’s phone but he was later arrested and jailed for ten years. He is now in solitary confinement.

The Embassy of the United Arab Emirates in London told File on 4 that their security institutions strictly adhere to international standards and domestic law but, like all other countries, it does not comment on intelligence matters...

The targeted journalist

In October 2018, journalist Jamal Khashoggi walked into the Saudi embassy in Istanbul and never re-emerged, killed by agents of the Saudi regime.

A friend of the journalist, Omar Abdulaziz, found that his phone had been hacked - he says - by the Saudi government.

Omar believes that this hacking played a large part in the eventual murder of his mentor. They were in touch regularly and had many discussions about politics and shared projects.

For a long time the Saudi government had access to these discussions and any exchange of documents or files between them.

The Saudi Government’s response is that while it’s been reported that there is malicious software aimed at mobile phones in circulation, there’s no evidence to suggest that Saudi Arabia is behind it.

A hack closer to home

In May 2019 there was a high profile security breach of WhatsApp messenger – an app that many of us use to talk to friends and family on a daily basis.

If you thought the hack just meant that someone could listen in to WhatsApp calls, think again. The app was merely the entry point into the phone’s software. Once open, the hacker could download a payload of spyware. The recipient wasn’t even required to click a link – the device was accessed just by making a call, and then hanging up. This is known as zero click technology.

WhatsApp quickly released fixes for its 1.5 billion users but no one knows who was behind the hack. WhatsApp was targeted this time, but what app and who will be targeted next?

Fighting back

Developers of this kind of spyware require special export licenses – just like with defence contracts. It’s sold with the sole purpose of stopping serious criminals. But the Citizen Lab have created a whole dossier of what they believe are abuses by client governments.

And are the software developers to blame for these abuses too? Unlike other weapons, like guns, the developer remains active in the service and maintenance of the spyware after sale. So are they culpable when the software is misused?

The lead player in the lawful interception market is an Israeli company called the NSO Group. It has been around for almost a decade and makes hundreds of millions of dollars a year. Abdulaziz’s lawyer is taking the company to court over the alleged hacking of his client’s phone. It’s a significant moment, and will help to determine what role the software companies play once their software has been sent out.

NSO declined a request for an interview but in a statement say their technology provides licensed government agencies the tools they need to prevent and investigate serious crime, and that their technology has saved many lives.

Meanwhile, the lawyer has started receiving mysterious WhatsApp calls…

How long until spyware can’t be detected at all?

The ultimate aim of the lawful interception industry – the Holy Grail if you like – is to develop spyware that is 100% undetectable. If they achieve that, no one can report misuse because no one will know. We’ll all be in the developers’ hands as to whether they are operating lawfully or not.

It might sound like the stuff of James Bond, but there are real consequences in this new world. The threat is real and it’s something we all need to bear in mind for the future. Text message or email from an unknown sender? Don’t click on the link, whatever you do…
