-1

I suspect that my Google pixel (Android 9) phone has some sort of a spyware installed. There are no obvious symptoms like overheating, extreme data usage, or battery draining at an unusual rate. But I have very good reason to believe that both my phone and computer (Ubuntu 18.0.4) are being monitored.

I am using Charles Proxy on my Ubuntu machine (which may and likely is also infected). My phone connects to Charles, and then I am using Wireshark to capture all the outgoing traffic from my phone.

So far, I have not seen anything really suspicious when analysing the network. There doesn't seem to be any odd activity when the phone is silent, or when I am just typing in a notes application. But I would like to know, if my method here is correct, and sufficient to capture the packets potentially leading to a spyware of some sort.

The way I see it, if for example a key logger has been installed then the key stroke information has to be sent out at some point, and so it shouldn't be able escape Wireshark.

I am very new to security/network security. So I am wondering is my method above correct?

Please let me know if this is not the right way to go about this, or perhaps if you can kindly direct me to links/books/any resource which would allow me to know for sure my devices are free of spyware.

The potential attacker in this case, is someone fully capable of writing a sophisticated software. He is a senior software developer with resources to hire a talented hacker. I have been on the same network as him in the past (have formatted and factory reset devices since then) and has had physical access to my computer at some point, but not phone.

JohnSnow
  • 105
  • 4

1 Answers1

2

So far, I have not seen anything really suspicious when analyzing the network.

While monitoring the network should show the attackers activity if the attacker is using the network to exfiltrate information, the problem is to know what is suspicious or not.

For example, is an access to Twitter suspicious if you are using the Twitter application or visiting a web site which embeds some Twitter messages or similar? You might think that such access is the expected behavior but an attacker might actually use Twitter or other common communication targets as control channel or to exfiltrate data. And any data exfiltration (like with a keylogger) does not need to be immediately when the information are gained but it can be collected and then sent deferred to blend into expected network activity.

In other words, unless you know in deep detail what activity you expect, an sophisticated attacker might just blend into normal traffic and you might not detect his malicious activity just by monitoring the network. This does not mean that all attackers are sophisticated enough to hide their activity this way, but that you cannot be sure that innocent looking traffic is really innocent.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • I was actually afraid of this, but thought not to mention to see if it would come up. Thank you for that. Sounds as though it would be extremely hard to narrow it down this way. Maybe a format, or buying fresh devices would be the best option at this point. – JohnSnow Jan 27 '19 at 09:08
  • Then what would be the way to handle this @Steffen Ullrich? any ideas? I mean I could buy a new pc, but if I can't determine the cause here, then I am bound to face the same problem. – JohnSnow Jan 27 '19 at 09:19
  • @JohnSnow: this is a different question and should not be asked in a comment. By itself it would be too broad but [several](https://security.stackexchange.com/questions/138606) [questions](https://security.stackexchange.com/questions/44750) deal with the topic. In general: find out how the attacker gained access and close it and make sure that there are no other ways into your system. Using a minimal and up-to-date system with only the essential software on it which you've gained from a trusted source and also protecting it against physical access by others helps a lot. – Steffen Ullrich Jan 27 '19 at 09:43
  • I appreciate you advice and time. – JohnSnow Jan 27 '19 at 18:51