
Mercenary Spyware and Mitigation

A Quick Dive into Mercenary Spyware and Mitigation Techniques for African Activists

The menace of spyware has become an everyday conversation and a major pain point for the global internet freedom community. How can activists, journalists and civil society in general do good work to ensure a free and just society for all, and bring governments to account, when those same governments have unfettered access to their devices through sophisticated mercenary spyware tools?

The honest answer is: with great difficulty. If your adversary is always many steps ahead of you, there is very little you can do to win outright.

So how can activists and civil society combat the menace of spyware? In this article, we look at mercenary spyware and some mitigation strategies.

What is Mercenary Spyware?

Mercenary spyware is spyware built by private contractors, government-allied firms or state actors themselves, specifically to infiltrate and surveil particular individuals or groups. It relies on new exploits and modular components so that it can remain undetected on a victim's device.

Types

Mercenary spyware, like other spyware, can be built in several ways (adware and keyloggers are two familiar forms), but the most common forms are infostealers and rootkits, because of the level of detail they give the attacker and the associated difficulty of detecting them.

Infostealer: An infostealer is, as its name implies, spyware designed to steal sensitive information from a victim's device. NSO Group's notorious Pegasus is an example of infostealer spyware (combined with other spyware capabilities).

Rootkits: These are a significantly more notorious type of spyware because they not only collect sensitive data from a victim's phone but can also execute commands and alter how the victim's device functions. A recent example is the LightSpy spyware, attributed to a Chinese threat actor group.

What Should Activists and Journalists Do?

  • Analysis by Experts: Traditional malware usually needs you to click a malicious link or download a file onto your phone or computer, and its presence tends to show up as frequent crashes or slowness. Mercenary spyware is far stealthier: many of these tools are delivered through zero-click exploits that need no action from you at all, and their presence on your phone will often cause no malfunction and trigger no alarm bells. This is exactly why nation states favour them for targeting activists and journalists. The only way to truly know whether spyware is lurking on your phone is therefore to have a forensic expert analyse it for traces (in practice this means checking a device backup or diagnostic logs against published indicators of compromise; Amnesty International's open-source Mobile Verification Toolkit, MVT, is the tool most commonly used for this). Not a lot of analysis has been done in Africa on the extent of spyware usage; reports since 2021 have identified only Morocco, Rwanda and Togo as customers of the Pegasus spyware. But is this all, or have we just not searched hard enough for traces and evidence of usage? We at Resilience Technologies believe that many more African states use spyware technologies to surveil journalists and activists who may have no idea this is going on. If you are a journalist or activist with a big voice doing notable work on the continent, we advise you to have your phone analysed for spyware traces; the Access Now helpline (help@accessnow.org) is a good place to get this type of support.
  • Use Apple Devices: If possible, use an iPhone and other Apple devices. Yes, Pegasus and similar tools target iPhones (and Android phones too), but this has made Apple especially deliberate about investigating and closing vulnerabilities, rolling out updates and alerting affected customers quickly: Apple sends threat notifications to users it believes were targeted by mercenary spyware, iOS includes a Lockdown Mode designed specifically to shrink the attack surface those tools rely on, and Apple has funded civil society efforts to combat spyware globally. In a world where attackers try to stay a step ahead of their victims, this is one of the best kinds of response activists can hope for. The Android picture is less uniform: security patches reach a handset only as fast as its manufacturer and carrier ship them, so many Android phones run months behind on fixes that Apple delivers to every supported iPhone on the same day. (Note: Android being an open source project is not the problem in itself; attackers find bugs in closed code just as readily. What matters is how quickly a fix reaches your particular phone, so if you do use Android, choose a model with a fast, long-term update commitment and install updates the day they arrive.)
  • Use High-End Antivirus Solutions: Some antivirus products are better and quicker at detecting and removing spyware than others; BitDefender, Kaspersky and Avira are decent options to consider. One caveat: on iOS, third-party apps are sandboxed and cannot inspect other apps or the operating system, so an antivirus app there will not detect something like Pegasus. On Android, antivirus is useful mainly against commodity spyware and stalkerware, not against a well-funded mercenary tool using fresh exploits.
  • Report: Although stealthy spyware like Pegasus will usually leave no tell-tale sign on your device, less sophisticated spyware just might. So if you notice unusual activity on your phone, such as your browser redirecting to a new search engine, apps crashing, or the battery draining at an unusual pace, please report it to a cybersecurity professional for an assessment (you can contact Resilience Technologies at info@rtafrica.org for a free security consultation).
  • Understand Phishing and Avoid Clickbait: Before making their move, attackers usually research their targets and send them convincing messages or invitations that the target has to click to view or RSVP. This is one of the most reliable ways to get spyware onto a device. Check every email you receive to be sure who the sender really is, and as a rule of thumb, avoid every link sent to you by unknown users on social media, and even on WhatsApp. Bear in mind that this does not protect you against zero-click exploits, which need no interaction at all; for those, prompt updates and periodic forensic checks are the defence.
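To make the "analysis by experts" item above concrete, here is an added illustration of the core of what a forensic check does: it takes artefacts from the phone (browsing history, the per-process network accounting that iOS keeps in DataUsage.sqlite) and matches them against published indicators of compromise. This is example code written for this article; it is not code from Resilience Technologies, and it is not the code of Amnesty International's Mobile Verification Toolkit, which performs this kind of check for real against a full iOS backup. The indicator domains and process names, the URLs, and the database rows are all constructed placeholders, not real spyware indicators, and the DataUsage schema is a constructed approximation with only the columns the check needs.

```python
import sqlite3
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed placeholder indicators for this example; they are NOT real
# spyware IOCs. A published STIX indicator file would be parsed into sets
# shaped exactly like these two.
IOC_DOMAINS = {"sysupdate-cdn.invalid", "mirror-static.example"}
IOC_PROCESSES = {"fakeupdated", "netagentd"}


@dataclass(frozen=True)
class Finding:
    source: str     # artefact the hit came from ("url" or "datausage")
    value: str      # the matched URL or process record
    indicator: str  # the IOC it matched


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IOC domain or is a subdomain of it.

    Suffix matching on the dotted label boundary avoids the classic false
    positive of 'evilexample.test' matching an IOC of 'example.test'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_urls(urls, ioc_domains=IOC_DOMAINS):
    """Match URLs (e.g. rows from Safari's History.db or a DNS log) against domain IOCs."""
    findings = []
    for url in urls:
        host = urlparse(url).hostname or ""
        for ioc in sorted(ioc_domains):
            if host_matches(host, ioc):
                findings.append(Finding("url", url, ioc))
    return findings


def scan_datausage(conn, ioc_processes=IOC_PROCESSES):
    """Match process names recorded by iOS's per-process network accounting.

    Real backups carry this in DataUsage.sqlite (ZPROCESS joined to
    ZLIVEUSAGE); the schema used here is a constructed approximation.
    Outbound bytes are reported so the analyst can see whether a
    suspicious process actually talked to the network.
    """
    findings = []
    rows = conn.execute(
        "SELECT p.ZPROCNAME, p.ZBUNDLENAME, "
        "       COALESCE(SUM(u.ZWIFIOUT + u.ZWWANOUT), 0) AS bytes_out "
        "FROM ZPROCESS p LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK "
        "GROUP BY p.Z_PK, p.ZPROCNAME, p.ZBUNDLENAME"
    )
    for procname, bundle, bytes_out in rows:
        if procname in ioc_processes:
            record = f"{procname} (bundle: {bundle or 'none'}, {bytes_out} bytes out)"
            findings.append(Finding("datausage", record, procname))
    return findings


def build_constructed_datausage():
    """In-memory stand-in for DataUsage.sqlite, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                                 ZWIFIOUT INTEGER, ZWWANOUT INTEGER);
        INSERT INTO ZPROCESS VALUES
            (1, 'mDNSResponder', NULL),
            (2, 'netagentd', NULL),
            (3, 'WhatsApp', 'net.whatsapp.WhatsApp');
        INSERT INTO ZLIVEUSAGE VALUES
            (1, 1, 1200, 300),
            (2, 2, 0, 48211),
            (3, 3, 99000, 1000);
    """)
    return conn


# Constructed browsing records: one benign site, one subdomain of an IOC,
# and one lookalike that must NOT match.
CONSTRUCTED_URLS = [
    "https://www.bbc.com/news",
    "https://update.sysupdate-cdn.invalid/v2/fetch?id=1",
    "https://mirror-static.example.org/safe",
]


def run_scan():
    """Run both checks over the constructed artefacts and return the findings."""
    conn = build_constructed_datausage()
    try:
        return scan_urls(CONSTRUCTED_URLS) + scan_datausage(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.source}] {f.value}  <- matched IOC {f.indicator}")
```

Two details matter for a real investigation and are reflected here: domain matching must respect label boundaries so that a lookalike such as mirror-static.example.org is not reported as a hit on mirror-static.example, and a process-name hit is far more meaningful when paired with evidence that the process moved data. A real check also runs over many more artefacts (crash logs, installed profiles, SMS attachments) and uses indicator lists published by the researchers who analysed the spyware, which is why the expert, not the script, is the important part.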