Date: 2020-05-14

If you have come this far, you may have been looking for a tutorial or guide on how to spy on an Android mobile. Well, we are sorry to say that you will not find it here, but you will see how these tools work, how much they cost and, of course, what can happen to you in legal terms.

We have researched and tested different alternatives to see if they are real and meet expectations, and the truth is that … yes. The software exists, works, and is available to anyone who is willing to pay for it. But of course, we have also spoken with a lawyer specialized in Criminal Law who has made it quite clear to us that we can go to jail for up to four years for using it. So it might not be a very good idea. But let’s not get ahead of ourselves; let’s start at the beginning.

At Xataka Android we do not encourage or promote the use of this type of tool. For journalistic and informational reasons, we wanted to reflect on how these applications work and what can be achieved, highlighting, above all, the legal consequences.

Spy on an Android mobile, so we have

A simple Google search is enough to discover countless programs that promise to spy on Android phones. It is curious, in fact, that the vast majority of companies that offer them have a well-kept website, with very innocent-sounding messages implying that it is normal to want to use their software. For example, some companies say it is parental control software, used to find out where your children are and “have peace of mind”, or to monitor employees who may put your company at risk.

That said, none of them takes responsibility for how you use it. They provide you with the tools; how you use them depends solely and exclusively on you. Some of the applications make it clear in their legal terms that you can only use the software on a personal mobile phone or one that you own, that you must have the explicit written permission of the user being monitored, and that you know you must comply with the laws of your country. All of this to end with “you assume full responsibility for installing and using this software” and that “the company, seller or distributor is not responsible for any legal violation or consequence of using it”.

“Some reasons for spying on someone could be that parents need to protect their children from cyber threats, the couple who wants to see if their spouse cheats on them, or the business owner who wants to check employee loyalty and see if they are filtering important commercial agreements or not” - Arguments of one of the websites that offer spyware.

And how do they work? There is not much mystery to it, but they do have the slight drawback that you must, no matter what, have access to the victim’s mobile. That is, you must have in your possession the mobile you want to spy on. In fact, it is striking how simple and fast the configuration process is: just a couple of minutes if you are moderately agile and know what you are doing.

All the services have in common that you must install an APK file on the victim’s mobile.

All these services have two components: a client on the mobile and an online control panel. In order for the tool to work, the company provides you with an APK file that you must install on the mobile you want to spy on. When you do, this software monitors all the activity of the device and allows you to check its status remotely through the control panel. Obviously, the mobile must always be connected to the Internet.

The first thing spy tools ask you to do is disable Google Play Protect

When you install an APK file like this, Google Play Protect detects that it is a malicious file whose behavior resembles, if it is not the same as, that of a Trojan on a PC. After all, it has built-in functions like a keylogger (to track keystrokes), location access, etc. Therefore, the first thing they ask you to do before installing the APK is to deactivate Play Protect, since otherwise the mobile would detect certain suspicious activity and warn the user or, directly, uninstall the application at any moment.

The first thing that the applications ask us is that we deactivate Google Play Protect to prevent the device from detecting the malicious application.

Also, once you disable Play Protect, you have to grant the application every permission there is: location, SMS and MMS, calls, contacts, recording audio, taking photos and videos, access to photos, multimedia content and files, and calendar. You must also deactivate battery optimization (so that Android does not close it when it is in the background), activate the accessibility permissions (so that the app does not stop if the mobile is restarted, for example) and activate it as a device administrator (to prevent the phone from locking or to enable remote file deletion).

The configuration process can change from one application to another, but all require that you give them all possible permissions, that you configure it as a device administrator, etc.

Once you have opened all the doors of the mobile, the application shows a button to hide its icon from the app drawer and start monitoring. And do not think that it is easy to find it in Settings > Applications; nothing could be further from reality. The application camouflages itself with a technical name like “Sync Services”, “System Service” and the like. If Android were to notify the user that “Sync Services is accessing your location”, they would probably think that it is something belonging to the mobile and that it does not deserve more attention.
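Seen from the defender's side, the setup steps described above leave a recognisable footprint on the device. The following is an added example, not code from the article or from any of the products it tested: a small scorer that flags apps combining those traits in a device inventory. The record layout, package names, trusted-installer list and threshold are assumptions, and the sample inventory is constructed.

```python
import re

# Android permission names for the groups the article lists.
SENSITIVE = {"android.permission." + p for p in (
    "ACCESS_FINE_LOCATION", "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS",
    "RECORD_AUDIO", "CAMERA", "READ_EXTERNAL_STORAGE", "READ_CALENDAR")}
# Camouflage labels of the kind the article quotes.
GENERIC_LABEL = re.compile(r"\b(sync|system)\s+services?\b", re.IGNORECASE)
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play

def indicators(app, device):
    """List the traits described in the article that one app record shows."""
    # The setting is a colon-separated list of "package/class" component names.
    a11y = {c.split("/")[0] for c in device["accessibility"].split(":") if c}
    checks = [
        ("sideloaded", app["installer"] not in TRUSTED_INSTALLERS),
        ("broad permissions", len(SENSITIVE & set(app["granted"])) >= 5),
        ("accessibility service", app["package"] in a11y),
        ("device administrator", app["package"] in device["admins"]),
        ("battery optimisation exempt", app["package"] in device["battery_exempt"]),
        ("hidden launcher icon", not app["launcher_icon"]),
        ("system-like label", bool(GENERIC_LABEL.search(app["label"]))),
    ]
    return [name for name, hit in checks if hit]

def audit(device, threshold=4):
    """Return {package: [indicators]} for apps with >= threshold indicators."""
    report = {}
    for app in device["apps"]:
        hits = indicators(app, device)
        if len(hits) >= threshold:
            report[app["package"]] = hits
    if report and not device["play_protect"]:
        report["<device>"] = ["Play Protect disabled"]
    return report

# Constructed sample inventory; package names are hypothetical.
SAMPLE = {
    "play_protect": False,
    "accessibility": "com.example.syncsvc/.Watcher:com.example.reader/.Tts",
    "admins": {"com.example.syncsvc"}, "battery_exempt": {"com.example.syncsvc"},
    "apps": [
        {"package": "com.example.syncsvc", "label": "Sync Services",
         "installer": None, "launcher_icon": False, "granted": sorted(SENSITIVE)},
        {"package": "com.example.reader", "label": "Reader",
         "installer": "com.android.vending", "launcher_icon": True,
         "granted": ["android.permission.RECORD_AUDIO"]},
    ],
}
```

No single trait is conclusive, since legitimate apps also use accessibility services or device administration; it is the combination that the threshold looks for.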

And it works, of course it works. After all, you’ve disabled all of your mobile’s security measures, so it’s literally at your mercy. Right here below you can see how we have managed to access the GPS location in real time from a test mobile with software that, by the way, is free.

With the software we can see the location of our victim in real time. The address has been blurred for privacy reasons.

This other software that you have here below allows you to take a photo with the internal camera every time the victim unlocks the device and to access the screenshots that the user has taken. If you click on a photo you can download it to the computer and even see the exact geographical coordinates. This one, for example, was taken when I unlocked the phone to see if the app was properly configured. You can also see how it has recorded the screenshots I have taken.

In the image above you can see how the application has taken a photo of me without my knowing it when I unlocked the screen. The image below shows the record of screenshots that have been taken from the mobile.

It is not the only thing you can do. In other software, you can activate the camera and take live photos, record ambient sound, check the messages received (WhatsApp, Telegram, Line or the app you want) through the notification log and the messages sent through a keylogger, access the gallery, view the call history, browsing history … You can access everything, absolutely everything, as long as you are willing to pay.

These programs are not exactly cheap. There is high demand, so companies are not shy about setting fairly high prices. We are not going to name the companies, but in the following table you can see the price ranges of all those we have investigated:

PRICES

SERVICE 1: Standard, $21.99 a month; Premium, $25.9 per month; Gold, $30.99 a month

SERVICE 2: Basic, $29.99 a month; Premium, $35.99 per month

SERVICE 3: Basic, 26.99 euros per month; Premium, 59.99 euros per month; Family package, 52.82 euros per month

SERVICE 4: Premium, $68 a month; Extreme, $199 every three months

SERVICE 5: Personal, $29.95 a month; Family, $49.95 a month

SERVICE 6: $7.90 a month

SERVICE 7: Premium, $29.99 a month; Ultimate, $39.99 a month

Some services offer discounts if you buy an annual subscription or month packages. Base prices are shown here.

The myths of mobile hacking

We see that it is completely possible to spy on an Android mobile (some software also works on iOS using company certificates of dubious origin), although it is clear that, in one way or another, it is necessary to have physical access to the terminal. This does not mean that it is not possible to hack a device remotely through phishing attacks, for example.

These types of attacks do not require the user to install an app, but rather to fall into a trap. The most famous case was Celebgate, when hundreds and hundreds of celebrity photos were leaked after a hacker accessed their iCloud accounts. How did he do it? He sent an email pretending to be Apple and requesting that they log in to their accounts. He created a fake website, those affected entered their credentials on it and voilà, the hacker obtained the usernames and passwords. The rest, as they say, is history.

Some “hackers” offer their services on milanuncios, ranging from hacking a mobile phone to clearing traffic tickets. They usually ask you to contact by WhatsApp.

There are several people who advertise through sites such as Milanuncios and promise to hack a mobile remotely. Well, this, and anything else you want, such as removing DGT fines, getting hold of competitive public exams, hacking gambling sites and casinos … We called a few to see what they were capable of, but when they picked up the phone they just stayed on the line listening to us and saying nothing.

Be that as it may, what is clear is that using these kinds of tools is not a good idea. Beyond being unethical and morally questionable, if the person you are spying on catches you (because they see high battery consumption or data from a service they do not know and become suspicious, for example), they can file a complaint and send you to jail.

And what can happen to you legally?

Although the services are advertised as a parental control system, a way to be sure that your family is fine, and other respectable-sounding arguments, it is evident that using the software without the other person’s consent is not legal. Note that we say use, not install: installing the application is one thing, and using it to access personal data fraudulently is another.

It doesn’t matter if it is your wife, your husband, your son, your daughter or a distant cousin: if the person discovers that you have been accessing their information without their consent and files a complaint, you risk going to jail. It will depend on the judge, the context and how it is interpreted, but the law is the law.

And what does the law say? To overcome doubts we have spoken with Federico González Barrera, researcher at the Department of Criminal Law at the University of Granada and a lawyer specialized in Criminal Law. As he tells us, “the possibility of obtaining personal data from a mobile application is a very interesting question that led to the reform of the Penal Code as of LO 1/2015”.

If information is extracted without the consent of the owner, the penalty could be imprisonment for 1-4 years and a fine of 12-24 months

With this reform “article 197 was modified”, adding four new articles “that are intended to guarantee the applicability of the ius puniendi [literally translated as “right to punish”] before new legal-criminal phenomena such as the use of new technologies to steal personal data”.

According to what he tells us, “article 197.1 regulates the basic and historical penal type, that is, the one that punishes the subject who seizes secrets that violate the privacy of another, without the consent of the passive subject [the victim]”. This may include emails, messages, files … If done without the consent of the owner, it “would give rise to the applicability of this provision, whose penalties are prison of 1-4 years and a fine of 12-24 months”. This would be aggravated if, for example, these images were transferred to third parties, under article 197.3 CP.

Regarding the case at hand, “I think we should go to the novel articles 197 bis and ter, which incorporate so-called hacking crimes, the crime of interception of automated data transmissions and new criminal forms of use of computer instruments for the commission of crimes under art. 197.1 and 2 CP.”

The first of them (197.bis.1) “typifies the crime of access to information systems”. Through this new modality, the lawyer continues, “the fact that a hacker allows any third party access to computer data or information systems is punished.” This crime is known as a “computer intrusion crime”.

“I think article 197 ter is the most accurate to answer the question you ask me,” continues González. “This precept has typified the preparatory forms of participation in the crimes provided for in article 197.1 and 2 CP” and for this criminal modality to take place “it is necessary that there be a prior phase of the crime, that is, that there be an active subject (author) who sets out, before the commission of the crime stipulated in article 197 (to obtain data, images … with or without the consent of the author), to facilitate the commission of these crimes to third parties from the creation of a computer program [such as an app] or an access code that allows access to all or part of an information system.”

Companies wash their hands of how the user uses the software. It’s like accusing a knife maker of murder

But of course, we are talking about programs that, at least outwardly, are sold as parental control software and whose makers are not responsible for how the user uses them. Understand it this way: a gun maker is not guilty of someone using his guns to kill, any more than a knife maker is. It would be another matter if the application were advertised as software for spying and for committing the acts we have seen are possible (and some are); then things would change.

“Article 197 punishes with a penalty of six months to two years in prison that subject who creates an app that facilitates access to information systems (be it a computer, mobile phone, tablets …) and that, in addition, said app allows the subtraction (with the consent or without the consent of the victim) of personal data that are protected by article 18.3 of the Spanish Constitution.” For example, if a programmer friend develops an application for you to spy on your partner, he would commit a crime punishable by between six months and two years in prison and you, for using it, by between one and four years in prison and a fine of between 12 and 24 months.