Intrusion technologies are capable of collecting, modifying and extracting all data communicated and stored on a device. To do this, malware (short for malicious software) must be installed on the device. Installation occurs when the user inadvertently opens a trojan, which is a disguised or concealed programme. Web browser vulnerabilities can also be exploited to run the trojan. Once installed, the trojan embeds itself in all system functions, collecting and transmitting data to its operator while the infected device appears to operate normally from the user's perspective. This data can include a real-time recording of the user's screen; live audio and video feeds from the device's camera or microphone; and communications sent from the device. Even passwords for services can be collected. Because of this staggering monitoring capability, intrusion technologies are eagerly sought after, bought and used by repressive regimes worldwide against their citizens.

The end goal of all intrusion technologies is the same: to install a trojan on a user's device. In its most overt form, an executable file is attached to an email and sent to the individual who is to be monitored. This executable file can be disguised as an image, Word document or PDF, formats that users open regularly. The approach relies on the confidence the user has in the legitimacy of these formats, and opening the file leads to the installation of a trojan on their device. Alternatively, code can be embedded in the attached file that exploits an unreported vulnerability and allows for the installation of the trojan.
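The disguise described above can be caught on the receiving side by comparing what an attachment claims to be with what its first bytes say it is. The following is an added example, not part of the original article; the function name `triage_attachment`, the extension lists and the sample attachments are assumptions constructed for illustration.

```python
import os

# Leading bytes ("magic numbers") of native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "Linux ELF executable",
    b"\xcf\xfa\xed\xfe": "macOS Mach-O executable (64-bit)",
}
# Leading bytes expected for the formats an attachment may claim to be.
DOCUMENT_MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",                       # ZIP container
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container
}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def triage_attachment(filename, content):
    """Return a list of findings for one attachment; empty means no mismatch."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    # 1. Document-style name that actually ends in an executable extension.
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_MAGIC:
        findings.append(f"document-style name with executable extension {ext}")
    # 2. Content is a native executable whatever the name says.
    for magic, label in EXECUTABLE_MAGIC.items():
        if content.startswith(magic) and ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"{label} behind a {ext or 'missing'} extension")
    # 3. Content does not match the format the extension claims.
    expected = DOCUMENT_MAGIC.get(ext)
    if expected and not content.startswith(expected):
        findings.append(f"content does not start with a {ext} signature")
    return findings


# Constructed sample attachments: header bytes only, not real files.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "minutes.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage_attachment(name, data) or "no mismatch")
```

This check only covers the overt case of an executable posing as a document. A genuine PDF or Word file carrying embedded exploit code, the alternative the paragraph mentions, has the correct signature and passes it.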

Intrusion technologies can be deployed on the network level. Products offered by UK-based Gamma International have the capability of being deployed on countrywide Internet Service Provider (ISP) networks or public Wi-Fi hotspots. Devices connecting to this network are sent notifications that software, such as Apple’s iTunes or Adobe Acrobat, requires updating. These updates contain a trojan that is then installed on the device. The infection infrastructure can also route traffic to official websites that appear legitimate and infect downloaded files with intrusion technology.

Intrusion technology can be delivered to mobile phones through trojans disguised as a variety of applications. Trojans have been designed for the Android, iOS, BlackBerry, Windows Mobile and Symbian mobile platforms. This intrusive tool may exist within an application that appears to function normally.

The malicious file begins to install itself once it is delivered to and opened on the device. A detailed analysis by the Citizen Lab provides insight into how a common intrusion technology, Gamma International’s FinSpy, installs itself. The trojan first creates a directory (a structured list of device folders and files) and then copies itself to this directory. From there, it begins infecting system processes using a technique called "process hollowing". Common device processes like logging on and entering a password are temporarily suspended and replaced by malicious code. Embedding malicious files across the device makes detection extremely difficult.

Worldwide, activists are routinely targeted by intrusion technologies. In the case of Dr. Ala’a Shehabi, a British-born Bahraini pro-democracy activist, installation on her device was narrowly avoided. In another case, Tadesse Kersmo, an Ethiopian political refugee living in Britain, was subject to covert surveillance by a computer-based intrusion technology that remained undetected until identified by Privacy International and a Citizen Lab research fellow.

After installation, the trojan collects data across the device and stores it locally, often encrypting the information to evade detection. Any information contained, viewed, or transferred by the device may be subject to collection. Intrusion technologies can monitor Skype communications, telephone calls, email, chat, the exact device location, webcams and microphones, and every password entered on the device. Intrusion technologies can also remotely switch on recording devices such as webcams or microphones and record the user without their knowledge. Collected information is then silently transferred through international networks of servers to the operator of the intrusion technology.

The majority of intrusion technologies require an action by the user to install the trojan. Maintaining updated software, making sure that links and updates being sent to your device are legitimate, ignoring updates that seem suspicious and not downloading files from unknown sources will lower your chance of being infected with intrusion technology. Extreme caution should be exercised when downloading files or updating software over a Wi-Fi hotspot. These precautions will merely lower your chances of being infected by intrusion technology. If you are a target and the entity targeting you is operating intrusion technology, there is little that can be done to protect you. It is for this reason that greater control should be exerted on the proliferation of such intrusive tools to regimes that would use them unlawfully to target activists, journalists and political opponents.