The dangers hiding on our smartphones
CTO Matt Boddy chats with Neil C Hughes on his fantastic Tech Talks Daily podcast.
[00:00:01.200] – Neil
Welcome to the Tech Talks Daily podcast, where you can learn and be inspired by real world examples of how technology is transforming businesses and reshaping industries in a language everyone can understand. Is your host, Neil C. Hughes. Welcome back to the Tech Talk Daily podcast. In nearly 1400 episodes. I thought we had covered just about every aspect of technology and the positive and negative impacts that it can have on our world. But after reading about the dangers that could be hiding on our smartphones and the impact it could have on businesses, I felt compelled to find out more.
But once I went down that rabbit hole, I learned how it’s not always criminals, but abusive partners that could also be tracking their present or ex-partners every single move by installing stalkerware onto a phone.
And Apple fans, if you think that you’re safe. We’re also going to explore how, even in the perceived safed walled garden of Apple’s ecosystem, the same threats are there. So today I want to explore what threats businesses face on their mobile devices, why 61 percent of businesses say they have no employee mobile protection whatsoever, and also the personal risk that we have on our personal devices. So I’ve invited Matt Boddy from traced onto the podcast. Matt is an ex MoD penetration tester turned mobile security specialist, and he has reversed engineered hundreds of samples of mobile malware and has reviewed the techniques used by cyber crooks to steal data or money from their targets.
So with all that information and knowledge, he’s now helped craft an A.I. based system to help thwart mobile malware and also want to find out more about what is exciting and intriguing backstory.
So buckle up and hold on tight so I can be more ears all the way to Oxfordshire in the UK so we can speak with Matt Boddy from Traced.
So a massive warm welcome to the show. Matt, can you tell the listeners who you are and what you do?
[00:02:16.350] – Matt
Thank you so much for having me on. Now it’s great to be here. So I’m the CTO at a company called Traced that we’ve relatively recently founded. I previously worked for the Ministry of Defense and Sophos, where I have such career highlights or maybe lowlights as dressing up as an elf for Christmas, which is online and will live with me forever. But now at Traced, we help the likes of consumers battle stalker on their devices, which is a really, really nasty threat for a lot of people.
And it’s so much easier than you think to get this this stuff on your device. And we also help protect business mobiles from from compromises as well. So it’s kind of a two pronged attack there. Yeah. So that’s a very high level view about me.
[00:03:06.750] – Neil
Well, I’ve got to backup for a moment now. You say used to work for the Ministry of Defence. Can you first of all, just tell me you’re not going to kill me at the end of this post?
[00:03:16.230] – Matt
Absolutely not, no, I was very much office based, I was a penetration tester. So I was largely just sat on my bum like I did for most of my career. And I’m testing devices that I could get into or couldn’t get into devices. So it was primarily around just cybersecurity. So I’ve been in cybersecurity for a little while and and I’ve just been nothing too elaborate there that I can say much more than that, I’m afraid.
[00:03:46.120] – Neil
No problem. Now, of course, most people are working from home and working from home at scale now and people are on their mobile phones be it their business device or their personal device from the moment they open their eyes and try and remove some of those spammy emails before they begin their day until the last thing that they do before they go to bed at night. So just to set the scene, what kind of threats are businesses facing on their mobile devices right now?
[00:04:14.040] – Matt
Yeah, it’s a lot bigger than you’d think, because mobile devices, I’ve always I’ve always considered them to be considerably more safe than my Windows device. And you know, maybe five, five or six years ago, if I were to receive a spammy or dodgy email, I would have been much more happy to open it on my Android device than I would have been to do so on my my Windows device or iPhone even.
But actually, there’s been a lot more of these emerging threats rearing their head recently and showing us that it’s not just the Windows or Mac devices that we need to be worry about, worried about. Things like Pegasus that affected the likes of Jeff Bezos. There’s a there’s a BBC News article about Faustin Rukundo who was affected by Pegasus in an attempt to oppress popular opinion, but there’s lots of mobile threats out there affecting lots of people.
And when you think about it, your mobile device is carrying a lot of data all about you – it’s a little window into your life, it’s a very different threat than your Windows device would be or your Mac or your PC or laptop, or whatever it happens to be running, whether it’s Linux, Mac, Windows. Your mobile device is going to affect you in a very different way because the data that’s residing on that device is very different.
So if we take a Windows device, for instance, a business device, you’re likely to have some word documents which contain some sensitive information on there. So that’s what you’re trying to protect and that’s what ransomware goes after, for instance. It goes after those important documents that if you lose them, it would take you quite a few days to recover them. Or let’s say when the NHS was hit with ransomware, a lot of their equipment was out of action because it was networked and it was it was running some sort of Windows device backend. And that meant that when the files on that device were encrypted, it was completely disabled from being usable.
Now, on your mobile device, what you’re carrying is far, far more than that. You’re carrying your location at all times. You’re carrying that device with you in your pocket, so it knows where you’re going, it knows your pattern of life. And we’re just starting to see the effects of things like location starting to to work through – of sharing your location with apps. There’s a Netflix film called The Social Dilemma, which talks all about the kinds of information you’re sharing with Facebook willingly and what they’ve managed to do with that.
Now, there’s other things that you’re sharing with your mobile. There’s pictures, there’s your camera, that are accessed all the time. They give a 360 view of everything that’s around you. There’s your microphone. So the microphone that’s on your device is extremely powerful. It can pick up everything that’s being said within its vicinity. So, for instance, for a business, if you’re sat in a meeting room with your phone in your pocket, you’ve got a microphone that’s able to listen to absolutely everything that’s going on in that meeting.
And that’s in every in every business. There is some sensitive information being discussed in meeting rooms. My mum works at a school and she would talk about sensitive information about children constantly. And she and all of her colleagues will have their phones in their pockets. And how do they know that those devices aren’t compromised? How do they know that those devices aren’t listening to everything they’re saying?
Now, Verizon did a really good security report recently on mobile devices where they found that 72 percent of all employees use public Wi-Fi. And NetMotion data showed that the average mobile device connects to two to three insecure Wi-Fi hotspots every single day.
So these these devices that we’ve got on us all the time, we are scratching the surface right now on the kind of threats that are out there for mobile devices. There’s so much information that we’re carrying around in our pocket, more than we’ve ever carried before. And the threats are just starting to emerge. And there’s a lot of them. The scariest of which (and there’s not really a good enough solution to deal with that) is stalkerware.
Now, stalkerware is something that can be really easily downloaded and installed on a device. It can be used against Apple devices, iPhones. It can be used against Android devices. I spoke to somebody the other day that has been affected by stalkerware and she had an abusive partner. And this partner just started to track her every movement, everything she was doing.
And she didn’t understand how on earth this partner was able to get such a glimpse into her life, into everything she was doing. He knew where she was at all times. Absolutely everything she was doing. And suddenly these messages started to pop up to her friends and colleagues and she wondered how on earth these messages were being sent to her colleagues. These abusive messages were being sent to her work colleagues when she had fallen out with her partner. It almost got her fired from her job.
I spoke to another person as well that said that she was looking at her phone and suddenly these messages started to appear in the text screen – just in the free text field within within a texting app – messages started to populate. And this was on an iPhone and they were wondering how on earth their partner was messaging them directly there to let them know that they had full control over everything they were doing. And it’s this stuff called stalkerware that’s enabling them to do it. And it’s really intrusive, really invasive stuff.
One of these people that I spoke to said that she’s been physically abused before in a relationship but never quite experienced something like the intrusiveness of this software that was able to to track everything that was going on in her life. And that’s something that we really wanted to put a stop to with Traced. Basically, we really want to do what we can to help victims of this and stop this from affecting their lives in such a way.
[00:10:34.590] – Neil
And I’m so glad you’ve raised that now and especially that you mentioned the iPhone as well, because I think a lot of people will automatically assume that the walled garden of Apple is a safe place to play and they cannot be harmed by much of what you’ve just described, which, of course, is completely untrue. And I think for the most part, most people are blissfully unaware of the dangers. And I also read Snowdon’s book recently, Permanent Record, and to highlight the points that you were making that he said, would you sooner have somebody in your home for two hours unsupervised or 10 minutes with your phone?
And I think that highlights it perfectly too. But I’m curious, though, bearing in mind everything that you’ve just told me, why is it you think that 61 percent of businesses still say that they have no employee mobile protection whatsoever, especially when they’re dealing with, like you said, sensitive corporate data?
[00:11:26.050] – Matt
Absolutely. It’s because it’s difficult. I think it’s really difficult to actually to protect your mobile devices. There’s a lot out there. There’s a lot of software out there that claims to do it. And and a lot of it does do it. But it’s fiddly, like I’ve recently used one of the most popular enterprise mobility management solutions to protect some devices. And it’s really hard to do. You don’t get visibility as to whether you’ve protected a threat on that device. You may know whether the device’s software is out of date, which is a good first step. But it’s not like on Windows or on Mac, where you’ve got a very established field of antivirus software. You know that when you get a Windows device, one of the first things you should do is put some antivirus on it or use Windows Defender, if you like.
Just making sure that it’s scanning for malware and stopping viruses whenever it can, is a good practice. We don’t have that default set up, good practice on mobile devices and the best thing that people can do. So it used to be what was called mobile device management, but is now commonly known as enterprise mobility management. I’ve set one of these suites up recently to protect devices, and it is immensely complicated to actually get right and know that it’s working on mobile devices and this is partly because of this walled garden that we’re living in where you can’t see anything that’s outside of your app by default.
And that’s really good security practice, but it gives business a lack of visibility on those mobile devices. So as a business, it’s really difficult to see what apps are installed and know whether they’re malicious or not.
Now, mobile threat defense is trying to take all of the apps that are on your devices… (Now, admittedly, it can only do this on Android because it’s a slightly less stringent walled garden that Android has got at the moment.) They let you access the mobile, the apps that are installed on the device. And that means that, for instance, at Traced we’re able to use a deep learning engine to detect whether those apps are malicious or not. So basically, it’s really difficult for businesses to actually protect their devices properly. It’s intrusive. Employees don’t like the fact that the IT department may have access to their location at all times.
I know with the stalkerware example, for instance, it may be that somebody in the IT department will have a little bit too much privilege over the user’s device and they could click a button to be able to get that location back of that device at any time. So it may be that the user doesn’t want to install that for a totally understandable reason. Now we in the IT industry, I think we sometimes overlook the needs and the wants of the user and think that they’re just being muppets when they don’t install something on their device. But actually, there may be a completely legitimate reason for it. They don’t want to be overlooked entirely. They don’t want their location to be accessible at 9:00 p.m. on a Friday or Saturday night instead of just nine to five Monday to Friday. So it’s because of this kind of intrusive nature of what we’ve got out there at the moment, it may be not quite enough for people right now.
And I think as well, the other issue is that the pendulum kind of swings to the lowest hanging fruit. So ransomware being the biggest threat that we’re facing right now in the world, that’s where the pendulum is at at the moment. Because it’s a well-established piece of malware that does really affect businesses when it hits.
But these emerging threats that are coming through tend to be looking and focusing way more towards mobile. There are a lot more threats that are coming through which are also attacking the mobile device.
And it means that in the IT departments of the world, we need to be one step ahead of these attackers. And when this pendulum starts to swing from Windows and Mac devices across to our mobile devices, we need to be ready to catch them and stop them where they stand.
[00:15:35.120] – Neil
And when you say we need to be one step ahead, am I right in saying that it’s not just about detecting apps like that stalkerware that you mentioned a few moments ago? It’s much bigger than that, isn’t it?
[00:15:46.190] – Matt
It’s really difficult on a mobile device to get the visibility you need. So in a previous company I worked for, they had an MTD suite and it didn’t actually pass back the information of malicious apps. MTD stands for Mobile Threat Defense by the way, that mobile threat defense suite didn’t pass back the information about those malicious apps that it was detecting to the management team or to the IT team, meaning that apps could be being blocked on those devices, but there was no visibility over what apps were blocked, how those apps got on there, are they persistently reinstalling themselves constantly, somehow? What’s happening?
And with no oversight like that, it’s really difficult to stop these things from happening in future. So just detecting these apps isn’t enough, and not having the visibility isn’t enough either. So what needs to happen and what we’ve done here at Traced is we’ve created a method of seeing when events occur on a device. So, for instance, when your camera’s accessed, when your microphone is accessed, when an app is installed, how it got installed – all of that information allows us to bring context around the events that occur on the device to get them to stop so that they won’t happen again in future.
[00:17:05.860] – Neil
So can you also tell me a little bit more about how you’re tackling all those problems that we’ve just talked about with Traced and what makes the Traced solution different from all the others out there?
[00:17:15.060] – Matt
Okay, yeah. So the way in which we’ve we’ve designed this is patent pending. So we’ve got that those events that we’re detecting, we’ve tried to secure some intellectual property around it because we’re still quite a small team right now. But what we do is we alert the users of Traced to high risk apps, high risk activity on the device, which is crucial because knowing that your microphone was accessed at 3:00 in the morning whilst your phone was sat on the side is important to knowing the kind of capability that an attack has got on your device.
So that’s one of the crucial parts of Traced, especially when it comes to the likes of stalkerware, for instance, where you need to know how much is my life being violated at the moment by this malware or this threat that’s on my device?.
So then once we’ve given you that information, we provide you with a path to remediate that. And that’s something we’re working on at the moment. Right now we provide a few options: you can uninstall the app. You can change the permissions to stop it having access to your camera, your microphone, etc. You can kill the background processes of that to try and stop it from running there on that device.
Now, that is the first step that we’re taking. We’re trying to intuitively make this simple for people so that anybody can make these decisions. But it’s difficult to get there. The user interface work is not easy.
[00:18:43.180] – Neil
And what about the role of machine learning and why is that so important in detecting suspicious apps?
[00:18:49.660] – Matt
Yes. So machine learning is really, really good at learning from the past. What we’re doing is we’re using a deep learning neural network to learn from the past to basically catch the future malware.
And this isn’t a silver bullet that it’s going to be able to tackle and catch absolutely everything out there. And we’re not pretending that it is. Which is why there’s multiple layers that we’re putting in place on the device. But what it does do is it provides a better method than signatures that a lot of antivirus companies still use on mobile devices to catch threats, which means that they’ll just detect the threats that they know about. So a threat which they have seen, they will catch that particular threat.
Now, machine learning the way in which it works is we’re using a neural network, which basically is called a neural network, because it is based around the way in which your brain works. So if your brain has seen thousands of people before or tens of thousands of people before and met them, known them, got to know those types of people, you get to know what kind of characters, you get to judge characters, and what characters you’d like to socialize with and the types of people that you’d like to be your friends.
And that’s how machine learning works. It looks at thousands of examples of something that you’ve seen before and then it gets to judge what looks like previously known malware, what looks like previously known goodware, and then it judges and puts things into those buckets of good or bad. So that’s how we’re using deep learning neural networks right now on mobile devices. But it’s going to filter into every section of what we’re doing, machine learning, because using these methodologies, it means that you can really judge things for the very first time as if you’ve seen them thousands of times before.
It’s like you’ve got your own data analyst or your own malware analyst sat on your device looking at every single thing that’s coming through and pointing out the bad looking ones, the things that look like malware based on thousands of pieces of malware that it’s analyzed in the past. The same is going to go for events as well.
[00:21:03.550] – Neil
And something I always try and do on this daily podcast is find a little bit more about the guest and where their passion for tack on wanting to make a difference with technology came from. And you did mention when you first came on that you do have an intriguing back story. So can you tell me a little bit more about your time as an MoD penetration tester turned mobile security specialist and how you reverse engineered hundreds of samples of mobile malware reviewing the techniques that were often used by cyber crooks to steal data or money from their targets because it feels like there’s a big story there.
Yes, so the Ministry of Defense, I can’t really talk about my work there, but I can talk about my work at Sophos, which which is quite interesting, the way in which I was looking into emerging threats, things that were coming out. I was looking into the likes of threats that most Windows and Linux devices faced on a daily basis. So how many times, if you’ve got a Windows device sat there, are getting you logged into, for instance, is what I looked into and the research is published all over. Well, it was published on Sophos’s website. The most recent stuff that I did is on Sophos.com/RDP.
And we did that that research just before BlueKeep came out. And it was really interesting to see that something that we were looking into, this emerging threat that we were looking into suddenly became the weapon of choice for ransomware. Ransomware was getting into businesses just by using RDP.
Now, I can’t talk too much about the other research I did prior about mobile devices and whatnot. But actually, when you look at mobile devices in the way that they work, it’s clear that that is the next emerging threat. We’re just touching the tip of the iceberg with with mobile threats right now, with the likes of The Social Dilemma and whatnot. We are understanding the very, very high level threat that is going to be affecting us.
I’m sure that in five years time will look back on 2020 and think, wow, that was going on. We’ll think, wow, all of these threats, that machine learning is missing, the signature engines are missing even more so. All of these things that are going on, that are going to be completely unknown about until five years from now when some very clever researcher finds out about these particular things, the same as the way that Pegasus has come out of the bag recently – where we’ve seen that Pegasus is this is this really intrusive malware that has access to your camera and microphone at all times. And it’s been used to actually infect journalists’ devices. And by infecting journalists devices, it’s actually suppressed quite a lot of people. It was also used in, I believe it was used in China as well to suppress an entire population of people over there, to stop them from having a voice and to spy on them everywhere that they were going. So there’s these terrifying threats that are out there right now.
And it’s something that we really want to do something about. So at Traced having this kind of two armed approach, we’re not charging consumers anything for Traced on their devices, we want to give people protection for free, for their for their devices. We don’t think it’s a privilege to have mobile security as an individual. And we’re just trying to charge businesses and we’re trying to do this in a new way where we don’t charge an absolute arm and a leg for for it as well, because we’re not going to put into place initially these big sales processes. We’re just going to have transparent pricing on our website to say it costs X amount per device per month or per year. And if you want it, just click, buy it. Now, if you want to try it, spin up a trial that would just spin you up an instance on AWS immediately.
So having having this, and I’ve gone off on a little bit of a tangent here, but having this two pronged approach is really helping us, helping us to to help others, I think just by funding it through the businesses and actually having that ability to protect people from these emerging threats as a free service.
[00:25:37.690] – Neil
And for anyone listening that would like to find out more about how Traced works, could you possibly just walk them through how easy it would be to to get them up and running and what would be waiting for them when they do open up that demo?
[00:25:50.260] – Matt
Yeah, absolutely. So we’re trying to keep this as simple as possible. And if you want to just try the app out, the consumer app, you can go to the Google Play store or go on the Apple App Store and search for us, search Traced, install it, just go through the onboarding and turn the service on and you’re done.
It’s really quite quick, very simple, very easy. And we’re trying to keep it as light as possible on the front end. So, you know if you’ve got a problem or not, but then there’s a lot of depth to it. So if you want if you are a malware analyst or just a really intrigued techie, you can find out information that you wouldn’t otherwise be able to find out about apps installed on your device.
And then if you’re a business and you’re wanting to try out our Control platform, you really want to take control of your business. You want to take control of your mobiles within your business, whether they’re bring your own device or whether they are corporately owned devices and you just want to protect them and manage the risk level of those devices, then we’ve got the Control platform where you can just go to our website, which is Traced.app and click spin up a 14 day trial so you can just try it out for free completely, and then you can just immediately start enrolling devices. It’s it’s that easy. It really is. We’re trying to keep it as simple as possible so that we don’t add to the confusion that’s already in the industry. So that’s how they can get their hands on it.
[00:27:26.320] – Neil
And it’s a fantastic journey you’ve been on, especially how you’ve learnt about the complex ways in which the sophisticated attack appear. And then you’ve created the simple solution to fix them. But I’m curious, what have been the biggest lessons that you’ve learnt throughout your career with your work?
[00:27:43.500] – Matt
Yeah, so for me, it’s the biggest lessons I’ve learned is that I really want to do something that I can feel proud of. And and the previous jobs I’ve found that I’ve got to the point where I’ve perhaps not been so proud of the work that I’m doing, not just dressing up as an elf for Christmas time and and spreading joy and cheer, but also the actual job itself. There’s a lot of ways you can just just go through the daily work and just help a business get very rich, which isn’t that rewarding. But what I really enjoy is if we could make an impact, if we can make a difference in some people’s lives, especially with this stalkerware that is really nasty, the way in which it intrudes in people’s lives is just is horrific.
So if we can make even the slightest bit of difference to these people affected by this, then then it will definitely make the journey worthwhile. So that’s one thing that I’ve definitely learned throughout my time in the industry, is just that sometimes it can feel quite unfulfilling. The work that you’re doing in IT security or in the IT industry sometimes. And what’s made it really fulfilling is being able to carve our own path and and really help people out with it I think.
[00:29:13.570] – Neil
And a beautiful moment to end on. But before I do let you go, could I just ask you remind everyone listening of where the can find Traced online and equally the best way of contacting your team, if we do have any businesses listening.
[00:29:24.940] – Matt
Absolutely. Yeah. So if you want to get in touch about about the commercial offering, then there’s firstname.lastname@example.org. You can just drop us an email and we’ll help you out through a trial. But realistically, the way that you do it is just going on to the websites. So go to traced.app and you can spin yourself up a trial. If you want to buy, you can buy it through the website. The pricing is there on the website so you can know about it immediately.
If you want to get in touch with me at all, I’m on Twitter at @infosecboddy. So, yeah, just just drop me a message. If you’ve got any suggestions about the app at all, if you think that there’s something we could do that could really help, just send in a message on Twitter. My direct messages are completely open for that. So I’d be really interested to hear everyone’s thoughts, what they like, most importantly what they dislike so that we can improve and make ourselves better. And then the Traced Twitter is @tracedapp. So yeah. Or drop us a message there. I’m on the end of that as well with everyone else. So it will all get funneled back to us somehow. Please do get in touch if you’re interested.
[00:30:31.850] – Neil
Well, I’ll add all those links just so people can find you nice and easily. I’ve loved with you today, especially hearing how you carved out your own path there to make a difference through technology. That’s one area that I think we share our passions with. But there’s also another as well, which is when we’ve walked away from this technology malarky and making a difference, maybe we can both meet up somewhere and just dress up as an elf at Christmas and spread a little cheer. Maybe we can do that, but thanks for joining me.
[00:31:00.950] – Matt
Sounds fantastic, I’d love to, thank you very much, Neil. It has been a pleasure being on here. And thank you for having me.
[00:31:07.700] – Neil
What a lovely guy Matt was there. And consider my eyes officially open to the dangers of stalkerware and all those other threats that could be hiding on our phones. And yes, even if you are under the illusion that Apple’s walled garden will keep you safe, it would appear that those threats can be on any device.
I also enjoyed learning how machine learning is being used to detect those suspicious apps, but also why detecting apps isn’t enough. And the problem is so much more than that. But if you have any experience with any of the topics that we talked about today and even if you’ve had a partner that has installed stalkerware onto your phone, I’d love to hear more about that. And I’d love to get you to share your experience on here to help others and let them know what they can be looking out for, too.
So, as always, my email address is my open door, which is a email@example.com. Each and every one of you are welcome to message me. You can also message me on LinkedIn, Twitter, Instagram. Just look for at Neil C Hughes. And it’s also a contact form on my website, techblogwriter.co.uk
Thank you to Matt for joining me today. What a great back story he had there as well. Love to find out more about his life as an MoD penetration tester but I’m not going to push that because, hey, I might have a nasty accident. But seriously, though, I’ll return again tomorrow with another guest who knows what subject we’ll tackle. I’ll leave that as a surprise. But a big thank you for listening and until next time don’t be a stranger.
Thank you for listening to the Tech Talks Daily podcast with Neil C Hughes. Remember, technology works best when it brings people together.