Spyware Developer Pleads GuiltyHow Case Could Set a Legal Precedent
The CEO of a Pakistani firm that developed a mobile spyware app called StealthGenie has pleaded guilty to U.S. charges of selling and advertising an illegal "interception device."
See Also: The Evolution of Email Security
Hammad Akbar, a Danish citizen, was arrested on Sept. 27 in Los Angeles (see: Feds Bust Mobile Spyware Maker). After accepting the guilty plea on Nov. 25, the court immediately sentenced Akbar to time served and ordered him to pay a $500,000 fine, according to the U.S. Department of Justice. He was also ordered to forfeit the source code for StealthGenie to the government.
"Akbar is the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim's confidential communications," says Andrew McCabe, FBI assistant director in charge. "This illegal spyware provides individuals with an option to track a person's every move without their knowledge. As technology evolves, the FBI will continue to evolve to protect consumers from those who sell illegal spyware."
The case against Akbar could be one step toward criminalizing the monitoring behavior that many, including law enforcement agencies, have recommended that parents use for their children, argues security and privacy expert Mark Rasch, a former federal prosecutor who created the computer crime unit at the Department of Justice.
Akbar was indicted under federal statute 18 USC 2512, "which makes it a crime to manufacture, distribute or even advertise software, hardware or another device if it is 'primarily useful' for the surreptitious interception of communications," Rasch says.
"We certainly could see more investigations and prosecutions," he says. "But worse, it means a company that makes software that, for example, is designed to monitor children's activities to keep kids safe, in a way that the children don't know the monitoring is going on - that's now a felony under this interpretation of the law."
The case could also have a chilling effect on potentially new and useful technologies to keep children safe, protect computer networks and prevent fraud and abuse, Rasch contends.
Dozens of "spyware" monitoring programs are on the market, threat intelligence firm iSight Partners says in a recent report. "While some of these apps are developed by underground actors, many are produced by apparently reputable companies and marketed to law enforcement agencies," the report notes.
And the FBI, in its Parent's Guide to Internet Safety, recommends parents "monitor your child's access to all types of live electronic communications - i.e., chat rooms, instant messages, Internet Relay Chat, etc. - and monitor your child's e-mail." While the bureau doesn't tell parents how to do that, it's difficult to monitor communications without using monitoring software.
Federal prosecutors say Akbar was the CEO of InvoCode and Cubitium, companies that advertised and sold StealthGenie online. The spyware could be installed on a variety of different mobile phones, including Apple's iPhone, Google's Android and Blackberry. Once installed, it could intercept all conversations and text messages sent using the phone, authorities say. The app was undetectable by most users and was advertised as being untraceable.
Akbar admitted that StealthGenie had numerous functions that allowed it to intercept both outgoing and incoming telephone calls, e-mail, text messages, voice mail and photographs from the smartphone which the spyware was installed, according to authorities. The app could also turn on the phone's microphone when it was not in use and record sounds and conversations that occurred near the phone. These functions could be enabled without the knowledge of the user of the phone, according to federal prosecutors.
The purchaser of the spyware needed to have temporary possession of the target phone in order to install the app, the Justice Department says. Once the app was activated, it was started as a hidden service and launched when the phone was powered on.
The StealthGenie website included a disclaimer that the software was only to be used ethically by "parents who wish to monitor their underage children or for employers who wish to monitor their employees with their written consent." The disclaimer added that InvoCode would not be held liable for any illegal use of its product.
But the Department of Justice alleged that InvoCode designed and sold its app for the purpose of spying on individuals without their consent.
In the indictment against Akbar, the prosecutors claimed jurisdiction over StealthGenie because InvoCode advertised and sold its app using server space leased from Amazon Web Services that's located in Ashburn, Va. After undercover FBI agents purchased an Android version of StealthGenie in December 2012, they also found that it was likewise using Amazon Web Services to store all intercepted data and communications.
On Sept. 26, a temporary restraining order authorized the FBI to temporarily disable the website hosting StealthGenie. The court later converted the order into a temporary injunction, and the website remains offline.
Akbar admitted to distributing an advertisement for StealthGenie through his website on Nov. 5, 2011, and to selling the app to the undercover FBI agent.