The ugly aspects of divorce are well known in Yaron Edan’s investigation firm. For years, couples fighting divorce battles have been hiring Edan to collect information about the opposition. But one case, a few weeks ago, was different. The man who came into the office was about to leave his partner, but he didn’t want Edan to uncover incriminating information about the woman. He already had the information. What he needed was someone to make it “kosher.”
“He came with WhatsApp messages from her phone and asked me to back up what he’d discovered in them with evidence,” says Edan, a former member of the intelligence community who also consults on security matters. “I told him that I didn’t want to see the material and asked him how he obtained it. Turns out he found espionage software on the internet and purchased a subscription, not for the swimming pool or the theater, but for phone tapping. For a monthly payment he acquired the right to bug any phone he chose. And I’m not talking about old-fashioned technology that requires physical access to the phone: I’m talking about remote insertion of a Trojan horse virus that can suck all the data from the device.”
Someone eavesdropping on his own partner? A marginal phenomenon, you might think. But what I discovered in conversations with private investigators is that this practice is becoming more and more common, with an increasing civilian use of spyware. Often, the “spies” are business rivals or employers snooping on their staff.
“We live in a totally insane reality,” says attorney Rami Tamam, who specializes in crisis management in cases of cyberattack. “Things that until not long ago only the state could do are suddenly commonplace via AliExpress. You can find them easily and cheaply, including on Hebrew-language sites. You see products that wipe out privacy completely.”
In the past, “if you wanted to put someone under surveillance,” says Tamam, formerly a senior investigator in Lahav 433, an Israel Police unit often compared to the FBI, “you had to attach a hidden GPS to the bottom of a car. It cost a fortune and could only be done by court authorization. Today anyone can buy the appropriate software for $20, and that’s the end of it. It’s a revolution.”
For his part, Avi Dor, a private eye who’s experienced in handling divorce cases, has also noticed that people are using spyware these days to monitor the whereabouts of their partners. “I get at least five phone calls like that a week,” Dor says. “Of course, I reject them all outright because it’s not legal. Most of the requests come when at least one of the partners has already decided to leave. In a divorce battle, everyone wants to collect intelligence ahead of the financial and custody-related issues, and the end justifies the means.”
Dor says he rebuffs such clients, but the truth is that if you want to tap your partner’s phone, you don’t need the middleman. Spy software and applications intended for monitoring phone calls are available to everyone on the web, just one call away, or even sold in stores.
One such business enterprise, called WorldShop, is located in the central Israeli city of Petah Tikva. On display in the show window is professional espionage equipment, a camera camouflaged as a watch and other sophisticated monitoring systems. In addition to the physical items, the store also offers a variety of spy-phone apps, software that can be used to undertake comprehensive surveillance of a cell-phone owner. A spy-phone app will report the target phone’s location, open its access to WhatsApp and SMS messages, enable conversations to be overheard, provide access to the photo gallery, and even photograph and record the physical space in which the phone is located, by operating its camera and microphone remotely.
I told the WorldShop salesman that I wanted to insert spy-phone software in my partner’s phone. He explained the product’s specifications (“It’s professional software that private detectives work with”), cited somewhat high costs compared to other available options on the web, and explained that for installation I’d have to bring the phone to the store, because, “At the moment there’s no remote-installation technology, they’re still working on it.”
I said that given the fraught relationship between us, getting the phone from my partner would be tricky. “Tell her the phone broke down or wait for her birthday and buy her a new one,” the salesman suggested. I asked whether I would be in my legal rights if I were to use the software. “We cover ourselves,” he replied. “The clients sign a letter of obligation to the effect that they are using the software exclusively for legal activity.”
I asked to see the letter. The product in question is referred to there as “Backup software for a cellular phone.” The term “spy phone” appears in small print, apparently in order to play down its real purpose. The fact that one hides the software in the phone’s innards is explained by the need “not to interfere with the device’s user.” Additionally, the client is required to declare that the phone in which the software will be installed belongs to him.
Signing this letter is a means for the seller to ensure that if the client uses the software for unlawful eavesdropping, it’s the latter who will bear the legal consequences. The law in this connection is clear: Listening in on a conversation without the consent of at least one of the parties involved in it is illegal and can result in a five-year prison term.
Plenty of companies advertise similar services and products on the web. I contacted one, called, simply, Spy-Phone. I told their representative, who identified herself as Danit, that I wanted to tap my wife’s mobile phone. “I can’t sell the software to you, it’s against the law,” said Danit, adding that the product is intended for “business owners and parents of children.” I said that I had the same sort of legitimate aims in mind, which set her fears at rest.
Danit now launched into a passionate selling mode: “There’s actually nothing that goes through the phone that you won’t receive: text messages, contacts, calendar, photo gallery, location, a report of the room, all the apps, Facebook, Messenger, WhatsApp, Instagram, Telegram. You can also photograph the browser. Whatever interests you.”
She then named a price – 1,000 shekels (about $275) a month, with a significant discount over time if the monitoring continues – and explained that infecting a smartphone with malware is possible only via physical access. “We’ll be with you on the line and explain what to download.”
In a phone call to another company, Trico, I said I wanted to insert espionage software in the phone of one of my employees. The company’s representative, Sarit, related proudly that her firm “offers service to clients ranging from the ordinary citizen to companies and celebs whose songs you hear on the radio.”
Sarit emphasized that physical access to the phone would be required, but that in this case the service could be provided by her, personally, in the client’s home. “I do it in 20 minutes,” she said. “You get on-the-spot service and a real-time test to see that it’s working.” When she said that the company’s server is located in Cyprus, I asked why that was relevant. “Well, it’s not something in this country, under the laws of the State of Israel, or anything like that,” she said.
I opted for Danit and called her back. Before that, I got a relative to let me use his phone for my experiment. Danit guided me skillfully and quickly in neutralizing the firewalls and downloading the spyware. Finally she sent me a link to a site in which the data to be collected would be stored, to begin a one-day trial period.
The results were above and beyond: For 24 hours I knew where my relative was at any given moment, I could read his WhatsApp correspondence, record all the conversations he had, and document by myself, in photos, situations in which he was present.
‘Turned into a saint’
A few types of apps are available in the civilian espionage market. At the bottom of the ladder are apps whose installation requires physical access to the phone. The more sophisticated option is activated via a link that’s sent to the target phone in a text message or by email, from a source posing as a legitimate entity. Clicking on the link will generate an error message and also implant the malware. At the top of the pyramid are apps that exploit breaches in the device’s operating system but do not require the victim’s involvement.
A company called Force Majeure – “Cyber & Digital Forensics, Information Security, Data Recovery” – offers several options for the customer to defend him or herself from being spied on via the phone. According to the company’s website, the phenomenon “has become a countrywide problem that violates privacy ruinously and grossly.” Dan Levinson, senior vice president for strategy, relates that Force Majeure deals with attacks of this kind on a daily basis.
“We had a client who was in the first stages of a divorce procedure and wanted to hide the existence of assets, especially properties abroad, from his wife,” Levinson says by way of illustration. “When he discovered that a large portion of the assets had been revealed, he suspected that his phone had been hacked. Our tests showed that spyware was in fact present in the phone.”
A similar and no less creative stratagem was adopted by a young man against his partner when they were on the verge of splitting up. “After the relationship finally broke down, the guy hacked the woman’s phone – she owned a prosperous business – and sent to himself a fake break-up email that she had supposedly written him,” Levinson relates. “The message said something along the lines of, ‘Thanks for being with me and for all the support, it’s all thanks to you. If not for you, the company I founded never would have developed the way it did.’ He wanted to obtain rights in the company or a cash grant after the separation, so he tried to fake evidence of his involvement in the business.”
A few years ago, Shay Madar, a private investigator from Yeda Investigations, which specializes in cybersecurity, encountered an unusual story in which it was the adulterer – the husband – who inserted spyware into his wife’s phone.
“She came to see me not because of spying in her smartphone, but because she suspected that her husband was cheating on her,” Madar recalls. “Oddly, the husband started behaving properly immediately after our meeting. He thought a few steps ahead. He eavesdropped on her, heard that she was planning to trap him, and turned into a saint.”
At that stage, Madar continues, “we wondered why he had suddenly become such a good boy. We checked her mobile and discovered it was being tapped. The whole field was then in its infancy. These days I make sure clients don’t enter my office with their cell phones. And when a person suspects that spyware has been installed in their phone, I caution them not to use the device to contact me.”
Lawyers who handle cases involving family law are having to develop an awareness of the new technology. On one occasion, relates attorney Dorit Dagan Olkinicky, from the Galili Dagan firm, a client approached her with information gleaned from spying on his partner’s phone. “He told me that it wasn’t he who had installed the software, but his brother. I explained to him that it was very unlikely that he would be able to use such evidence in court, and that there was a far greater likelihood that he would be charged with criminal wrongdoing.”
There was also a client in a divorce case who had been a tapping victim, says Dagan Olkinicky, “who didn’t understand how her husband knew at any given moment what was happening with her, down to the very recesses of her soul. I referred her to an expert and it turned out that a Trojan horse virus had been infiltrated into her mobile phone and was intercepting her calls and messages. Fortunately for her, she didn’t have much to hide.”
Such surveillance is also widespread in the business sector. Frequently, a firm will be spied upon by a competitor, although intra-company hacking is also fairly common. A case in point is Ephraim, CEO of a large public organization based in the center of the country.
“The initial suspicion arose when I started to hear things from people in the organization that they weren’t supposed to know,” Ephraim says. “Suddenly, things that were said in small executive meetings began to leak out. I wanted to believe that there was an innocent explanation – that a member of the executive board had leaked things innocently. When this repeated itself, and the remarks from the executive meeting became more specific, I realized that something was wrong.”
Ephraim turned to Force Majeure, which checked all his technological devices, including his phone. They immediately spotted suspicious data transmission from his email: Files sent to him were intercepted by an external browser and opened even before he himself had managed to look at them.
“That discovery was a catastrophe from my point of view,” Ephraim recalls. “You can’t imagine how sensitive the material in my emails is: financial reports, correspondence with lawyers, employee reviews, thoughts about the staff, salary slips, information about bonuses. Potentially there could also be external damage: [revelation of] a client list, a list of suppliers with whom you might be dealing at different rates. Information like that could topple an organization if it were leaked.”
At this stage, Force Majeure laid a trap for the person who was the beneficiary of the breach. He turned out to be a veteran employee of the firm, albeit not in a very senior post.
Ephraim: “We summoned him to my office for a clarification and he confessed immediately. He claimed that he was afraid of being fired, and he had spied on us in order to be able to blackmail the company in case he was let go. Right away we contacted the police and decided to be completely transparent about the case. It shook the company to its foundations. The staff started to ask questions. What about the information concerning them? Who got to see their personal requests? Our reply was: ‘Guys, we were attacked, we’re dealing with it through experts and top lawyers.’ To say that I sleep well at night? No. Since then I’ve been assuming that my correspondence is exposed.”
Opposite cases – of managers tapping employees’ phones – have been encountered by Tal Pikrevitz, a former police officer whose firm engages in business intelligence. Employers engage in this practice, he says, even though it ignores court rulings asserting that an employee’s cellphone is his own private property, even if it’s a company phone. Legally, employers cannot access an employee’s private communications, unless the employee is informed in advance that he’s being monitored and gives his consent.
“The directive [to monitor a worker’s phone] doesn’t necessarily come from the owner or from the board of directors,” Pikrevitz notes. “Staff at a very important company showed me concrete proof that the head of its security unit was tapping their phones. Beyond the criminal aspect and the infringement of privacy, the employees being monitored were members of the workers committee, which adds the element of an effort to undermine the right to organize and makes the case even more serious.”
If phone tapping is illegal, how do software firms get away with selling spyware openly? One explanation is that many espionage apps are marketed as a means to help parents keep tabs on their children.
“Parental monitoring is the standard excuse of all the inventors of spyware,” Rami Tamam explains. “Every such item will be sold with a detailed disclaimer stating that its use for certain purposes is prohibited, but it’s clear that if there is a legal loophole, the product can be distributed everywhere. It’s like a knife: You can use it to slice a tomato or you can use it in other ways.”
Anyone who thinks his phone has been targeted by such “other ways” can have it checked by a cybersecurity firm or a private investigator with the requisite expertise.
Some attacks are based on what’s known as “social engineering.” The attacker or his proxy engages in a manipulation that causes the intended target to perform an operation that makes his phone penetrable. This might be achieved by exposing his password, getting him to click on a malicious link or inducing him to install spyware camouflaged as a legitimate app. In many cases, such attacks are aimed at a mass of users simultaneously, in the hope of landing at least one – hence the name for them: phishing.
Sometimes the phishing is targeted. According to Yair Amit, one of the founders of Skycure, a cybersecurity company that provides protection for mobile phones, attacks launched by business competitors may target specific, usually senior staff members in an organization, whose phones contain significant information. In personalized hacks, the malware is tailored to the victim’s profile. For example, it is installed by means of a message announcing a sale at a nearby supermarket, or the opportunity to receive relevant information from his health maintenance organization. Experts estimate that the cost of a commissioned attack ranges from a few thousand dollars to $200,000. The hackers are hired mercenaries whose names become known to the client by word of mouth.
“The greater the need for more sophisticated means and the higher the profile of the target, the more expensive the attack becomes,” observes Oded Mey-Raz, director of marketing and sales at Kaymera Technologies, a mobile security company. “Let’s take as an example energy companies that are bidding for contracts worth billions of dollars. Obviously, if you can eavesdrop on an official with the competition, someone who’s conducting the negotiations with the local government, his cards are open to you, and that can be worth hundreds of millions. In a case like that, the cost of a Trojan horse is small change that’s worth the investment.”
Espionage means are becoming accessible even to smaller-sized companies, Tamam, the lawyer, notes. “Take, for example, the owner of a small business who suspects that his competitor is part of a cartel and wants to find hard evidence. If doing away with the competitor is worth 600,000 shekels ($165,000) to him, why shouldn’t he invest 40,000 or 50,000 shekels to monitor his phone?”
Clients who want to secure their phone sometimes come from unexpected places, says Kaymera CEO David Sarfati. “If in the past the clients were mainly from public organizations and executives at large corporations, recently we’ve been getting private clients, including even journalists and regular citizens, who want mobile security, without explaining why. All they say is, ‘I don’t want people listening in on me.’”
Local purveyors of spyware take pride in their apps being the product of “original Israeli development.” In fact, the country’s cyber industry occupies a key place in the espionage world. An investigation published last October by Haaretz found that Israeli companies had exported spyware to dozens of countries lacking in strong democratic traditions. The software was used by dictators to spy on citizens and to persecute opponents of the regime. Now it turns out that increasing numbers of Israeli firms are also supplying similar services in the private market, both domestically and abroad.
As is the case at firms involved in foreign exports, the staff at companies serving the private market in this realm also consists in large part of former personnel in intelligence units of the Israel Defense Forces, who are now utilizing the know-how they acquired for sometimes dubious purposes. According to Skycure’s Yair Amit, who served in the army’s celebrated Unit 8200, “People who serve in those bodies have the ability to identify and develop new products on the basis of the knowledge they acquired in those systems. Things thus shift from the state level to the civilian realm.”
In many cases, the developers of these tools of attack and counter-attack (known in the trade as “black-hat hackers”) served side by side in the same unit. According to Dan Levinson, from Force Majeure, which was also founded by Unit 8200 veterans, “Most of our employees are graduates of intelligence and cyber units who are not confused between what they did in the army – black-hat attacks for positive goals, in order to save lives and avert terrorism – and their new role in civilian life. There’s a tremendous temptation to engage in black-hatting in the business and political world. Because that’s where the big money is: in executing attacks, not preventing them. To be a good defender, you need to think like an attacker but be committed to certain values and have a strong conscience.”
Guy Mizrahi, another 8200 graduate, who terms himself a hacker, co-founded Cyberia, a local company, no longer in business, that developed offensive cyber products for governments. He sleeps very well at night, he says.
“The choice of the offensive position is no less legitimate than engaging in information security,” he observes. “If no companies developed offensive tools, the field wouldn’t move ahead and security bodies wouldn’t be able to improve [their technology]. In the end, we manufacture tools that help prevent crime and terrorism, save lives and do good things for humanity. The state defines who is allowed to sell these means and who is not. I’m not shrugging off responsibility, but no one complains about companies that make knives.”
‘Motivation and money’
Until not long ago, the iPhone was considered more immune than those operating on the Android system to random hacking and amateur break-in attempts. But a series of successful hacks of iPhones owned by some prominent individuals raised questions about the level of security provided by Apple. In Israel, the phone of Kahol Lavan leader Benny Gantz was hacked; abroad the most famous victim has been Amazon CEO Jeff Bezos.
Apple still has the advantage, says Guy Mizrahi, who is now vice-president for cyber at RayZone Group, which develops intelligence products for governments. “If the threat I’m facing is a private detective or an app that collects information about me, you could say that I will be calmer if I have an iPhone. But in the end, it’s all a matter of motivation and money. The threat from a state is a whole different story.”
But according to Mey-Raz from Kaymera, “Apple has developed a ‘gated community’ image thanks to its amazing marketing capabilities. In the past that was actually the situation, but the technology is constantly improving, and today there are many more breached zones. Improvements in services involving screens and cameras no longer allow Apple to be a gated community. In any case, to insert a Trojan I don’t have to upload to App Store. There are other ways.”
One of the best known contractors in this realm is the Israeli firm Cellebrite, which specializes in developing means to breach cellphones and takes pride in its ability to hack any iPhone, including the most advanced models. Cellebrite works with various governmental organizations worldwide, including security and intelligence bodies in the United States. A Forbes investigative report last February found that the company’s advanced hacking instruments are available for resale on eBay for a few hundred dollars – another example of how technologies that were once thought to be confined to use by states have spilled into the private domain.
Golan Wishniya, owner of WorldShop: “We sell our software only to clients who declare that the telephone in question is theirs, or in the case of the custodian of a minor. We give the client explicit instructions, and if he nevertheless commits an offense, we cannot assume responsibility for it. The employee you met is a salesperson. I am the technician, and as a lawyer I am knowledgeable about the law. I make a point of interrogating every client about his intentions behind the installation.”
Sarit, from Trico: “I don’t recall the conversation, but if we’d met and done the installation, I would have had you sign a form in which you declare that the telephone is your possession and would have ascertained that you were telling the truth.”
A spokesperson for Spy-Phone stated: “Our policy is unequivocal: not to cooperate with illegal usages. We are not lawyers, but to the best of our knowledge the law stipulates that the product can be sold in the case of a non-independent person. For example, we have clients who want to install a program in [the phones of] their aged parents in order to avoid a situation in which they will be exploited. We don’t have a real capacity to catch people who deceive us, and our point of departure is that most clients are being truthful.”