Threat Intelligence

    Spyware: What It Is and How to Protect your Business

    Spyware is hard to detect and even harder to remove. Learn how it works and how to protect your company.

    by Mercedes Cardona

    Key Points

    • Attackers use spyware to steal and sell data from businesses.
    • They show no signs of slowing down, with remote workers providing additional points of entry.
    • Companies can protect themselves by training employees, deploying anti-malware defenses and keeping current with their operating systems and security software.


    Spyware is one of the oldest cyber threats. It is also one of the most prevalent among attackers looking to access sensitive business data, sell that data, or gain control over employee devices like smartphone microphones to eavesdrop on meetings.

    Spyware commands headlines to this day, whether it’s governments and activists trading accusations that it’s being used for political espionage,[1] businesses and consumers coming under attack, or security researchers discovering new types of spyware. Recent examples include a spate of attacks on industrial enterprises using spear phishing emails with malicious attachments.[2] Other victims have been targeted using fake “system updates” to take over their Android devices.[3] 

    Spyware is typically planted in networked devices and computers via malicious email attachments, unpatched software vulnerabilities and rogue apps, popups and browser extensions. Once installed, it uses keyloggers, screen captures and other means to identify login credentials, monitor internet activity and otherwise spy on employees and steal sensitive information.

    Companies can protect against spyware much like other malware, with defenses including secure email and web gateways, automated management of software patches and frequent awareness training for employees. For example, Mimecast’s secure gateways block malicious emails and protect against illegitimate downloads.

    The challenge of defending against spyware attacks is that they often go unnoticed. Spyware programs infiltrate business networks and devices, quietly collecting and exposing sensitive data while employees go about their daily tasks unaware. With companies adopting more devices and extending their attack surfaces in hybrid work environments, it’s crucial to understand how spyware works, how to recognize the threat and how to protect against it. 

    What is Spyware?

    Spyware is a form of malware, or malicious software, that infects victims’ computers and mobile devices to then collect data about them or their employers. That data might include a person’s username and passwords, browsing history, downloads, emails and payment information. For businesses, the threat extends to sensitive customer data, financial information and confidential files. 

    How Does Spyware Work?

    Before exploring how spyware collects and exposes business data, it is worth describing how attackers break in. Spyware attacks use a variety of methods including:

    • Email and messaging: As attackers’ No. 1 choice for delivering malware, email has been widely used for spyware, relying on user interactions such as the downloading of infected attachments. More recently, smartphone messaging apps have even carried “zero-click” exploits, which require no interaction from users.[4]
    • Patch management shortcomings: Software vendors regularly release patches to plug vulnerabilities in their products. Prudent businesses waste no time in updating their operating systems to stay one step ahead of the cyber attackers. Many rely on cloud-based software applications that provide automatic updates, which include the latest security patches.
    • ‘Malvertising’: The Android spyware mentioned above is an example of how attackers use deceptive advertising, promising helpful software but actually tricking people into downloading programs that are embedded with harmful spyware.

    Once it has penetrated a business’ perimeter, spyware works like a mole, quietly collecting data and monitoring employees’ activity. Many attackers then sell this information to interested third parties who use it to gather intelligence, launch ransomware attacks, or otherwise target businesses and their customers. 

    What About Mobile Spyware?

    Spyware attacks both mobile devices and desktops. In fact, attacks can be more damaging and difficult to catch on a phone because the small screen makes it difficult for users to keep an eye on multiple programs at once, much less notice unusual activity in their operating systems.

    Mobile spyware targets a range of personal data, from SMS to call logs, emails, app usage, browsing history and even photos. Attackers may also steal a victim’s contact details so they can target more people in that person’s inner circle, including fellow employees. 

    As mobile phones become more advanced, the types of information attackers can access grows. Advanced mobile spyware has been known to record sounds using a victim’s microphone, track their GPS data and even control their devices remotely using stolen login information. This is a major concern for businesses that deal in confidential information or intellectual property, where a leak can have major implications for their customers and the wider public. 

    Another insidious threat has emerged in recent years: zero-click spyware. Where traditional spyware attacks rely on victims actively downloading a harmful file, zero-click spyware can install itself directly on a victim’s device without any interaction on the receiving end. As one cybersecurity expert put it, zero-click spyware is “a weapon against which there is no defense.”[5]

    Common Types of Spyware

    In addition to exploiting a range of vulnerabilities, spyware also uses many techniques, including:

    • Trojans: Often delivered via email, Trojans can act as a delivery vehicle for malware including spyware. Trojans disguise themselves as trustworthy files or software updates to get past defenses on their victims’ devices. 
    • System monitors: System monitors, or keyloggers, can collect data on virtually any activity on a target user’s device. From keystrokes to online chat, browsing history or downloaded programs, system monitors can be comprehensive in the breadth of their information gathering.
    • Infostealers: Once they exploit vulnerabilities in a target device, infostealers seek out sensitive information that attackers can then store on their own servers, or in another location on the infected device for quick access. This data can include usernames and email addresses, passwords, web browsing history, system information and files such as documents, financial spreadsheets and media files. 

    Recent Spyware Examples

    Spyware attacks have taken many forms over the decades, but a few have lodged themselves in the memory of businesses and governments for their scope and impact. Here are some 21st century spyware programs that continue to evolve and cause problems for companies to this day. 

    • Pegasus: One of the highest profile zero-click spywares, Pegasus earned notoriety after it was used to access devices owned by journalists, political activists and business executives. 
    • CoolWebSearch (CWS): A veteran of the spyware world, CWS redirects its victims to a new homepage when they go online and then presents them with a barrage of pop-up ads for sites they would otherwise deem unsafe. To add to the risk, CWS also changes victims’ browser permissions to mark these sites as “safe,” so that they are no longer blocked by default. 
    • HawkEye: Like many keyloggers, HawkEye captures a range of employee activity and data, including keystrokes, login credentials and sensitive details about their work.

    Tips to Detect and Remove Spyware

    Spyware exploits existing vulnerabilities in a target’s systems, making it difficult to detect and remove. It is deceptive by nature and works quietly behind the scenes to gather intelligence for as long as possible. That said, devices infected with spyware do exhibit some tell-tale signs, including: 

    • Reduced performance and speed, sometimes accompanied by unexpected crashes and error messages in applications that previously worked smoothly.        
    • A sudden drop in available hard drive space, indicating that the spyware has been saving duplicate files on the drive for retrieval.  
    • Browsers that redirect employees to pages they did not navigate to. 
    • The appearance of desktop icons that were never there before.
    • The appearance of new browser plugins or toolbars that were never previously installed.
    • Constant (and increasingly frustrating) pop-ups.        

    Businesses must be vigilant in running malware scans to identify and remove any malicious spyware. At that point, employees should be encouraged to change their passwords, in case they’ve already been stolen, and alert any partners that might be affected by the breach. 

    How to Prevent Spyware

    The best way to minimize the effects of spyware attacks is to prevent attacks before they occur. It is impossible to avoid exposure to malicious ads or emails, but with the right combination of anti-malware software and employee training, businesses can stop their teams from engaging with spyware posing as helpful software or messages. Specifically, companies should: 

    • Deploy anti-malware software.
    • Ensure all operating and security solutions are updated regularly.
    • Train employees to spot and avoid suspicious emails and pop-ups, and be wary of any attachments from unknown sources.
    • Similarly, train employees never to open messages or push-notifications on their mobile device if they don’t recognize the sender. 

    secure email gateway with advanced malware protection helps identify and filter malicious messages before they reach employees, while also analyzing URLs in any email or attachment and even converting suspicious attachments to a safe format.

    The Bottom Line

    Like any infection, spyware can be devastating if left unchecked. While there is no way to eliminate the threat completely, companies can build strong defenses with security technologies, good patch management and employee awareness training. Dive deeper to learn about Mimecast’s advanced malware protection and employee awareness training.   

    [1]European Lawmakers Launch Investigation into Use of Pegasus Spyware by EU States,” TechCrunch

    [2]Spyware Blitzes Compromise, Cannibalize ICS Networks,” Threat Post

    [3]A New Android Spyware Masquerades as a ‘System Update,” TechCrunch

    [4]Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen,” Security Week

    [5]NSO Group’s “Zero-Click” Exploit Among Most Technically Sophisticated Ever – Google,” Rappler


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top