Your smartphone holds your secrets.
Text messages. Emails. Banking passwords. Hackers can steal just about any personal information that can be used to rob you or snoop on your activities by accessing your smartphone.
Cases with compromised smartphones are a growing part of investigations conducted by the Custer Agency, a Boise private-investigation firm. Neal Custer, the president and CEO, said he investigates thefts perpetrated over clients' phones. His agency also uses digital investigation techniques to build cases for divorce and other domestic litigation.
"We've found all kinds of things, from child pornography on a husband's phone to evidence of hiding financial assets to emails that reveal affairs," Custer said.
A rise in cybercrime led Custer to open a subsidiary, Reveal Digital Forensics & Security, in 2011, to handle the computer and communications cases.
Dylan Evans, vice president of the forensics business, said clients sometimes come to Custer with an eerie feeling that somebody is tracking their whereabouts or knows more than they should about the client or the client's business. Increasingly, Evans finds that clients' smartphones have been hacked to relay information to another party, often to untrusting spouses or partners.
"Someone notices their battery is draining quickly or their phone starts working slower and they get suspicious," Evans said. "Usually, it's because someone installed surveillance-ware, worried about them cheating."
YOUR PHONE IS WATCHING
Surveillance software can send duplicates of text messages, emails and photos to the installer or relay your location using the phone's GPS device, Evans said. It can access cameras and recorders of infected phones to remotely allow the installer to take photos or eavesdrop on conversations.
Snoops usually install surveillance software by picking up the phone from someplace like a desk or nightstand, Evans said. They then download the software they've previously purchased and created an account for. The process takes less than five minutes.
"The (snoop) has already purchased the app and has the account set up," Evans said. "They know the make and model of the phone. They get the phone in their hands. They install the program and it becomes spyware."
Evans said some antitheft apps can be used as surveillance software when a snoop installs them on a victim's phone.
Most of the cybercrime using smartphones that is investigated by the Boise Police Department involves stalking, spokeswoman Lynn Hightower said. Detectives analyze the phones of potential stalkers to verify allegations, she said.
"The evidence (gleaned) via telecommunications devices may be included in evidence that shows the repetitive behavior and fear necessary to prove stalking," she said.
Compromised smartphones are also a tool of corporate espionage. Evans said one large Boise business he declined to identify smelled something fishy after a competitor underbid a multimillion-dollar contract by a slim amount. A sweep of the corporate boardroom for bugs turned up nothing.
Evans and Custer investigators analyzed the board members' smartphones. They learned one board member left his company phone charging in his office overnight at the insistence of his wife, who didn't want her husband taking his work home with him. Investigators found that phone had been sending copies of text messages, including those the board members sent to submit bids. Evans said those messages were being relayed to a third party, most likely the company that won the bid.
A piece of well-placed surveillance software can be worth millions of dollars to a company if it reveals a competitor's bids or corporate strategy, Evans said.
"It's not a big investment to do a background check on a competitor's cleaning crew, to find someone with a criminal history that's maybe a little unscrupulous, and to offer them $5,000 to borrow a phone for five minutes," Evans said.
The best way to protect against surveillance software or theft is to set a password to open the phone interface, Evans said. He also recommends installing virus protection software on smartphones, though he said all of the programs on the market have vulnerabilities.
"I still recommend running them," Evans said. "You just can't expect them to be the Holy Grail for security."
Traditional identity-theft software might seem less creepy than surveillance software installed on your phone by a spouse. But old-fashioned identity theft viruses enable hackers to rob you all the same.
Dianxiang Xu teaches master's-degree students in Boise State University's Computer Science Department how to write programs without vulnerabilities. He said the department is developing an undergraduate minor so that more students can learn about protecting against cybercrime.
Many smartphone users infect their own phones by downloading apps that perform their stated function while hiding nefarious software that gleans passwords or other personal information, Xu said.
Xu said other apps tell you they will glean information from your phone in the agreements that users check off on when opening the program for the first time. He advised not to agree to letting your phone share contact lists, GPS locations and other information that apps often don't need to function. That information is often sold to advertisers, though more malicious software can hack into bank accounts or email accounts.
"You should always look at the permissions," Xu said. "People have a tendency to hit, 'Agree, agree, agree.' We grant potential risks whenever we download apps, particularly if you're not familiar with the source."
Evans said free versions of popular games such as Angry Birds carry risks. Game developers release free versions loaded with ads to try to entice players to buy the full, ad-free versions. Those ads can carry malicious software without the game developer's knowledge.
"Make sure whatever app you are downloading is pretty well reviewed and doesn't just have one five-star review by the developer," he said. "It could easily come bundled with something you're not expecting."
Moscow app developer Goldenshore Technologies LLC was slapped by the Federal Trade Commission in 2013 after the discovery that its app, Brightest Flashlight Free, tracked consumers' data without their knowledge.
In a settlement, the developer agreed to change its practices. No fines were imposed.
Evans said consumers need to fight the urge to download apps impulsively.
"People say, 'I want a calorie counter.' They add the app. They run the app. They need to do the research and find one that works and not one that is something else. They need to treat their smartphone more like a computer and less like a toy."
Zach Kyle: 377-6464, Twitter: @IDS_zachkyle