These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that, as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately.
Spyware programs
CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.[1]
FinFisher, sometimes called FinSpy, is a high-end surveillance suite sold to law enforcement and intelligence agencies. Support services such as training and technology updates are part of the package.[2]
Gator replaced banner ads on Web sites with its own.
GO Keyboard, a pair of virtual Android keyboard apps (GO Keyboard - Emoji keyboard[3] and GO Keyboard - Emoticon keyboard[4]), transmits personal information to its remote servers without users' explicit consent. This information includes the user's Google account email, language, IMSI, location, network type, Android version and build, and the device's model and screen size. The apps also download and execute code from a remote server, breaching the Malicious Behavior section[5] of the Google Play privacy policies. Some of these plugins are detected as adware or PUP by many anti-virus engines,[6] while the developer, a Chinese company named GOMO Dev Team, claims in the apps' description that they will never collect personal data including credit card information.[7] The apps, with about 2 million users in total, were caught spying in September 2017 by security researchers from AdGuard, who then reported their findings to Google.[8]
Hermit is a toolkit developed by RCS Lab for government agencies to spy on iOS and Android mobile phones.
HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[9][10]
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[11]
Spyware such as Look2Me hides inside system-critical processes and starts up even in safe mode. With no process to terminate, such programs are harder to detect and remove; they combine the behavior of spyware with that of a rootkit. Rootkit technology is also seeing increasing use,[12] as newer spyware programs have specific countermeasures against well-known anti-malware products and may prevent them from running or being installed, or even uninstall them.
Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[13][14] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."[15]
Onavo Protect is used by Facebook to monetize usage habits within a privacy-focused environment, and was criticized because the app listing did not contain a prominent disclosure of Facebook's ownership.[16][17][18] The app was removed from the Apple iOS App Store. Apple deemed it a violation of guidelines barring apps from harvesting data from other apps on a user's device.[19][20][21][22][23][24]
Pegasus is spyware for iOS and Android mobile phones developed by NSO Group which received widespread publicity for its use by government agencies.
Zwangi redirects URLs typed into the browser's address bar to a search page at www.zwangi.com,[25] and may also take screenshots without permission.[26]