How the West is Weakening Its Own Fight Against Russian Data Theft

For decades, Russian influence in European countries has been the worst-kept secret in the intelligence world. Europe has been particularly vulnerable to covert Russian activities, with Brussels, as the centre of the EU, having turned into “a spies’ playground.” The situation has only gotten worse since Russia’s war against Ukraine, but while the headlines are replete with news of Russian spies being identified, another means of Russian subversion is escaping the limelight: fake apps that function as spyware. As the threat of digital espionage turns into an ever-growing national security issue, will world leaders understand too late the dangers of spyware in the modern world?

Indeed, the ease with which the mobile phones of foreign officials or even regular citizens can be turned into a surveillance tool has radically changed the face of espionage in the 21st century. The use of fake apps loaded with spyware or malware has been a growing problem since the beginning of the Ukraine war, supported by a network of more than 700 third-party download stores outside the official app marketplaces. MEPs have recently lamented the need for greater regulation of spyware such as Pegasus and malicious apps in the current security environment, although very little is expected to come of it at the EU level.

Measures that miss the mark

In truth, European policymakers have already made one major misstep which will make it harder to crack down on and weed out these dangerous apps. The Digital Markets Act (DMA), which came into force last month in the EU, will force tech companies to allow users to download their apps from third-party stores, as well as third-party apps from their own platforms. This, however, risks increasing the number of dangerous apps which make it onto people’s devices.

In theory, the law is a well-meaning attempt to curtail the power of “Big Tech” companies like Apple, Google or Microsoft, who often use their digital stores as a way to keep users hooked to their own software, while discouraging the use of software from other providers. In practice, it is a security nightmare which encourages the practice of “side-loading”, a term describing the use of third-party apps downloaded from unofficial sources.

Not every third-party app contains malware, but an increasing number of them do. Earlier this year it was revealed that the notorious cyber mercenary group Bahamut has distributed no fewer than eight different spyware apps under the guise of VPN products. Some of them were infected versions of popular products like OpenVPN and SoftVPN and were almost impossible to distinguish from the real app. Once such an app is installed on a device, it can grant access to private data like passwords, messages, photos, contact lists and digital wallets to the creators of the malware, making it a powerful tool for spying.

Contagion effect in Japan?

Yet the EU is not alone in digital security misconceptions. Japan, too, is contemplating following in the footsteps of Europe by further loosening the security standards for downloading apps. The Japanese government produced a report earlier this year which concluded that, in order to make the digital marketplace more competitive, users should be allowed to download apps from sources other than the established app stores of their operating system.

This recommendation was made despite warnings from the industry, such as the recent announcement by Meta, Facebook’s parent company, that it identified and kept off its platform hundreds of apps that carried malicious software. While the EU’s Digital Markets Act already seems like a foregone conclusion, Tokyo’s lack of foresight is surprising.

Given how prolific China has proven in using spyware, Japan’s intentions seem baffling and could potentially produce far-reaching consequences for national security. The country has already been hit by a large wave of phishing attacks using a malware known as FakeSpy, which posed as the official application of the Japanese Post. FakeSpy, which is believed to have been created by a Chinese cybercrime group, has since evolved to mimic the look of many other national post services, making it apparent that Japan was used as a testing ground for the spyware app before it was deployed globally.

Stuck in the trenches of the digital front

The problem of side-loading will only increase in both complexity and urgency, given that the use of spy apps is not only common but blatant. The practice has become so widespread that some brazen regimes are now using “official” apps made available for sporting events like the Beijing Winter Olympics or the Qatar World Cup to extract personal data from the phones of users.

With tensions growing between the West and the authoritarian regimes of Russia and China, the world is now closer than at any point in the last thirty years to the divided globe of the Cold War era. Unsurprisingly, instances of espionage and foreign interference are once again becoming prevalent, but this time many of the perpetrators are not shadowy figures in trench coats and fake moustaches, but rather work-from-home hackers who get paid in cryptocurrency. The digital front of the intelligence war is exploding and the EU’s evident unpreparedness to deal with the threat is deeply worrisome.

Constantly checking the quasi-monopolistic power of Big Tech is always a good thing, but opening the door to wanton security risks for the sake of competition is a short-sighted approach that will come back to haunt European – and Japanese – lawmakers. Democratic world leaders from Brussels to Tokyo should realise the danger posed by opening Pandora’s box on app security. A more stringent security awareness is indispensable in these trying times.

Image credit: Glen Bedsoe/Flickr