smart device apps, can they do what I describe?

I think there is a real answer to my inquiry, so GQ here I am.

I read novels of various ilk in which surveillance on some person (the target) is needed. It is common for the ne’er-do-well private investigator or the NSA or whomever to install an app on the smart device (phone) of the target to provide surveillance info. In the novel I am currently reading the PI has installed the fictional “TrueSpy” app, which has the ability to (all data saved in the cloud):
(A) capture all text messages in and out;
(B) capture all incoming and outgoing phone numbers, and associated names;
(C) listen to and record both sides of phone conversations;
(D) listen to and record one or both sides of non-telephonic conversations by capturing the microphone input;
(E) locate the current target location via GPS;
(F) build a log of anywhere the target has remained fixed for X minutes.

In the preceding scenario the smart device has the battery installed and the device is “on” or enabled. I would also be interested to know if being “off” made any difference.

I know smart device apps can do a lot of things, but is this over the top? Or should I remain smart device free so it can’t happen to me?

A normal app can’t, but if the phone is “jailbroken,” or the app is cleverly designed to break out of its sandbox, then, yes, that all sounds do-able.

I don’t know of something that exists that does that (but that doesn’t mean it doesn’t exist), but I don’t see why it couldn’t be made. None of those things seem particularly difficult to do.

Two things that, IMO, would be important are having physical access to the phone to install it since it’ll ask for all sorts of permissions and the target not realizing or caring that their phone is always hot to the touch and their battery is getting run down very quickly.

Also, if the person has an iPhone and you can get their iCloud password, you can always (well, usually) find their location as well as a handful of other things the phone automatically uploads to the cloud.

This is entirely plausible, except the D. The microphone in a phone isn’t very good at picking up omnidirectional sound, by design.

The standard Google Assistant App does all of these if you let it (though the Speech-to-text service might be a secondary app).

Installing something like this on a person’s phone would require access to that phone for an hour or so. That’s the least plausible part. No one can go more than an hour without looking at their smartphone.

Yowza! Maybe I’ll keep my head in the sand for a while longer. But I thought these comments made sense:

Joey P - “…having physical access to the phone to install it since it’ll ask for all sorts of permissions…”

Palooka - (about getting physical access) “That’s the least plausible part.”

I hadn’t thought of this. I bet this really is the least plausible aspect.

I think this is entirely plausible, and does not require physical access to the phone, nor an hour to install, and possibly no cooperation from the target.

The great big giant thing a spying app like that will require is an exploitable vulnerability in the phone, which allows the app to behave in the way described. Such vulnerabilities, both known and unknown, certainly exist today. There have in the past been remote exploits of phones, and there will be again in the future.

So, the sequence of events needs to be something along the line of the PI calling a company that sells such spying software and saying, “The target has a Galaxy S7 with the phone number…” The hacking company, after receiving a large payment, initiates a remote exploit on the phone, and uploads their software. The software then installs itself, uses the same or other exploits to gain elevated privileges, and begins running in the background.

There are cheaper options available today, which mostly are just spying apps that *do* have to be manually installed. Modern versions of Android and iOS will require setting permissions for some of the listed activities, and some of them may be blocked completely. For example, beginning with Android 9 Pie, regular apps will not be able to record phone calls.

Obviously always running software isn’t without consequences. It will almost certainly impact battery life, and may use enough data to be noticeable, though probably not if it is just sending audio, text, and location data.

Many phones have multiple microphones, some of which are designed to listen to ambient sounds. For example, I just set my phone across the room, and in a normal speaking voice I could say “OK Google” and interact with it. Which means, for at least while I temporarily enabled the feature, my phone is in fact listening to all conversations all of the time.

As has been observed many, many times, smartphones are remarkably complete surveillance devices, which can be used for both good and evil. I really like to have my phone tell me at 3pm, “leave by 3:20 to make your 4pm appointment.” To do that it needs to read my calendar, know my location, and be aware of traffic conditions between where I am and my appointment. I’m not paranoid enough to trade that convenience for complete privacy. I am sure that AT&T, Samsung, Google, Tesla, State Farm, and perhaps others know where my phone is at all times. If AT&T knows, then so does the US government or any law enforcement agency that cares.

NSO’s Pegasus can do a lot of what is mentioned in the OP.

Don’t forget about the simplest security vulnerability: You ask the user to install the spy app themselves. Heck, you might even be able to get them to pay you 99 cents for it.

In Person of Interest they could do all that remotely just by pressing some buttons on their phone near their target. I always figured that was BS but gave it some leeway because of the premise (super hacker with supercomputer wired into everything).

I remember rolling my eyes when a hacker took over a webcam in 2007’s Live Free or Die Hard, but lo and behold a couple years later news stories came out about it happening IRL and everybody started putting tape on their webcam. So I’m a little less likely to go “THAT’S IMPOSSIBLE!” when it comes to tech nowadays.

But seriously, I bet you’d be shocked at how much Google knows about you.