What is Spyware?

January 28, 2021

Spyware Defined

Spyware — short for spying software — is a type of unwanted, malicious software that infects a computer or other device and collects information about a user’s web activity without their knowledge or consent. This can include passwords, personal identification numbers (PINs), payment information and other sensitive data.

Spyware is one of the most pervasive threats on the internet. It is a type of malware that most commonly infiltrates desktop browsers, but it can also operate in an app or on a mobile phone. In fact, in recent years, mobile spyware attacks have become much more common and advanced as people rely on their phones to conduct banking activities and all forms of communication.

While spyware, by definition, operates without the user’s knowledge, some spyware may have legitimate functions or be used legally. For example, a form of spyware leveraged by advertisers and data firms is often bundled in app downloads and disclosed in the fine print. Others, such as those hosted by employers, are designed to detect data theft, breaches or leaks linked to employees. Finally, spyware can be used by government agencies and law enforcement to gather information about an individual’s online behavior and activity.

Since spyware typically runs in the background of the operating system, it is difficult to detect and even harder to mitigate without advanced security tools and solutions.

Types of Spyware

There are several types of spyware. While all spyware programs share the common goal of stealing personal information, each uses unique tactics to do so.


Adware

Adware tracks a user’s web surfing history and activity to optimize advertising efforts. Although adware is technically a form of spyware, it does not install software on a user’s computer or capture keystrokes. Thus, the danger in adware is the erosion of a user’s privacy since the data captured by adware is collated with data captured, overtly or covertly, about the user’s activity elsewhere on the internet. This information is then used to create a profile that can be shared or sold to advertisers without the user’s consent.

Cookies, also known as HTTP cookies or internet cookies, were designed for web browsers to track and potentially personalize a user’s experience on a given website. There are two types of cookies: session-based and persistent.

Session cookies are stored in random access memory and not written to a hard drive. They are commonly used to improve a user’s web browsing experience, for example by letting the back button work without the page having to reload.

Persistent cookies aid in authentication (remembering passwords) and in tracking a user’s interaction with a website (e.g., what pages they click on or products they view).

An attacker can use cookies maliciously by infiltrating a user’s web session either when a user clicks on adware, or by secretly installing cookies on a user’s computer — also known as zombie cookies.
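To make the session/persistent distinction concrete, the following added example (not part of the original article) classifies cookies from their Set-Cookie headers so long-lived tracking cookies stand out in a review. The sample headers, the fixed clock and the one-year LONG_LIVED threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LONG_LIVED = timedelta(days=365)  # assumed review threshold, not from the article

def classify_set_cookie(header, now):
    """Return (name, kind) for one Set-Cookie header value.

    kind is 'session' (no lifetime, dropped when the browser closes),
    'persistent', 'long-lived' (persistent beyond LONG_LIVED) or 'expired'.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None
    if "max-age" in attrs:                 # Max-Age takes precedence over Expires
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            lifetime = None                # malformed value: attribute is ignored
    if lifetime is None and "expires" in attrs:
        try:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            lifetime = None                # unparseable date: treat as no lifetime
    if lifetime is None:
        return name, "session"
    if lifetime <= timedelta(0):
        return name, "expired"
    return name, "long-lived" if lifetime > LONG_LIVED else "persistent"

# Constructed sample headers and a fixed clock so the result is reproducible.
NOW = datetime(2021, 1, 28, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "remember_me=1; Max-Age=2592000; Secure",
    "track_id=u-77; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.ads.example",
    "old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]

def review(headers=SAMPLE_HEADERS, now=NOW):
    """Classify every sample header against the fixed clock."""
    return [classify_set_cookie(h, now) for h in headers]
```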


Trojan

A trojan is a digital attack that disguises itself as desirable code or software. Trojans may hide in games, apps or even software patches. They may also be embedded in attachments in phishing emails. Once downloaded by unsuspecting users, trojans can take control of victims’ systems for malicious purposes. For example, a trojan can delete files, encrypt files or share sensitive information with other parties.


Keylogger

A keylogger is a type of spyware that monitors user activity. When installed, keyloggers can steal passwords, user IDs, banking details and other sensitive information. Keyloggers can be inserted into a system through phishing, social engineering or malicious downloads.

That said, keyloggers can also serve a legitimate purpose. For example, an employer may use a keylogger to observe employees’ computer activities; parents or guardians can also use these tools to monitor a child’s internet usage.

System Monitor

An advanced form of spyware, a system monitor captures virtually everything the user does on the infected computer or device. System monitors can be programmed to record all keystrokes, the user’s browser activity and history, as well as any form of communication, such as emails, webchats or social media activity.

Mobile Spyware

Mobile spyware is a type of malware that targets mobile devices such as an iPhone or Android device. Much like traditional spyware, the mobile version operates undetected in the background and steals information such as passwords, photos, SMS messages, emails, call logs, contact lists and browser history.

Advanced forms of mobile spyware can also act as a keylogger, recording a user’s activity, as well as login credentials and passwords. Some forms can also access the device’s microphone, camera, GPS or other applications, essentially tracking and even recording the user’s phone conversations, location and movements.

Mobile spyware is especially dangerous because it can be deployed via short message service (SMS) or traditional text messages. In addition, mobile spyware generally does not require user interaction to execute commands.

How Spyware Works

Most spyware exists as an application that attaches itself to the operating system and runs continuously in the background whenever the device is turned on. During this time, the spyware program can complete any number of activities, such as:

  • Recording keystrokes (i.e., a keylogger) to gather anything that is typed, including user names, passwords, banking details, credit card numbers and contact information.
  • Tracking online activity, including website visits, the people the user interacts with and the messages they send, in order to create a detailed profile of the user.
  • Assuming control of the computer or device to reset the browser’s homepage, alter search results or flood the device with pop-up ads.
  • Reconfiguring the device’s security settings, including the firewall, to allow remote control over the device or intercept attempts to remove the spyware.

Even if the spyware application does not capture any personal information, its presence will generally slow down the computer or device, degrading its usability and functionality over time.

Where Might You Get Infected With Spyware?

Spyware is one of the most common threats on the internet, affecting both businesses and individuals. While many spyware attacks focused on Windows or PC users in the past, a surge in Mac users has increased iOS attacks, making Apple loyalists susceptible to this security risk.

Some of the most common ways for devices to become infected with spyware are linked to user behavior, such as:

  • Downloading pirated media, including music, video games, movies, books, software or paid content.
  • Downloading any unsolicited material, such as attachments, photos or documents, even from familiar sources.
  • Accepting or allowing a pop-up notification without reading the message or understanding the content.
  • Failing to read the user agreement when downloading legitimate applications or software.
  • Failing to stay current with updates and patches for browsers, the OS, applications and software.

However, a spyware attack can also infect a computer or device through security vulnerabilities or coordinated attacks, which the average user has little awareness of or control over. These can include:

Security vulnerabilities. Many devices or software applications contain errors in code (often referred to as “bugs”) that can be abused or exploited by digital adversaries to gain unauthorized access. Once inside, the cybercriminal may set up a backdoor, which is a point of access created by the threat actor in order to continue to enter the system in secret if and when the initial vulnerability is discovered and patched.

Phishing and spoofing. Often a coordinated attack, phishing and spoofing are two tactics commonly used by threat actors to spur users to perform an action, such as downloading an infected file or sharing login credentials. Spoofing is a tactic often layered on top of phishing. It refers to the act of disguising emails and websites so that they appear to be from legitimate, trusted or familiar contacts.

Software bundles or disguised tools. Many spyware developers disguise their programs as useful tools, such as hard drive cleaners or browsing accelerators. These downloads often contain a malicious add-on, extension or plugin. Unfortunately, most spyware is programmed to remain on the system even if the host application is uninstalled or deleted. In some cases, the user terms and conditions of the tool or software even disclose the presence of the spyware.

How to Recognize Spyware

As the name implies, spyware is meant to be deceptive and difficult to recognize. Further complicating matters, many spyware symptoms are relatively common issues that are the result of other cyber threats.

If your device is experiencing any of the following, it is important to perform a full security review in order to determine and resolve the issue at the root level:

  • The computer or device runs slowly.
  • The device crashes unexpectedly on a consistent basis.
  • The device is inexplicably running out of space or memory.
  • The browser’s landing page or device’s home screen has been changed unexpectedly.
  • New toolbars, search engines or applications appear on the device without being downloaded.
  • The device is subject to pop-up ads and messages, even when offline.

It may be especially hard to identify spyware on a mobile device since there is no simple way to review programs running in the background.

Expert Tip

It’s critically important that your infosec champion work with your software development teams to train on best practices to develop software securely. Insecure coding processes can result in greater susceptibility to vulnerabilities.

How To Help Prevent Spyware

Because malware — including spyware — is varied and constantly evolving, the only way to prevent it is to take a multi-pronged approach driven by constant innovation. Traditional antivirus tools, which compare suspected threats to a list of known threats by looking for indicators of compromise (IOCs), simply cannot keep up with the frenzied pace at which new malware is emerging. This leaves organizations in the weak position of always being a step behind their adversaries, only able to react to attacks and never able to proactively prevent them.

Organizations must adopt an integrated combination of methods to prevent and detect all types of malware, including spyware. These methods include machine learning, exploit blocking, behavioral analysis and blocklisting. Here we review these capabilities within the context of the CrowdStrike Falcon®️ platform, the market’s leading cloud-native security solution.

Machine Learning
The Falcon platform uses machine learning to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files and can protect the host even when it is not connected to the internet.

Exploit Blocking
Malware does not always come in the form of a file that can be analyzed by machine learning. Some types of malware may be deployed directly into memory through the use of exploit kits. To defend against these, the Falcon platform provides an exploit blocking function that adds another layer of protection.

Behavioral Analysis
What about fileless malware that doesn’t use an exploit kit, such as certain types of ransomware? To protect systems against these threats, the Falcon platform uses indicators of attack (IOAs), which look across both legitimate and suspicious activities to detect stealthy chains of events that indicate malware infection attempts. Most IOAs can prevent non-malware attacks as well.
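The contrast between matching a list of known threats and looking for a chain of events can be shown on a small scale. This is an added example, not code from the article and not the Falcon platform's logic; the event schema, action names, hashes and process names are all constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid image file_hash action")

KNOWN_BAD = {"hash-old-sample"}   # constructed list of already-known bad hashes

# Constructed endpoint events in time order (hypothetical schema and values).
EVENTS = [
    Event(20, "cleaner_tool", "hash-new-build", "start"),
    Event(30, "backup_agent", "hash-backup", "start"),
    Event(30, "backup_agent", "hash-backup", "autorun_set"),
    Event(20, "cleaner_tool", "hash-new-build", "autorun_set"),
    Event(40, "toolbar_old", "hash-old-sample", "start"),
    Event(20, "cleaner_tool", "hash-new-build", "input_capture"),
    Event(30, "backup_agent", "hash-backup", "net_connect"),
    Event(20, "cleaner_tool", "hash-new-build", "net_connect"),
]

# Assumed chain for spyware-like behaviour: persist, collect input, send it out.
CHAIN = ("autorun_set", "input_capture", "net_connect")

def ioc_hits(events, known_bad):
    """List-based check: flag processes whose file hash is already known."""
    return sorted({e.pid for e in events if e.file_hash in known_bad})

def behaviour_hits(events, chain=CHAIN):
    """Flag processes whose actions contain the chain as an ordered subsequence."""
    progress = {}                 # pid -> index of the next chain step expected
    flagged = []
    for e in events:
        step = progress.get(e.pid, 0)
        if step < len(chain) and e.action == chain[step]:
            progress[e.pid] = step + 1
            if step + 1 == len(chain):
                flagged.append(e.pid)
    return flagged

def compare(events=EVENTS):
    """Return what each method flags on the constructed events."""
    return {"ioc": ioc_hits(events, KNOWN_BAD), "behaviour": behaviour_hits(events)}
```

The hash list catches only the previously seen sample (pid 40), while the chain flags the new build (pid 20) and leaves the backup agent alone because it never captures input.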

Blocklisting
The Falcon platform also allows organizations to blacklist applications, automatically preventing them from running anywhere in the organization.

The CrowdStrike Falcon platform combines these methods with innovative technologies that run in the cloud for faster, more up-to-the-minute defenses. To learn more, schedule a demo or experience a free trial.