
What Is Spyware? The Various Types & How To Stay Protected


Think of all the information you type into your phone or computer every day. From conversations with close and trusted friends, to sensitive medical queries and banking details – today’s devices are integral to our day-to-day lives. Attackers don’t just understand that your phone and laptop hold a lot of sensitive data – they also know this sensitive data can be sold for a profit.

Spyware is the strain of malicious apps that aim to remain as undetectable as possible, while sending every piece of personal info to the spyware’s owner. This could be a profiteering cybercriminal or an entire government taskforce – spyware spans the width of simple keyloggers to uber-complex, zero-click exploits. Knowing what to recognize can help protect the data you hold dear, and let you sleep better at night.

What is spyware?

Spyware is a type of malicious software, or malware, that is secretly installed on a computer or mobile device without the user’s consent. Its primary function is to infiltrate the device to gather sensitive information about the user’s activities, and then transmit this data to unauthorized parties such as fraudulent advertisers, data farms, or other third parties. 

Understanding the point of spyware requires placing it in a wider context. Hacking groups today are sophisticated – not just in technical capability but also in economic development. The rise of online spaces that allow malicious actors to connect has meant that disparate groups with different skills can collate and trade the malware they have developed and the data they have stolen.

This black market sees tens of millions of dollars flow through it. The data harvested in spyware attacks is often re-sold to more offensive groups that use it to facilitate subsequent phishing and ransomware attacks.

On the other hand, gone are the days of the governments’ widespread ignorance of the internet. Spyware is drenched in allegations of governmental surveillance – and while renowned spyware providers such as the NSO Group claim they license only to governments wanting to use their tech for catching criminals, evidence for its use to target journalists is already available. 

Some variants of spyware, like stalkerware, are specifically designed to track a person’s location. This type of spyware can be discreetly loaded onto mobile devices and is capable of tracking the user’s physical movements, intercepting communications such as texts and emails, recording phone conversations, and accessing private content like photos and videos.

How spyware works

Building a baseline understanding of spyware’s Tactics, Techniques, and Procedures (TTPs) is essential for keeping yourself safe.

How spyware gets onto your device

Spyware can be installed on a device without the user’s awareness in a number of different ways. Whether through an app installation package (typically a .exe file), a file transfer, a malicious website, or a simple USB drive, the method of infection depends primarily on the victim’s own circumstances. Because spyware is often highly targeted, infection techniques are frequently crafted specifically for the victim.

For example, Pegasus – a specific brand of spyware we’ll discuss below – utilizes zero-touch exploits. This allows a governmental team to implant the spyware through a missed call on WhatsApp. The phone’s owner does not need to interact with the spyware at all to have it download, and the resultant spyware execution deletes the record of the missed call, meaning the user has no idea anything is amiss.

Most spyware deployments are rarely as advanced as this: social engineering can achieve the same with far less technical skill and investment. In this more traditional approach, attackers take advantage of open source intel to produce deeply persuasive and targeted phishing links that direct the user to a spyware-loaded server.

Finally, spyware deployments also take advantage of trusted insiders. Here, the spyware is deployed via a local wireless transceiver – or manually downloaded onto a target’s phone.

How spyware collects your data

After getting onto your device, spyware immediately starts up a number of functions. These scripts collect everything you type on the device’s keyboard and are able to activate and record the device’s mic, camera, and screen; access all files; capture any content within your emails, messages, and social media apps; and keep logs of your browser history.

The massive range of data that spyware is able to collect is made possible partly by keyloggers. These are usually software-based, and simply monitor and record every press of your device’s keyboard. The recorded logs are transmitted to the hacker in a number of different ways – sometimes exfiltrated to a third-party server, sometimes sent by email, and sometimes even uploaded directly to a public website or database.

Some keyloggers are more advanced than others, able to abuse smartphone accessibility programs that are intended to help users with visual impairments.

How spyware stays undetected

Detecting spyware is notoriously difficult. Spyware applications often start running as soon as the infected device is powered on and boots up; their goal is then to stay undetected while running in the background. This is sometimes achieved by masquerading as harmless utilities or apps, and adopting nondescript names and icons.

This way, they can hide in plain sight amongst the countless other processes across your device. To hide under the radar even more, some configure the device settings to prevent showing up in the device’s taskbar or desktop.

Often, the first indication of spyware on a device is a noticeable decrease in performance, such as slowed processing speeds or network connectivity issues, alongside increased data usage and reduced battery life, particularly in mobile devices.

Because user input is recorded and sent to a malicious database, the new streams of data going to an external server carry a risk of detection. Spyware on phones and devices connected to enterprise networks could therefore be detected, as even basic network defense tools could flag this traffic as suspicious.

So, spyware authors often build a nefarious but simple workaround: they just communicate via unsecured channels, hiding the malicious transfer in plain sight.
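The network-side signal described above can be checked from flow metadata alone (destination, connection count, bytes sent), without looking inside the traffic. The following Python sketch is an added example, not part of the original article or any NinjaOne product; the device names, hostnames, baseline and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline: destinations each device normally talks to (assumption).
BASELINE = {
    "phone-01": {"mail.example.com", "updates.example.com"},
    "laptop-07": {"mail.example.com", "intranet.example.com"},
}

# Constructed flow records: (device, destination, bytes_out). Not real traffic.
FLOWS = (
    [("phone-01", "mail.example.com", 4_000)] * 12
    + [("phone-01", "collect.example.net", 90_000)] * 110
    + [("phone-01", "cdn.example.org", 2_000)] * 3
    + [("laptop-07", "intranet.example.com", 15_000)] * 40
)


def flag_new_upload_streams(flows, baseline, min_connections=100, min_bytes=1_000_000):
    """Return (device, destination, connections, bytes_out) for destinations that
    are absent from the device's baseline and exceed both thresholds."""
    stats = defaultdict(lambda: [0, 0])  # (device, dest) -> [connections, bytes]
    for device, dest, bytes_out in flows:
        entry = stats[(device, dest)]
        entry[0] += 1
        entry[1] += bytes_out

    findings = []
    for (device, dest), (count, total) in sorted(stats.items()):
        if dest in baseline.get(device, set()):
            continue  # known destination for this device
        # A one-off visit to a new site is normal; a new destination that
        # receives many uploads with a large total volume is worth a look.
        if count >= min_connections and total >= min_bytes:
            findings.append((device, dest, count, total))
    return findings


if __name__ == "__main__":
    for device, dest, count, total in flag_new_upload_streams(FLOWS, BASELINE):
        print(f"{device}: {count} uploads, {total} bytes to new destination {dest}")
```

Both thresholds need tuning against the normal traffic of the network being monitored.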

The harm spyware inflicts

Once a device has been tapped for its rich information flows, the issuing party has a choice of what to do with it. For governments and law enforcement teams, this data is funneled into a wider intelligence campaign that seeks to determine a suspect’s innocence. For black hat hackers, however, this captured data is often sold to other attackers that may then use it for identity theft.

Whether taking out lines of credit in your name, using your bank card details to make online transactions, or deploying more direct and intrusive forms of malware on the device, your world truly is their oyster.

Because spyware can be used to change the device’s firewall settings, a device that’s been seeded with spyware is highly susceptible to further attacks. This can pave the way to the device becoming part of a botnet, or a malicious ad network, as spyware may also tamper with search engine outcomes to direct you to advertisements that the attackers then get paid for.

Additionally, spyware often brings with it the nuisance of pop-up ads. These advertisements can be particularly intrusive, appearing even without an internet connection, and proving to be a relentless irritation.

Sometimes, the harm inflicted on your computer can begin to damage your system itself. Spyware tends to consume substantial amounts of your computer’s memory, processing power, and internet bandwidth due to its lack of performance optimization. Consequently, devices plagued with spyware may experience sluggishness and delays when switching between applications or during online activities.

In more severe instances, the spyware can cause regular system crashes or overheating, potentially leading to permanent damage. 

Types of spyware

Due to the sheer variety of spyware out there, it can still be difficult to know what to keep an eye out for. The following examples help shed some light on the various types.


Adware

Adware primarily displays unwanted advertisements, often altering browser settings or manipulating web searches. While generally less harmful than other spyware variants, adware can still degrade device performance and be a source of annoyance.

In August 2023, researchers discovered that over 40 applications on the Google Play store were stealthily loading ads when the phone screen was off. This included the Music Downloader, News, and Calendar apps, and in total clocked up over 2.5 million installations.

During installation, these bundles might connect to a third-party server to fetch the latest adware or plugins without directly saving any files to the hard drive. Moreover, the installers for this adware can hijack the delivery mechanisms, potentially being used to distribute more severe types of malware. 


Keyloggers

Due to the depth of data collection achieved by keyloggers, they’re best exemplified in government-issued spyware. Pegasus is the flagship product of Israeli intelligence firm NSO Group: alongside the aforementioned zero-click exploit, Pegasus’ capabilities allow it to capture every keystroke, turn on the mic and camera, regularly capture screenshots, and exfiltrate every single file on the device and associated cloud accounts. Germany, Belgium, France, Hungary, Poland, Thailand, and the United Arab Emirates are just a few countries that have either admitted to using Pegasus spyware or are actively launching investigations into the use of Pegasus against their citizens.

Trojans with spyware functions

Spyware doesn’t have to be as fancy as NSO’s offerings. In 2023, the Google Play store was discovered to be hosting two popular file management apps that were, in fact, Chinese trojans with advanced spyware functions.

The apps – File Recovery and Data Recovery with over 1 million installs, and File Manager with over 500,000 installs – were both developed by the same entity. These Android apps both launch automatically upon device reboot without user consent. They then covertly collect a wide range of personal information, including contact lists, media files, real-time location, mobile, and SIM provider network codes, as well as details about the device itself.

Additionally, the volume of data being stolen was noted to be alarmingly high, with each app conducting over a hundred data transmissions to multiple malicious servers on a regular basis.
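The pattern in this case (a file manager that starts at boot, has network access, and reads contacts, location and SIM details) can be checked against an app inventory. The Python sketch below is an added example, not code from the article or from NinjaOne; the package names, categories and the "expected permissions per category" table are constructed assumptions, while the permission strings are standard Android permission names.

```python
P = "android.permission."
BOOT, NET = P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"

# Sensitive permissions mapped to the data types named in the article.
SENSITIVE = {
    P + "READ_CONTACTS": "contact list",
    P + "ACCESS_FINE_LOCATION": "real-time location",
    P + "READ_PHONE_STATE": "SIM and network details",
    P + "READ_EXTERNAL_STORAGE": "media files",
}

# Assumption: which sensitive permissions each app category plausibly needs.
EXPECTED = {
    "file_manager": {P + "READ_EXTERNAL_STORAGE"},
    "maps": {P + "ACCESS_FINE_LOCATION"},
}

# Constructed inventory, e.g. exported from a device-management tool.
INVENTORY = [
    {"package": "com.example.filerecovery", "category": "file_manager",
     "permissions": {BOOT, NET, *SENSITIVE}},
    {"package": "com.example.maps", "category": "maps",
     "permissions": {BOOT, NET, P + "ACCESS_FINE_LOCATION"}},
    {"package": "com.example.notes", "category": "notes",
     "permissions": {P + "READ_EXTERNAL_STORAGE"}},
]


def audit(inventory, max_unexpected=1):
    """Flag apps that autostart at boot, can reach the network, and request more
    than max_unexpected sensitive permissions their category does not explain."""
    findings = []
    for app in inventory:
        perms = app["permissions"]
        allowed = EXPECTED.get(app["category"], set())
        unexpected = sorted(
            SENSITIVE[p] for p in perms if p in SENSITIVE and p not in allowed
        )
        if BOOT in perms and NET in perms and len(unexpected) > max_unexpected:
            findings.append((app["package"], unexpected))
    return findings


if __name__ == "__main__":
    for package, reasons in audit(INVENTORY):
        print(f"{package}: unexplained access to {', '.join(reasons)}")
```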


Rootkits

Rootkits are uniquely well-positioned to play a role in spyware, because they’re designed to gain privileged access to a system while remaining undetected. A recent discovery found that a rootkit has been gaining access to computers at one of the most foundational levels since 2016. Nicknamed CosmicStrand, the rootkit compromises the UEFI – a piece of boot code located on the motherboard itself.

It’s the very first piece of software to run whenever a computer is booted up, and as a result influences every OS and software that later loads. Because of the hooks that can be placed into the bootup process, devices remain infected even if the hard drive is completely replaced. 

The real concern highlighted by security researchers is the fact that rootkits such as these have been around in the wild for a relatively long time. While CosmicStrand has now been linked to a Chinese-speaking threat group, it’s highly likely that there are other rootkits out there that have simply not yet reared their heads. 

How to protect against spyware

Unless you’ve made some powerful enemies, protecting against spyware is largely as simple as maintaining good security hygiene. For added safety, anti-spyware software can help keep snooping figures at bay. NinjaOne’s Remote Monitoring and Management (RMM) platform provides complete visibility into end-user devices, allowing for a comprehensive understanding of what software is running on each asset. 

With a new baseline of visibility, it becomes possible to configure, patch, uninstall, and monitor your end users’ applications at scale, with no reliance on an expensive and time-consuming company network, VPN, or domain. Being able to remove vulnerabilities and automatically identify concerning vulnerabilities is a key part of protecting teams against spyware. 

One last anti-spyware feature is NinjaOne’s drive encryption capabilities: this identifies which drives are unencrypted, and securely encrypts them in accordance with industry best practices, further hardening specific points of interest. With NinjaOne, your organization’s people and intellectual property are kept abreast of the rapidly-evolving field of spyware.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all their devices centrally, remotely, and at scale.
