How to protect against stalkerware, a murky but dangerous mobile threat

Last week, we pledged that—in honor of National Cybersecurity Awareness and Domestic Violence Awareness months—we would continue the fight against the online scourge known as stalkerware, or applications used to track and spy on victims without their knowing consent.

We told readers that, despite working to protect against stalkerware programs for more than five years, it was time to take our efforts to the next level by spreading awareness of stalkerware and its dangers, and demonstrating how law enforcement, cybersecurity vendors, and advocacy groups can team up for better results.

We laid out our vision and our plans for future action, calling on other security vendors, organizations, and individuals to get involved.

And now we’re ready to get back to work.

This year’s NCSAM emphasizes personal accountability, stressing the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. The overarching theme of 2019 boils down to a nifty tagline: Own IT. Secure IT. Protect IT. If you need that deconstructed a bit, the message asks users to consider key security concerns, such as maintaining online privacy, securing consumer devices and browsing experiences, and protecting against scams and other threats.

In the context of stalkerware, then, the goal of this particular campaign is to raise awareness of this threat, as well as of the difficulty of defining it, and thus of protecting against it. We aim to help users be personally proactive by demonstrating why stalkerware is both murky and dangerous, where to draw the line between legitimate monitoring programs and stalkerware, and most importantly, how to protect against stalkerware if users feel it’s being used against them.

What makes stalkerware dangerous

In previous blogs, we already described what stalkerware is and what it can do, especially on a mobile device. In a nutshell: Stalkerware can see all the things you see on your device, hear all the things you hear, pinpoint your physical location, and even remotely control your camera and microphone. Calls can be intercepted, eavesdropped on, and recorded—all without the knowledge of the device owner.

Stalkerware applications can conduct surveillance operations just as nefarious as those of spyware, a category of threats deemed by the cybersecurity industry as malicious. However, unlike spyware, stalkerware is largely available on the open market—including on Google Play—to anyone willing to pay.

Often marketing themselves as parental monitoring tools, though sometimes outright advertising their true purpose (to catch a cheating spouse in the act or “keep tabs” on a partner), stalkerware applications are able to skirt many cybersecurity solution detection protocols because, if used with consent or as originally marketed, they may not be particularly malicious.

The danger is that there’s a whole lot of gray area in between malicious spyware used by nation-states and legitimate monitoring programs used by parents or in the workplace. When VICE’s Motherboard first reported on the rampant usage of surveillance applications by “regular people,” jealous or distrustful lovers were often cited as the main participants. And while stalkerware applications might help confirm the nagging suspicion of an affair, they are more often leveraged as tools for control and abuse.

In fact, according to the National Domestic Violence Hotline, digital surveillance is a form of abuse itself.

Let’s take a second to unpack that, because it’s important. If someone is using stalkerware to monitor their partner without that partner’s knowledge, they are participating in a form of abuse. It’s not a long leap from there to full-blown manipulation, and even violence.

Indeed, according to a 2014 study conducted by NPR, a whopping 85 percent of US shelters for abused women were working directly with a victim being tracked via GPS; 75 percent said their victims’ abusers were eavesdropping on their conversations remotely, using hidden mobile apps. This was five years ago.

Despite concerted efforts to “out” a few well-known consumer stalkerware applications by hacktivists—including a breach of FlexiSpy and Retina-X, makers of PhoneSheriff and SniperSpy—the market for personal surveillance has only grown.

In 2014, we started with 421 signatures for applications defined as stalkerware, including monitoring and spyware programs. Signatures are created to identify known threats, and they are uploaded into our software’s database so that when a Malwarebytes user comes across that threat, we automatically detect it.

Today, we have more than 4,300 monitoring signatures in our database, an increase of more than 900 percent over five years. And that’s only signatures of known threats.

Through a technology called behavioral heuristics, we are able to identify if an application is acting like a threat—in this case, if it’s monitoring user activity, location, browser history, or employing other surveillance techniques—and detect it based on suspicious activity. In that way, we catch many more threats that were previously unknown. Through heuristics and signatures combined, we now detect more than 150,000 stalkerware applications.

In addition, thousands of those apps are currently active in the wild. Over the last three months, we have seen 2,332 programs that we consider stalkerware detected at least once by Malwarebytes for Android. Out of those, 107 were categorized as spyware, while the other 2,225 were flagged as monitors.

Monitoring software is currently catalogued as a potentially unwanted program (PUP) by Malwarebytes, so it isn’t automatically blocked and removed from user systems. We instead isolate the application and let users decide whether to keep the program and prevent our software from detecting it in the future, or to dispose of it.

While this allows users to make an autonomous choice about which types of applications to allow on their devices, it also represents a challenge if abusers can simply add monitoring programs to an exclusion list and keep on spying without intrusion.

You can start to see now why stalkerware has proved problematic for the security industry. Where do you draw the line between freedom and safety? For us, it boils down to one simple term: consent.

To monitor, or not to monitor

In a world where opportunities to connect over the digital realm translate into opportunities to cheat, deceive, bully, stalk, harass, and otherwise be bombarded by awfulness, it’s no wonder users are tempted to keep an eye on those they care about most: their partners and children.

As we said in our article about the difference between parental monitoring apps and stalkerware, we are not here to tell people how to parent their kids. Nor are we about to expound on relationship advice. But we can tell you what is considered an invasion of privacy or unauthorized access in the eyes of the law, as well as the cybersecurity community.

If you strip away the reasons for using monitoring apps—ranging from legitimate love and concern for safety to a desire to exert power and control over an individual—the capabilities of many stalkerware and monitoring programs are no different, technically, from surveillance programs used by nation-states.

Let’s take a look at a few examples to demonstrate our meaning.

Below are four monitoring applications that, so far, only Malwarebytes detects. Two of them are still available on Google Play and Apple’s App Store.

Couple Tracker

  • Detection name: Android/Monitor.CoupleTracker
  • Available on: third-party platforms, its own website
  • Features: includes location and phone activity viewable in real time; delete prevention, which keeps partners from hiding or removing texts, calls, or other content; call and text history

Track Boyfriend

  • Detection name: Android/Monitor.TrackFriend
  • Available on: third-party platforms, its own website
  • Features: includes call, email, and social media tracking; access to contact names, email addresses, and phone numbers; ability to monitor dates and times of contacts made with individuals, and number of times contacted

Shadow: Kid’s Key Logger

  • Detection name: Android/Monitor.SimplleKeyLogger
  • Available on: Google Play
  • Features: includes key and event logging; browser and call history; applications accessed; email and text content; allows parent/partner to modify or delete files, applications, and pictures; records time spent online, using apps, or on other activities

Safer Kid 

  • Detection name: Android/Monitor.SaferKid
  • Available on: Google Play and the App Store
  • Features: text message monitoring; screen time management; browser and call history; access to contact names, email addresses, and phone numbers; adult content blocking; cannot be disabled without parent knowledge or consent

We detect apps such as these on the understanding that they could be used legitimately, but also have the potential to be misused. More importantly, many of the features and capabilities of these applications can be construed as invasions of privacy—even by parents who aren’t trying to snoop on their kids. And finally, if implemented without consent, monitoring apps cross the line into abusive territory.

For example, Couple Tracker requires that both partners download the app on their phones and states that its icon cannot be hidden. This could be interpreted as a sign of consent, but an abuser could easily manipulate a victim into participating, or download the application without his partner’s knowledge, relegating the icon to a less visible area on the phone.

Meanwhile, Safer Kid allows parents to monitor web browsing, phone contacts, text messaging, and call history, while also restricting access to adult content and downloads of inappropriate apps. While limiting Internet access to age-appropriate content is well within a parent’s right, any notion of privacy is undone by the application’s other features. And if a child is not aware of the full feature set of parental controls on her device, any trust she had established with them will likely evaporate as well.

While this information alone might be enough to deter some folks, monitoring applications—even those used with consent—are often rife with vulnerabilities and other security risks.

In 2017, Cisco researchers disclosed multiple vulnerabilities in “Circle with Disney,” a tool for monitoring a child’s Internet usage. In 2018, a UK-based cybersecurity researcher found two unsecured cloud servers operated by TeenSafe. The servers held details of tens of thousands of accounts, including parents’ email addresses and children’s Apple ID email addresses.

Just last month, researchers at Avast discovered serious security flaws in 600,000 wearable child trackers sold on Amazon and other online merchants. The devices exposed data sent to the cloud, including the real-time GPS locations of children.

Armed with this knowledge, if you’re still considering a monitoring application, check it against these important markers:

  • Can the application be used without knowing consent from the person being monitored?
  • Does the program have capabilities that infringe on personal privacy or allow for unauthorized access as defined by the law or your own moral compass?
  • Are there real security risks to using the application?

If the answer is “yes” to any of these, our advice is to find a different program—or consider ditching the idea of surveilling loved ones altogether.

How to protect against stalkerware

On the other side of the coin are the victims of stalkerware—most often partners or spouses, with a special nod to those embroiled in domestic violence. Since so many of these applications can be used without consent and include stealth features that hide their presence, it’s difficult for victims of stalkerware to know exactly what they’re dealing with in order to determine next best steps.

However, as noted above, most domestic violence victims are also victims of digital abuse, including having their locations and communications tracked. And most could tell you that they didn’t know how their partner did it, but they knew, somehow, they had “hacked” into their device.

So the first step is a gut check. There are a few technical symptoms of stalkerware, including quickly-depleting battery life and increased data use, but those could be symptomatic of a multitude of other malware, hardware, or battery issues. Therefore, when trying to assess if your device has been infiltrated with stalkerware, consider the following factors, which are outlined in full in our article for victims of domestic abuse on what to do when you find stalkerware on your device:

  • Does your partner have physical access to your device?
  • Does your partner know your device’s passcode?
  • Does your partner seem to know where you are without your having told him?
  • Is your girlfriend suddenly asking pressing questions about a topic you only discussed via text or email with someone else?
  • Are photos suddenly disappearing or appearing on your device without your tampering?
  • Does your partner just seem to know too much?

Domestic violence advocacy groups and victims we spoke with pointed to the same signal: a feeling of being watched. As Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, advised users in a previous Labs blog: trust yourself. You know the feeling of being watched and controlled. Trust those feelings and never discount your own concerns.

While we previously and carefully documented next steps for victims of abuse, next steps for “regular” users are not quite as nuanced and complex. Android users can download the free version of Malwarebytes for Android and run a scan to root out stalkerware, spyware, or other monitoring programs. If our program finds stalkerware on your device, we recommend you remove it and immediately change your device’s passcode (or create a passcode if you don’t have one).

From there, consider resetting passwords of other accounts using a clean, safe device. And moving forward, pay special attention to the applications on your device and the permissions available for each.
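One way to act on the advice to review each application's permissions, as an added example (not part of the original article and not Malwarebytes' detection logic): the Python below reads a per-app permission listing and reports apps whose granted permissions span several of the surveillance capabilities described earlier. It assumes a simplified listing in the style of `adb shell dumpsys package` output, whose exact layout varies by Android version; the capability groups, the threshold of three, and the package names are assumptions made for illustration.

```python
import re

P = "android.permission."
# Permission groups for capabilities the article lists (assumed grouping).
CAPABILITIES = {
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_BACKGROUND_LOCATION"},
    "messages": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "calls": {P + "READ_CALL_LOG"},
    "contacts": {P + "READ_CONTACTS"},
    "microphone": {P + "RECORD_AUDIO"},
    "camera": {P + "CAMERA"},
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def parse_granted(listing):
    """Return {package: set of granted permissions} from the listing text."""
    granted, current = {}, None
    for line in listing.splitlines():
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
        elif perm and current and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted

def review_list(listing, threshold=3):
    """Apps whose granted permissions span >= threshold capability groups."""
    report = {}
    for pkg, perms in parse_granted(listing).items():
        caps = sorted(n for n, group in CAPABILITIES.items() if perms & group)
        if len(caps) >= threshold:
            report[pkg] = caps
    return report

# Constructed sample input; the package names are made up.
SAMPLE = """\
Package [com.example.systemservice]
  android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  android.permission.READ_SMS: granted=true
  android.permission.READ_CALL_LOG: granted=true
  android.permission.RECORD_AUDIO: granted=true
  android.permission.READ_CONTACTS: granted=false
Package [com.example.maps]
  android.permission.ACCESS_FINE_LOCATION: granted=true
  android.permission.RECORD_AUDIO: granted=true
"""
print(review_list(SAMPLE))
```

An app on the resulting list is a candidate for manual review rather than a verdict, since legitimate messaging and navigation apps hold several of these permissions too.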

We don’t know the specifics of users’ relationships with their partners, and wouldn’t dare to consider advising on how to figure out who put the stalkerware on your device or whether or not to confront an individual you know is responsible. Again, this is outside of the context of domestic violence. For those who are victims of abuse, an entirely different protocol is necessary to ensure physical safety. We cannot stress that enough.

But for those who are not at risk from abusive partners, we can say this: You deserve an autonomous, free, and safe experience with technology. Whoever infringes on that is not your friend. Whether you’re a parent who wants to keep their child safe or a partner who worries the person they love is going astray, you can address these situations without destroying trust, with informed consent, and with respect for personal privacy.

In the spirit of National Cybersecurity Awareness Month, we ask that those who are not at risk of physical or emotional abuse join us in a public display of support. To increase awareness of threats lurking unknown on devices, including stalkerware, download one of our free scanners (for Android, Windows, iOS, and Mac) and upload your results to Twitter—while making sure no personally identifiable information is on display. Follow the directions below for the opportunity to win a free Premium license:

1. Install Malwarebytes on your device for free at /mwb-download.

2. Screenshot your scan results and upload them to Twitter.

3. Tag and follow @Malwarebytes for your chance to win a Premium license.

We’ll choose the winners at the end of the week. In the meantime, stay informed, stay aware, and as always, stay safe!

ABOUT THE AUTHOR

Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.