Research on commercial surveillance software
We told readers that, despite working to protect against stalkerware programs for more than five years, it was time to take our efforts to the next level by spreading awareness of stalkerware and its dangers, and demonstrating how law enforcement, cybersecurity vendors, and advocacy groups can team up for better results.
Spyware might sound like a concept from a Hollywood movie, yet commercial versions of such programs – known in the cybersecurity industry as ‘stalkerware’ – are a daily reality for many people. For the price of just a few dollars, consumer spyware programs allow users to spy on their current or former partners, and even strangers. This can be done by simply installing an app on the targeted victim’s smartphone or tablet. Once this has happened, the stalker is granted access to a range of personal data: from the victim’s location and SMS, to social media messages and live feeds from their device camera or microphone.
From observing stalkerware program functionality, it can be seen that there are very few differences between commercial spyware (detected and defined by most security software as ‘not-a-virus’) and classic spying malware. For example, a consumer surveillance program works like this:
- The command and control server (C2) is provided by the service owners
- It is easier to buy and deploy than spying malware. There is no need to use shady hacking forums or have programming skills – in almost all cases it requires a simple manual installation
We detect such programs as ‘not-a-virus:Monitor’ and have been keeping a close eye on them. Two years ago, we published our first overview and continued to monitor such threats. We have now decided to conduct further research to check how stalkerware is being used and determine the most prominent features of the latest consumer surveillance programs.
We examined applications for mobile platforms, with a particular focus on Android, because it is the most popular OS that stalkerware is implemented on. For attackers to perform extended exfiltration activities on iOS devices, the devices need to be jailbroken first.
All in all, 2018 saw 58,487 users who had a stalkerware application installed on their phones or tablets. That is a moderate number compared to other types of threats. For example, during the same period, the number of users who encountered ransomware was 187,321. However, it should be noted that when it comes to malware, our figures show how many people we were able to protect from infection. But when we look at stalkerware, the situation is a bit different.
The following statistics reveal the most detected stalkerware applications based on the number of unique users of Kaspersky Lab for Android mobile products:
To monitor, or not to monitor
In a world where opportunities to connect over the digital realm translate into opportunities to cheat, deceive, bully, stalk, harass, and otherwise be bombarded by awfulness, it’s no wonder users are tempted to keep an eye on those they care about most: their partners and children.
As we said in our article about the difference between parental monitoring apps and stalkerware, we are not here to tell people how to parent their kids. Nor are we about to expound on relationship advice. But we can tell you what is considered an invasion of privacy or unauthorized access in the eyes of the law, as well as the cybersecurity community.
If you strip away the reasons for using monitoring apps—ranging from legitimate love and concern for safety to a desire to exert power and control over an individual—the capabilities of many stalkerware and monitoring programs are no different, technically, from surveillance programs used by nation-states.
Let’s take a look at a few examples to demonstrate our meaning.
Below are four monitoring applications that, so far, only Malwarebytes detects. Two of them are still available on Google Play and Apple’s App Store.
- Detection name: Android/Monitor.CoupleTracker
- Available on: third-party platforms, its own website
- Features: includes location and phone activity viewable in real time; delete prevention, which keeps partners from hiding or removing texts, calls, or other content; call and text history

- Detection name: Android/Monitor.TrackFriend
- Available on: third-party platforms, its own website
- Features: includes call, email, and social media tracking; access to contact names, email addresses, and phone numbers; ability to monitor dates and times of contacts made with individuals, and number of times contacted

- Detection name: Android/Monitor.SimplleKeyLogger
- Available on: Google Play
- Features: includes key and event logging; browser and call history; applications accessed; email and text content; allows parent/partner to modify or delete files, applications, and pictures; records time spent online, using apps, or on other activities

- Detection name: Android/Monitor.SaferKid
- Available on: Google Play, the App Store
- Features: text message monitoring; screen time management; browser and call history; access to contact names, email addresses, and phone numbers; adult content blocking; cannot be disabled without parent knowledge or consent
We detect apps such as these on the premise that they could be used legitimately but also have the potential to be misused. More importantly, many of the features and capabilities of these applications can be construed as invasions of privacy—even by parents who aren’t trying to snoop on their kids. And finally, if implemented without consent, monitoring apps cross the line into abusive territory.
For example, Couple Tracker requires that both partners download the app on their phones and states that its icon cannot be hidden. This could be interpreted as a sign of consent, but an abuser could easily manipulate a victim into participating, or download the application without his partner’s knowledge, relegating the icon to a less visible area on the phone.
Meanwhile, Safer Kid allows parents to monitor web browsing, phone contacts, text messaging, and call history, while also restricting access to adult content and downloads of inappropriate apps. While limiting Internet access to age-appropriate content is well within a parent’s right, any notion of privacy is undone by the application’s other features. And if a child is not aware of the full feature set of parental controls on her device, any trust she had established with them will likely evaporate as well.
While this information alone might be enough to deter some folks, monitoring applications—even those used with consent—are often rife with vulnerabilities and other security risks.
In 2017, Cisco researchers disclosed multiple vulnerabilities in “Circle with Disney,” a tool for monitoring a child’s Internet usage. In 2018, a UK-based cybersecurity researcher found two unsecured cloud servers operated by TeenSafe. The servers included tens of thousands of account details, including parents’ email addresses and children’s Apple ID email addresses.
Just last month, researchers at Avast discovered serious security flaws in 600,000 wearable child trackers sold on Amazon and other online merchants. The devices exposed data sent to the cloud, including the real-time GPS locations of children.
Armed with this knowledge, if you’re still considering a monitoring application, aim to avoid these important markers:
- Can the application be used without knowing consent from the person being monitored?
- Does the program have capabilities that infringe on personal privacy or allow for unauthorized access as defined by the law or your own moral compass?
- Are there real security risks to using the application?
If the answer is “yes” to any of these, our advice is to find a different program—or consider ditching the idea of surveilling loved ones altogether.
How to protect against stalkerware
On the other side of the coin are the victims of stalkerware—most often partners or spouses, with a special nod to those embroiled in domestic violence. Since so many of these applications can be used without consent and include stealth features that hide their presence, it’s difficult for victims of stalkerware to know exactly what they’re dealing with in order to determine next best steps.
However, as noted above, most domestic violence victims are also victims of digital abuse, including having their locations and communications tracked. And most could tell you that they didn’t know how their partner did it, but they knew, somehow, they had “hacked” into their device.
So the first step is a gut check. There are a few technical symptoms of stalkerware, including quickly-depleting battery life and increased data use, but those could be symptomatic of a multitude of other malware, hardware, or battery issues. Therefore, when trying to assess if your device has been infiltrated with stalkerware, consider the following factors, which are outlined in full in our article for victims of domestic abuse on what to do when you find stalkerware on your device:
- Does your partner have physical access to your device?
- Does your partner know your device’s passcode?
- Does your partner seem to know where you are without your telling him?
- Is your girlfriend suddenly asking pressing questions about a topic you only discussed via text or email with someone else?
- Are photos suddenly disappearing or appearing on your device without your tampering?
- Does your partner just seem to know too much?
Domestic violence advocacy groups and victims we spoke with pointed to the same signal: a feeling of being watched. As Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, advised users in a previous Labs blog: trust yourself. You know the feeling of being watched and controlled. Trust those feelings and never discount your own concerns.
While we previously and carefully documented next steps for victims of abuse, next steps for “regular” users are not quite as nuanced and complex. Android users can download the free version of Malwarebytes for Android and run a scan to root out stalkerware, spyware, or other monitoring programs. If our program finds stalkerware on your device, we recommend you remove it and immediately change your device’s passcode (or create a passcode if you don’t have one).
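As a complement to a scanner, here is an added example (not from the original article or any vendor's tooling): a triage pass that flags apps whose granted permissions span several of the data types this article lists, namely location, SMS, call history, contacts, microphone and camera. The input layout is an assumption modelled on `adb shell dumpsys package` output; the package names, permission mapping and threshold are constructed for illustration.

```python
import re
# Permission mapping and threshold below are assumptions of this example.
CAPABILITIES = {
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "sms": {"READ_SMS", "RECEIVE_SMS"},
    "call history": {"READ_CALL_LOG"},
    "contacts": {"READ_CONTACTS"},
    "microphone": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.([A-Z0-9_]+): granted=(true|false)")

def granted_permissions(dump_text):
    """Map each package name to the set of permissions marked granted=true."""
    result, current = {}, None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            result[current].add(m.group(1))
    return result

def review_list(dump_text, threshold=4, known_good=()):
    """Return (package, capabilities) pairs spanning at least `threshold` groups."""
    findings = []
    for pkg, perms in granted_permissions(dump_text).items():
        caps = [name for name, needed in CAPABILITIES.items() if perms & needed]
        if pkg not in known_good and len(caps) >= threshold:
            findings.append((pkg, caps))
    return sorted(findings, key=lambda f: -len(f[1]))

# Constructed sample (hypothetical package names), not captured from a device.
SAMPLE_DUMP = """\
  Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
  Package [com.example.sync.service] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=false
"""
```

A hit only marks an app for manual review, since dialers and messengers legitimately hold similar grants; pass those in `known_good`.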