FTC issues first ban ever on a stalkerware company

Emma McGowan 2 Sep 2021

Activists applaud the ban as a great first step toward protecting survivors

The US Federal Trade Commission (FTC) recently announced a ban on the stalkerware company SpyFone and ordered them to delete all of the data they had illegally harvested from victims. Additionally, they banned the company’s CEO, Scott Zuckerman, from working in the surveillance industry ever again and ordered the company to notify everyone who had the app installed on their phone.

“I think that this is a sign that the FTC is getting more serious about this kind of abuse,” Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF), a founding member of the Coalition Against Stalkerware, tells Avast. “And I’m really glad to see them calling out stalkerware and the company’s CEO in such a direct way.”

According to the FTC press release on the ruling, SpyFone (which is registered as Support King LLC) sold stalkerware apps that allowed people to surreptitiously monitor other people’s devices. The monitoring could include messages, photos, web histories, GPS locations, and other personal information. The company also provided instructions on how to install their apps without the device owner’s knowledge. 

SpyFone additionally failed to secure the personal data it stole, by “not encrypting personal information it stored, including photos and text messages; failing to ensure that only authorized users could access personal information; and transmitting purchasers’ passwords in plain text,” according to the press release. In fact, a hacker gained access to one of the company’s servers in 2018 and obtained the private information of 2,200 consumers. After that breach, the company promised to work with a data security firm and law enforcement — which the FTC says never happened.

This move by the FTC — the first ban of its kind and the second time the agency has taken action against a stalkerware company — is “the tip of the iceberg” in fighting stalkerware, according to Galperin.

“Start with a ban, start with a decree, then move forward to do what you can in order to enforce these things,” she says. “And I think it makes stalkerware companies think twice about whether or not this type of business will be profitable for them.”

Christopher Budd, Senior Global Threat Communications Manager at Avast, also lauds the FTC move, but wonders what might happen next.

“Now that this has happened, does this mean this program disappears from the internet entirely? Or is there a way the company could start selling it on third-party sites from abroad?” Budd says. “We see this with ransomware groups all the time: They close up shop, throw their code out to the wider world, and someone else picks it up and carries on the work — or they set up shop somewhere else.”

In the meantime, there are steps a survivor can take if they receive the warning that a SpyFone app has been installed on their phone. And while Galperin acknowledges that we don’t yet know exactly what the warning will say, she hopes that the “notification process includes tips on how to remove it and for clarification about whether or not the spying is current and ongoing or whether it’s in the past.” 

Galperin also warns that removing a stalkerware app can further escalate a domestic violence situation, as the abuser could become enraged at the removal of access. That doesn’t mean, however, that a survivor must simply tolerate being stalked. Erica Olsen, Safety Net project director for the National Network to End Domestic Violence (NNEDV), tells Avast that the first step to clearing any stalkerware from a device is to “trust your instincts.”

“Most of the time, a survivor believes this is happening because the abuser just knows too much about their activity, is in their accounts, etc.,” Olsen says. “We suggest that survivors try to pay attention to what the abusive person seems to know and narrow down options for how they may know it. If there is no other explanation for the person knowing device activity, accessing accounts, and knowing the survivor’s location, and the abusive person had physical access to the device at some time, then it’s possible it could be stalkerware.”

For further tips on how to detect stalkerware and safely exit an abusive relationship, please access the NNEDV’s Technology Safety site from a secure device or call the National Domestic Violence Hotline at 1-800-799-SAFE.