The growing threat of stalkerware

Kevin Townsend 5 Jun 2020

Stalkerware is a growing domestic malware, with dangerous and sinister implications

While spyware and infostealers seek to steal personal data, stalkerware is different: it steals the physical freedom of the victim. Usually installed secretly on mobile phones by ‘friends’, jealous spouses, ex-partners, and sometimes concerned parents, stalkerware tracks the physical location of the victim, monitoring sites visited on the internet, and text messages and phone calls to friends.

But this is not about data theft – this is about control of the person. If it is installed by parents with the knowledge of their children, there is little harm. All too often, however, it is used to secretly spy on where the target is and what that person is doing; and often it is merely a sinister process that is part of, or degenerates into, an abusive relationship. That abusive element of stalkerware is so severe that in November 2019, support groups for victims of domestic abuse formed the Coalition Against Stalkerware.

The installation of stalkerware

The problem and danger of stalkerware comes from its position sitting astride the distinction between genuine concern and outright malicious intent. The majority of traditional malware is installed by remote hackers using software vulnerabilities or social engineering. This can be detected and prevented by anti-malware products. But stalkerware can be ‘legitimately’ installed by someone with access to the device. Anti-malware products do not prevent legitimate installations, and stalkerware itself is not illegal. The use and intent may be, but the device knows nothing about intent.

In that context, the installer could be a parent, a couple in a genuinely close relationship, an employer monitoring staff use of a company device, an aggrieved ex-partner, or a controlling existing partner. Some of this is valid, but much of it is sinister and dangerous. Because it is not illegal, stalkerware can often be found on legitimate mobile app stores.

It is usually described in innocent terms. For example, an app might allow the user to digitally stalk their spouse, but claim it is for ‘keeping children safe’. Other stalkerware is less ambiguous, openly identifying itself as a way to keep track of a partner or spouse, or a means to closely monitor employees. In most cases, the stalkerware app has features to disguise its presence on the host device: its icon is hidden from the victim’s app folder, and it posts no notifications that might reveal the presence of new software. No legitimate use of tracking software requires it to hide itself.

Most legitimate organizations frown on the use of stalkerware. In July 2019, Google pulled eight such apps from the Play Store following research by Avast. Using its mobile threat detection platform apklab.io, Avast identified the eight malicious stalkerware apps and worked with Google to remove them from the Play Store.

The removal of these apps was good news – even the official descriptions of the software offered such dubious features as ‘this app is created to monitor [children]’ or ‘People usually spy on kids, but employees need strict control too’. Google is firm about malicious apps on its storefront and has a stringent validation process in place, but the presence of applications like these shows that stalkerware can be difficult to identify before damage is done. In this case, that damage was a combined install-base of over 140,000 devices across the eight removed applications.

Stalkerware statistics

Despite the Avast/Google success, 2019 saw a significant increase in the prominence of stalkerware. A 2019 study from the Coalition Against Stalkerware found that encounters with such surveillance apps rose 35% over the year. Over 37,000 users encountered stalkerware in the first eight months of 2019, while only 26,000 encountered trojan-based spyware. This makes stalkerware more prominent today than one of the most significant forms of malware. 

Although Russia, India and Brazil were the global leaders in reported usage of stalkerware apps, the US and UK have worryingly high rates as well. The United States had the fourth highest proportion of potentially affected users worldwide at 7.1%. Meanwhile, the UK was the third most stalkerware-affected nation in Europe. 

The motivation for installing stalkerware on a partner’s device seems to stem predominantly from trust issues. A Harris poll, titled Online Creeping Survey, reported that 44% of Americans who admitted to using stalkerware didn’t trust their partners or had suspicions about their behavior. Twenty percent of those who took part cited retaliation as the reason for installing stalkerware – after discovering surveillance being used by their partner, they installed similar on their partner’s device in response.

Thirty-eight percent gave the reason for using stalkerware as ‘just curious’, while 45% of Americans aged 18-34 believed that online stalking was essentially harmless.

The problem is that stalkerware is only harmless when it does no harm. Documented occurrences of stalkerware leading to direct physical harm in an abusive relationship are rare. They do occur, but are rarely reported. It is believed that victims fear that reporting physical or sexual abuse will provide no solution and will only make the problem worse.

This fear has statistical support from the U.S. criminal justice system: more than three-quarters of sexual assaults are never reported; and of every 1000 that are, 995 perpetrators will walk free. Twenty percent of non-reporting is due to fear of retaliation from the aggressor; 15% is due to a belief that the police cannot, or will not, do anything; and a further 7% is to protect the perpetrator.

How is this relevant to stalkerware? According to the European Institute for Gender Equality research report Cyber violence against women and girls, 2017: “7 in 10 women (70 %) who have experienced cyber stalking, have also experienced at least one form of physical or/and sexual violence from an intimate partner.”

The legal context of stalkerware

To date, there have been few legal actions against stalkerware or its developers. The developer of one app called StealthGenie pleaded guilty to selling spyware in 2014 and was fined $500,000, which is the only recorded penalization. Notably, the product was legally described as spyware although it was used as stalkerware.

Only recently have authorities begun calling the threat by name. In October 2019, the FTC reached a settlement with Retina-X Studios (developer of PhoneSheriff, MobileSpy, and TeenSafe), effectively barring three products unless their functionality was changed. “This is our first action against a so-called ‘stalking app,’” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

Clearly, legislation is not currently able to provide serious protection against stalkerware. It’s a complex problem. Firstly, it is difficult to declare a technology that can help parents protect young children to be unlawful. Developers can sell the product as child security even though they know it will be used for adult stalking. Secondly, stalkerware generally leaves little forensic evidence of its use. If discovered by the victim, common reactions to stalking software are to change devices or do a factory reset on the affected device, erasing the record of having been cyberstalked.

What remains is a morally abhorrent and potentially dangerous application that has ambiguous legality (the illegality is only in its use for ‘stalking’) and is rarely reported by victims to the authorities. So, until systemic social and judicial weaknesses are addressed, we can only rely on our personal security to keep us safe from stalkerware.

Staying safe

Smartphones are often left unprotected by their users. According to Pew Research, over a quarter of mobile users have no lock-screen protection on their smartphones whatsoever, and just over half use neither thumbprints nor PIN codes to keep their devices private. This makes it simple for one suspicious partner to secretly install stalkerware in the living room while the other makes coffee in the kitchen.

Rule #1: secure your phone against all unauthorized physical access.

A good mobile antivirus will treat stalkerware as a PUP – a potentially unwanted program – and give you the option to remove it. Try Avast Mobile Security to keep your mobile device secure from stalkerware as well as other malware and potentially malicious apps. Avast is a leader in the fight against stalkerware, having worked to remove eight of the biggest stalking apps from the Play Store last year. This work will continue as new trends and developments in stalkerware arise, helping to keep users and devices one step ahead of the threats.
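The article names the traits that distinguish stalkerware from ordinary apps: it hides its icon from the app folder, posts no notifications, and tracks location, text messages and calls. The following Python script, added here as an illustration and not code from Avast or from any scanner the article mentions, shows how a PUP-style triage pass can turn those traits into a suspicion score over an inventory of installed apps. The app inventory, package names, score weights and the review threshold are all constructed for the example; the accessibility-service, device-admin and sideloading indicators are additional signals I have assumed a mobile scanner would weigh, and are not taken from the article.

```python
"""Added example: heuristic triage of installed apps for stalkerware-like traits.

Scores each app on the indicators the article describes (hidden launcher icon,
no notifications, access to location / SMS / call logs) plus a few assumed
extras a mobile PUP scanner would also weigh (accessibility service,
device-admin rights, sideloaded install). Inventory and weights are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Permissions that let an app track where a person is and whom they talk to.
SENSITIVE_PERMISSIONS = {
    "ACCESS_FINE_LOCATION",
    "READ_SMS",
    "READ_CALL_LOG",
    "READ_CONTACTS",
    "RECORD_AUDIO",
}

REVIEW_THRESHOLD = 8  # assumed cut-off; tune against real inventories


@dataclass
class InstalledApp:
    """Minimal view of an installed app, as a scanner might collect it."""
    package: str
    label: str
    has_launcher_icon: bool
    posts_notifications: bool
    permissions: Set[str] = field(default_factory=set)
    accessibility_service: bool = False   # assumed extra indicator
    device_admin: bool = False            # assumed extra indicator
    installed_from_store: bool = True     # assumed extra indicator


def score_app(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return a suspicion score and the human-readable reasons behind it."""
    score, reasons = 0, []
    sensitive = app.permissions & SENSITIVE_PERMISSIONS
    if sensitive:
        score += len(sensitive)
        reasons.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
    if not app.has_launcher_icon:
        score += 3  # concealment is the strongest single signal in the article
        reasons.append("no launcher icon (hidden from the app folder)")
    if not app.posts_notifications:
        score += 1
        reasons.append("never posts notifications")
    if app.accessibility_service:
        score += 2
        reasons.append("registers an accessibility service (can read screen content)")
    if app.device_admin:
        score += 2
        reasons.append("holds device-admin rights (resists uninstall)")
    if not app.installed_from_store:
        score += 1
        reasons.append("sideloaded, not installed from an app store")
    return score, reasons


def triage(inventory: List[InstalledApp]) -> List[Tuple[str, int, List[str]]]:
    """Return apps at or above the threshold, most suspicious first."""
    flagged = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= REVIEW_THRESHOLD:
            flagged.append((app.package, score, reasons))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed inventory: package names and traits are made up for this example.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.maps", "Maps", True, True, {"ACCESS_FINE_LOCATION"}),
    InstalledApp("com.example.messenger", "Messenger", True, True,
                 {"READ_SMS", "READ_CONTACTS"}),
    # Consent-based parental control: broad access, but visible and noisy.
    InstalledApp("com.example.familyguard", "Family Guard", True, True,
                 {"ACCESS_FINE_LOCATION", "READ_SMS", "READ_CALL_LOG"}),
    # Concealed tracker: every indicator the article lists, and the assumed extras.
    InstalledApp("com.example.sysservice", "System Service", False, False,
                 set(SENSITIVE_PERMISSIONS), accessibility_service=True,
                 device_admin=True, installed_from_store=False),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score}")
        for reason in reasons:
            print(f"  - {reason}")
```

The visible, notification-posting parental-control app scores well below the threshold even though it reads location, SMS and call logs, which mirrors the article's point that concealment, not capability, is what separates stalkerware from monitoring done with the device owner's knowledge.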

Rule #2: install a good, mainstream antivirus product on your mobile phone.

However, if you are already in an abusive relationship – or fear it is heading that way – you should understand that you are at greater risk from stalkerware. An innocent visit to a friend or relative could be detected and provide the trigger for physical abuse. Even removing the stalkerware could alert the partner. If you have reached this stage, you need help and support fast – and you should not hesitate to seek it. Contact Operation Safe Escape at the earliest safe opportunity. 

Operation Safe Escape is a victim support organization which provides support and education for victims of domestic violence and abuse, and can help with issues of personal, physical and digital safety. If it’s possible your device has been compromised by stalkerware, avoid using it to contact support. If you are able, use an anonymous device such as a library computer or a friend’s phone in order to avoid alerting the stalker.

Rule #3: do not hesitate to contact Operation Safe Escape by a safe means.

Stay safe – and remember that help is available.
