Stalkerware is (ab)user-friendly, expert who analyzed malicious apps told CyberNews

Abusers increasingly use stalkerware to spy on their spouses or exes. These malicious apps are easy for perpetrators to install and use, yet sometimes very hard for victims to get rid of, an expert told CyberNews.

The global pandemic has had yet another dark outcome: the use of stalkerware spiked. These apps are often portrayed as innocent tools to ensure business security or children's safety. In reality, they often induce psychological or physical threats or even violence.

Kaspersky's recent report showed that the US remains among the most affected countries globally. In Europe, Germany, Italy and the United Kingdom are the top three most affected countries.

The use of stalkerware can cause psychological damage, including fear, anger, hypervigilance, and PTSD. 

Laura Kankaala, Security Consultant at F-Secure, analyzed the most prevalent stalkerware apps with her colleagues, and CyberNews virtually sat down with her to discuss the findings.

You've analyzed the most prevalent stalkerware apps. What were the results?

Stalkerware and digital abuse are something that is on our radar quite heavily. There's a lot of talk and advertisement, and all kinds of things happening online related to stalkerware. We felt that there's a lot of fuss about it, but we didn't have anything concrete, what it's about actually. So what we did was that we installed, analyzed, and also a little bit decompiled some of the stalkerware that we were able to find, and did some baseline comparison, for example, how is iOS different from Android stalkerware.

We found out that the most powerful stalkerware apps can be found on Android devices - Huawei, Honor, Motorola, and all these different vendors that rely on Android. A lot of this Android-related stalkerware, when you install them, ask for permissions to access the camera and your contact information, location, your messages. In many cases, the stalkerware tries to hide itself so that it's not clearly visible when you open the phone. It can look like an Android system manager. It can sound like something related to Android and should be there, but, in reality, it is stalkerware. When you try to open it, it doesn't open either, so there's no graphical user interface on the phone. But there is a remote control, like a website, where you can observe whatever happens on the phone, see when it's unlocked, and it takes selfies of who is opening the phone and from where. Stalkerware can also take screenshots of chats, for example, WhatsApp. It means that abusers can also then read the messages through those screenshots. In general, I am from a more technical background myself, so I feel that a lot of this stalkerware is designed for people who don't necessarily have a lot of technical knowledge. They are typically easy to use.

For iOS, it seems that a lot of stalkerware is based on access to iCloud. You would need knowledge of their victims' iCloud credentials to be able to install that, and then you can monitor the location and messages, and pictures and whatever being transferred from the phone to iCloud.

So these apps are user-friendly apps?

Absolutely yes. They are marketed as that, as well. If you, for example, go to Google and search how to monitor your husband or wife, there will be a lot of these sites popping up and a lot of detailed instructions on how to get these on another person's device.

So these apps ask for permissions to access cameras, microphones, etc?

They need to have permissions enabled on the phone. The way this typically happens is, for example, your ex, your fiance, or whoever you are living with either shoulder surfs your PIN code, password, or they guess it, or perhaps you don't have it at all. And then, with or without your knowledge, they would install that on your device. It's not something like a criminal trying to attack you over the internet. Often it requires physical access for installation for Android devices especially.

Where did you find these apps? To my knowledge, neither App Store nor Google Play sells them on their platforms.

Google Play Store and App Store have put a lot of effort into trying to get rid of these kinds of apps from their platforms. But, for example, for Android, one thing that you can do is sideloading. It means that you don't have to download apps from the official app stores. The most powerful stalkerware is not installed from the app store. You go to these websites, and they give you the installation package directly, and you put it on the phone and install it.

And for the iOS, the ones that you can find might be on the app store, but they are typically then advertised as for monitoring kids' devices. Or you don't necessarily need an app at all for iOS because you can access it through the iCloud credentials.

What is the legal background for those apps? They are not illegal, are they?

It is good to remember that it is highly unethical to monitor someone else without their knowledge, if not illegal. And even with their knowledge, I would say. A lot of these times (and I'm not talking about children but about two adults monitoring each other's activities), it is not about just that they are monitoring each other and nothing else happens in the physical world. There is either threat of mental or physical violence or actual violence. It's a tool for perpetrating violence.

Have you tested those apps for vulnerabilities? Besides abusers using it for malicious purposes, the data from the victim's phone can be leaked online.

I have not personally looked for those, but that is a very valid concern. These apps collect very detailed information from users and even their private chats and locations, and some of them also record phone calls. We are talking about sensitive data here. We are handing that to a third-party service provider that sometimes does have some kind of privacy policies in place, and states that they don't use it for anything illegal. Naturally, in these kinds of scenarios, I think we come to a very grey area. 

And what about companies that are developing those apps? Are they also shady entities, or would you find some prominent tech companies?

Many of these stalkerware apps, designed for monitoring spouses or exes, typically have more features than you would require, for example, if you were a company wanting to enforce security requirements of your employees' phones. The fact that you can read private messages and tag very exact location and record phone calls, a lot of this, especially for Android, seems to be white-labeled. There is a company that typically provides the back-end application and functionalities. And then another company buys that and brands it with their own branding. That seems to be quite prevalent in what happens in the industry. When it comes to the companies themselves that are selling these apps, it is an unethical business or in this very grey area.

What about antiviruses? Previously, there was some concern around them not catching the apps. Are they getting any better at identifying stalkerware?

Yes, I think antiviruses are getting better at tracking these apps down and helping with their removal.

What are the signs of a stalkerware app? You mentioned that they are disguised quite cleverly, as some Android support app, or even a battery saver app, etc.

One of the signs you can look for on your phone, especially Android devices, is battery consumption. GPS trackers use a lot of battery, so you could notice that the battery life is getting worse, and perhaps your phone is getting a lot warmer on the backside. Outside of physical finds, you could look for signs in the person who is perpetrating, stalking you, or demonstrating any other violent behavior. For example, if they know about your private conversations, how can they know about them?

Should I uninstall the app once I'm sure I'm being followed? That might not be that easy, right?

It may be difficult to uninstall it from the phone directly. In case there are threats or actual violence, these things should be reported to the police or the local law enforcement. Then you should follow their instructions. For example, maybe you need to collect evidence. Keep a note of everything that happens and make screenshots.

Many times factory reset will uninstall this stalkerware because they are just apps on the phone. But if it seems that the phone is jail-broken or rooted, so that means that the security mechanisms that isolate the apps and keep the apps from running without high privileges are broken and bypassed. If you are not getting updates anymore, a factory reset may not work, and in some cases, it may be safer to consider getting a new phone.

So usually with stalkerware there's some kind of violence involved?  

If you are afraid of physical or psychological violence, then always resort to your local law enforcement, go to the police and report these things. There are also locally different initiatives that will help with abuse. So it's always good to look up what kind of options you have in your region and what kind of local assistant groups you have there.
