Jul 11 · 3 min read
Nothing says I’m over you like hiding a little spyware on your ex’s smartphone.
“Just because you’re paranoid doesn’t mean they’re not out to get you,” the late comedian Mort Sahl famously observed. That warning seems especially applicable in the case of current and former domestic partners and lovers.
Anti-virus software researchers report that thousands of people, mostly women, have “stalkerware” apps hidden on their phones — surreptitiously installed by their partners — that give the stalker access to the victim’s email, location, SMS, social media messages and even live feeds from their device cameras or microphones.
How big a problem is it? Cybersecurity software maker Kaspersky Lab says that last year it found and removed 58,000 instances of stalkerware among its own customers alone, after they installed its antivirus app and ran scans. Android phones are the most common target.
This is a serious domestic abuse problem, and Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF) and head of its Threat Lab project, has been leading what is essentially a one-woman crusade to bring it to the attention of anti-virus firms, governments and the public:
“Full access to someone’s phone is essentially full access to someone’s mind. The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge.”
Galperin is also pushing Apple, which doesn’t allow anti-virus companies to operate on its iPhones, to include better protections against stalkerware (experts note that an iOS device generally has to be jailbroken before an app can carry out extended exfiltration). She is also calling for state and federal officials to crack down on companies that sell stalkerware.
Installing stalkerware requires no particular programming expertise. All the stalker needs is access to your phone long enough to download and install the offending app. (See a list in the chart above.)
One of the problems in detecting stalkerware is that many of the available apps also have a legitimate use: helping parents monitor their children’s smartphone activity, locating a lost phone, or letting employers ensure their workers aren’t using company smartphones for private calls. Some firms are now using AI-based classifiers to spot apps that may have been sold as legitimate and legal but behave like malware, for example by running when the user hasn’t opened them or by hiding their icon.
The major anti-virus companies have been alerting users about “commercial spyware” for the past several years but have generally miscategorized these shady apps as adware (software that automatically displays advertisements) or some other nuisance software that users may not want but that is not necessarily dangerous.
In scans, potential spyware is likely to show up as “not-a-virus,” which is more confusing than helpful. Kaspersky is now moving to a broader privacy alert warning that the app could be used to “compromise your personal data,” including by eavesdropping on calls and reading emails and text messages.
Kaspersky’s Alexey Firsh says there are two major differences between stalkerware and other commercial spyware.
Firstly, they are distributed through dedicated landing pages — a direct violation of Google Play safety recommendations. Secondly, these apps have functionality that allows them to invade the privacy of an individual without their consent or knowledge: the application icon can be hidden from the applications menu, while the app continues to run in the background, and some functions of the app fulfil surveillance tasks (such as recording the victim’s voice). Some even delete traces of their presence from the phone, along with any installed security solutions, once the attacker manually grants the application root access.
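The traits listed above (a hidden icon, running in the background without the user opening the app, surveillance functions, and hooks that resist removal) are the same behavioural indicators a scanner can check for, which is the point made earlier about apps that are sold as legitimate but behave like malware. The following Python script is an added example, not code from the article, Kaspersky or the EFF: it applies those indicators to an AndroidManifest.xml and separates an app that merely has monitoring capabilities from one that also hides itself. The three manifests are constructed samples with hypothetical package and class names, and the permission list and verdict thresholds are this example’s own, not any vendor’s detection logic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation key ElementTree uses for an `android:` attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions that let an app read messages, track location or eavesdrop
# (example list, not a vendor signature set).
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.CAMERA": "use camera",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
}


def _has_intent(component, action, category=None):
    """True if the component declares an intent-filter with `action`
    (and `category`, when given)."""
    for flt in component.findall("intent-filter"):
        actions = {e.get(android_attr("name")) for e in flt.findall("action")}
        categories = {e.get(android_attr("name")) for e in flt.findall("category")}
        if action in actions and (category is None or category in categories):
            return True
    return False


def assess_manifest(manifest_xml):
    """Check one AndroidManifest.xml for the stalkerware traits in the text."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    perms = {p.get(android_attr("name")) for p in root.findall("uses-permission")}

    findings = {
        # Hidden icon: no activity answers MAIN/LAUNCHER, so nothing appears
        # in the app drawer.
        "hidden_icon": not any(
            _has_intent(a, "android.intent.action.MAIN",
                        "android.intent.category.LAUNCHER") for a in activities),
        # Runs without the user opening it: a receiver wakes it at boot.
        "starts_on_boot": any(
            _has_intent(r, "android.intent.action.BOOT_COMPLETED") for r in receivers),
        # Device-admin hook: cannot be uninstalled until deactivated, a common
        # way to resist removal.
        "device_admin": any(
            _has_intent(r, "android.app.action.DEVICE_ADMIN_ENABLED") for r in receivers),
        "surveillance": sorted(
            SURVEILLANCE_PERMS[p] for p in perms if p in SURVEILLANCE_PERMS),
    }
    spying = len(findings["surveillance"]) >= 2
    if findings["hidden_icon"] and spying and (
            findings["starts_on_boot"] or findings["device_admin"]):
        findings["verdict"] = "stalkerware-like"
    elif spying:
        # Same capabilities but visible and launchable: could be a parental
        # control or employer tool. Consent of the phone's owner decides.
        findings["verdict"] = "monitoring app (legitimate use possible)"
    else:
        findings["verdict"] = "no surveillance indicators"
    return findings


# Constructed sample manifests (hypothetical package and class names).
STALKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysservice">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Service">
    <activity android:name=".Hidden"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".Admin"><intent-filter>
      <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter></receiver>
  </application>
</manifest>"""

PARENTAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.kidwatch">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="KidWatch">
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("stalker", STALKER_MANIFEST), ("parental", PARENTAL_MANIFEST),
                      ("benign", BENIGN_MANIFEST)]:
        print(name, assess_manifest(xml))
```

Two caveats a practitioner would add. A static manifest check only catches apps that never declare a launcher entry; many stalkerware apps ship with an icon and disable it at runtime through PackageManager.setComponentEnabledSetting, so an on-device scanner should also compare a package’s currently enabled components with its manifest. And the “monitoring app” verdict is exactly the ambiguity the article describes: a parental-control tool and stalkerware can request identical permissions, and what separates them is whether the app hides itself and whether the phone’s owner consented, which no permission list can tell you.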
Eva Galperin has launched a major outreach effort to survivors of stalkerware and followed up with the respondents to an open call for stories of suspicious, stalkerware-like events in the lives of survivors of domestic abuse. If you’re one of them, I suspect she’d like to hear your story.