Stalkerware is legal but often considered unethical. Find out what stalkerware is and how it can get on your smartphone.
The idea of someone tracking your whereabouts and eavesdropping on your conversations can be unsettling. Yet, more than 58,000 Google Android users had this happen to them. That’s because these individuals had stalkerware installed on their smartphones.
Stalkerware is not limited to Android phones. It can be installed on smartphones of virtually any make or model. (It can even be installed on other computing devices such as tablets and laptops.) To protect against this threat, you need to know what stalkerware is and how it can get on your phone.
Stalkerware 101
Stalkerware is commercial spyware offered by companies, not cybercriminals. Usually marketed as a solution to track employees or monitor children, it is set up like a Software as a Service (SaaS) offering. Customers pay a monthly fee to access data collected by a client app they installed on the phones they want to stalk. Although legal in many countries, stalkerware is increasingly being considered unethical because of the types of information it collects and how the data is gathered.
If a stalkerware app is installed on your phone, it will collect information on pretty much everything you do. For example, besides tracking the places you visit in both the physical and digital realms, it will log your calls, stockpile the photos you take, and amass the emails and text messages you send and receive.
All this information is sent to and stored on the stalkerware company’s servers. The customer (aka stalker) will have access to it as long as they continue to pay for the service. It typically costs between $16 and $68 per month, according to one report.
While some stalkerware apps will display a visible marker on the phone’s screen to let people know they are being watched, most operate in stealth mode. Several apps even go to great lengths to avoid detection, such as masking themselves as a system service in a phone’s installed applications list. Thanks to tactics like these, stalkerware victims are often unaware they are being tracked.
How Stalkerware Gets on Phones
Although stalkerware is legal, official app stores like Google Play and the App Store typically ban it. (Parental control software and programs designed to find lost phones are not considered stalkerware, which is why you will find them in app stores.) However, an Internet search will quickly reveal websites of companies that offer stalkerware.
The main method in which stalkerware apps get on phones is manual installation, according to security experts. The installation process is pretty straightforward — stalkers do not need to be techies to get the apps working. A few companies will even deliver phones with their stalkerware apps preinstalled to customers who are technically challenged.
The Dangers
Few people will contest that the kind of information gathered by stalkerware can be dangerous. Case studies have shown that it can lead to stalkers harassing, blackmailing, and even physically abusing their victims.
There are also other dangers that aren’t as obvious. Outsiders might see the captured data one of several ways:
- Since the data gets stored on the stalkerware company’s servers, staff members might access and look at the data.
- The data might get inadvertently leaked to the world at large. For example, millions of records collected by the mSpy stalkerware app were leaked because the company failed to properly protect its database. The leaked records included call logs, text messages, contacts, and location data.
- Hackers might breach the data. For instance, Retina-X Studios was breached twice by the same hacker. The hacker accessed and exposed the photos collected by two of its stalkerware apps.
Help Is on the Way
Efforts to crack down on the stalkerware industry are being led by the Electronic Frontier Foundation (EFF). One action the EFF is advocating is for security software companies to treat stalkerware as a serious threat. Often, that’s not the case. A 2018 study found that most security programs do a poor job of detecting and flagging stalkerware as a dangerous app.
Partnering with EFF, Kaspersky Lab has taken the first step toward cracking down on stalkerware. Previously, its Internet Security for Android software flagged stalkerware apps as suspicious but then displayed a “not a virus” message, which was confusing for users. Now there is no question about the dangers. The software displays a large “Privacy alert” message for any blacklisted stalkerware apps it finds installed on phones. After explaining what the app can do (e.g., eavesdrop on calls, read text messages), the security software gives users the option to delete or quarantine the program. Alternatively, users can decide to leave the app on their devices.
How to Protect Yourself in the Meantime
The EFF hopes that other security software companies will follow in Kaspersky Lab’s footsteps. In the meantime, the best way to protect yourself from stalkerware is to prevent its installation on your phone. Since manual installation is the primary way it gets on devices, there is a simple but effective preemptive measure: Lock your phone when you are not using it.
Smartphones usually provide more than one authentication method to unlock them, so you can use the method with which you feel most comfortable. For example, you might want to use a password or biometric authentication (e.g., iPhone’s Face ID). If you use a password, be sure it is strong and unique — and do not share it with anyone.
If you suspect your phone already has stalkerware on it but your security software does not specifically flag this type of program as a threat, you can check the phone’s activity monitor for suspicious processes. We can help, as it is not always easy to determine which processes are of concern.
phone privacy flickr photo by stockcatalog shared under a Creative Commons (BY) license