Ignored for years despite being one of the most dangerous forms of malware, the greatest trick stalkerware ever played was convincing the world that it didn't exist.
Until recently, cybersecurity experts could overlook stalkerware because of the personal nature of how it spreads, its muddled legal status — and how stalkerware was detected.
Part of the problem, said cybersecurity experts at the Enigma Conference in San Francisco last month, is that stalkerware has been hard to define until recently.
Stalkerware is a form of commercially available spyware that hides itself from the owner of the device on which it has been installed, but with a dark personal twist: It will "intentionally or unintentionally facilitate intimate partner surveillance, harassment, abuse, stalking or violence."
That's according to the Coalition Against Stalkerware, an association formed in mid-2019 by five antivirus makers, four domestic-abuse awareness groups in Europe and the United States, and the Electronic Frontier Foundation.
Misunderstandings legal and technical
Yet antivirus companies historically have been loath to flag stalkerware as malware, even when aware of its existence on a device, said Tara Hairston, the head of government relations for Kaspersky's North American team and a volunteer at the Coalition Against Stalkerware.
"We were detecting it, but labeling it as 'not malware,'" Hairston said. "'Can antivirus companies be sued?' is an active fear."
In 2019, antivirus maker Malwarebytes was, in fact, sued after it chose to flag and block software called SpyHunter. SpyHunter isn't stalkerware, but to many Malwarebytes users, it was a potentially unwanted program (PUP). The case was eventually dismissed.
Like PUPs, stalkerware apps are legal, as long as you don't use them for illegal purposes. It's generally legal to spy on your own children, as long as they're minors, and to monitor your employees' company-issued phones. That's why many stalkerware makers say they're selling parental-control apps.
Further complicating the situation is that technology companies and even cybersecurity experts have applied the wrong threat model when trying to figure out who would use stalkerware — and who would be targeted.
"They haven't been taking into account the domestic-abuse threat model," Hairston said. "There's a misconception that this is a garden-variety cybersecurity problem, and that's not really the case."
What if the attacker wants to be discovered?
That domestic-abuse threat model includes physical proximity to the victim, the threat of physical violence and physical access to the victim's device. Because the abuser seeks to control the victim, the abuser sometimes deliberately reveals that he or she knows what's on the victim's phone to further terrorize the victim.
The nature of stalkerware itself makes it hard to remove. Antivirus software wants to remove traditional malware from a device as quickly as possible, but doing that with stalkerware could let the abuser know that the victim is aware of being spied on.
That could make the situation even more dangerous to the victim, both online and in the real world, said Kevin Roundy, technical director at NortonLifeLock Research Group, after his appearance on a panel of stalkerware experts at the Enigma Conference.
"With stalkerware, remediation varies from case to case," Roundy said.
Growing awareness of stalkerware
While collective action to put an end to stalkerware continues to grow, and law enforcement agencies begin to take the role of stalkerware in domestic violence cases more seriously, many of the top organizations positioned to hit back hardest against stalkerware have yet to sign on.
Google, Apple, Microsoft and other big tech companies have yet to officially sign on to fight stalkerware on their platforms, although Google forbids stalkerware behavior in its Play Store policies. Neither Google nor Apple returned requests for comment.
Stalkerware statistics are hard to come by. The FTC was able to ban sales of Retina-X's three stalkerware apps in October 2019 on a technicality. Retina-X was punished not for designing and selling stalkerware, but for allowing a hacker to breach its servers and steal user data multiple times. The banning of the apps, which had been downloaded more than 15,000 times, represented a major victory in the battle against stalkerware.
Compared with other known malicious apps, the number of downloads appears paltry: 17 apps removed from the Google Play Store last month had been downloaded more than half a million times.
Yet demand for stalkerware remains strong. An online Harris Poll conducted in December 2019 on behalf of NortonLifeLock found that 15% of men, and 6% of women, "admitted to using an app to monitor an ex or current partner's text messages, phone calls, direct messages, emails and photos."
How big is the stalkerware problem?
There are indications that stalkerware use is higher than the numbers would indicate, and that it affects both women and men, said Laura-Kate Bernstein, senior counsel in the Department of Justice's Computer Crime and Intellectual Property Section, who was also on the stalkerware panel at the Enigma Conference.
"There are more cyberstalking cases brought at the federal level year-over-year since 2014," Bernstein said.
Some studies indicate that cyberstalking remains underreported and under-prosecuted even beyond what those statistics show.
That stalkerware cases would often slide under the legal radar is not surprising, said Erica Olsen, director of the Safety Net program at the National Network to End Domestic Violence.
"Many police departments are under-resourced for these kinds of forensic evaluations," Olsen said. "And it can be very hard to find stalkerware because they hide using a stealth mode."
How to tell stalkerware from parental-control apps
Many stalkerware apps present themselves as legitimate parental-control apps. In a blog post, NortonLifeLock's Roundy cited one app that "abruptly changed its name from 'Girlfriend Cell Tracker' to 'Family Locator for Android.'" Even Retina-X once marketed its stalkerware apps as useful for parents (and employers).
But Olsen said that the differences between stalkerware and legitimate parental-monitoring apps are obvious. Stalkerware goes to great lengths to hide itself from the user of the device that it's been installed on, while parental-control software generally makes clear that the device is being monitored, she said.
"Stalkerware is very hard to find because of its stealth mode, and the way it's built," Olsen said. "There are plenty of parental-monitoring options out there that don't have a stealth mode with no notifications or do place an icon on the phone. Stalkerware makes it very hard to tell that it's on the device."
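The distinction Olsen draws (surveillance capability combined with stealth: no launcher icon and no monitoring notice) can be turned into a simple triage over a device's app inventory. The code below is an added illustration, not CreepRank or any vendor's detection logic; the capability names, thresholds and sample inventory are constructed assumptions. It records evidence rather than removing anything, since removal can tip off the abuser and the record is what a victim can hand to law enforcement.

```python
from dataclasses import dataclass

# Capabilities the article lists as what stalkerware monitors: texts, calls,
# direct messages, e-mail and photos (names here are constructed labels).
SURVEILLANCE_CAPS = {"read_sms", "call_log", "read_notifications",
                     "read_email", "read_photos", "location"}


@dataclass
class InstalledApp:
    package: str
    label: str
    capabilities: set
    has_launcher_icon: bool        # visible to the device user?
    shows_monitoring_notice: bool  # persistent "this device is monitored" notice?


def classify(app: InstalledApp) -> str:
    """Apply the article's distinction: surveillance plus stealth is the red flag."""
    caps = app.capabilities & SURVEILLANCE_CAPS
    if not caps:
        return "no-surveillance"
    if app.has_launcher_icon and app.shows_monitoring_notice:
        return "transparent-monitoring"
    # Assumed threshold: hidden on both counts and at least two monitoring powers.
    if not app.has_launcher_icon and not app.shows_monitoring_notice and len(caps) >= 2:
        return "likely-stalkerware"
    return "needs-review"


def evidence_report(inventory):
    """Document flagged apps without touching them (no uninstall, no alerts)."""
    return [
        {"package": a.package, "label": a.label, "verdict": classify(a),
         "capabilities": sorted(a.capabilities & SURVEILLANCE_CAPS)}
        for a in inventory if classify(a) != "no-surveillance"
    ]


# Constructed sample inventory; package names are fictitious.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.familylocator", "Family Locator",
                 {"location", "read_sms"}, True, True),
    InstalledApp("com.example.sysupdate", "System Update",
                 {"read_sms", "call_log", "location", "read_photos"}, False, False),
    InstalledApp("com.example.weather", "Weather", {"location"}, True, False),
    InstalledApp("com.example.notes", "Notes", set(), True, False),
]

if __name__ == "__main__":
    for row in evidence_report(SAMPLE_INVENTORY):
        print(row)
```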
To improve estimates of the scope of the problem of stalkerware, Roundy's work at NortonLifeLock has included the development of CreepRank, a new feature built into Norton Mobile Security. CreepRank looks at installed surveillance apps and tries to find similar apps on the same device. Using that methodology, CreepRank has found more than 1,000 malicious apps on devices running Norton software.
Looking for more antivirus firms to sign on against stalkerware
As awareness of stalkerware grows, the reach of Android antivirus apps could prove pivotal in gaining the evidence needed to back up the anecdotal research pointing to its spread.
For Eva Galperin, the Electronic Frontier Foundation's director of cybersecurity and a leader in the fight against stalkerware, more antivirus vendors need to take a stand against stalkerware. (In addition to Kaspersky and NortonLifeLock, antivirus makers Avira, G Data and Malwarebytes are part of the Coalition Against Stalkerware.)
Antivirus apps that detect stalkerware can provide the missing link of forensic proof to law enforcement that stalkerware victims often struggle to obtain.
"When victims of abuse feel that they're being spied on, they have a great deal of difficulty providing law enforcement with some kind of proof," Galperin said during the panel discussion. "Often they do sound crazy."
But if there's evidence backed by legitimate, recognized security apps already installed on the device, then "suddenly they have something they can work with."
Help for people in abusive relationships can be found by contacting the National Domestic Violence Hotline at 1-800-799-7233.