Thousands of iOS and Android users have been tracked by this stalkerware app – how to stay safe


Although we often worry about being tracked by companies online, stalkerware apps pose an even greater risk to both privacy and safety, because they are typically installed by someone close to the victim who has physical access to the phone.

Stalkerware and spyware have both surged in recent years, even though you won't find these apps on the Google Play Store or Apple's App Store. Instead, they have to be loaded onto the victim's device by hand, often by a partner or spouse, which is why stalkerware is also called spouseware.

Beyond violating a victim's privacy, many of these apps contain vulnerabilities and other security flaws that can expose the harvested data to third parties. One such app, XNSPY, has collected data from tens of thousands of iPhone and Android users, according to a new report from TechCrunch, and the report found the app riddled with security flaws of its own.

XNSPY

Even though XNSPY isn't listed on any app store, it is one of the most popular stalkerware apps in use today. Data seen by TechCrunch shows that at least 60,000 smartphone users have been tracked by the app since 2014, with a recent influx of new victims during the pandemic.

Because the stalkerware has to be loaded manually, the person doing the spying needs physical access to the target device. An Android phone has to be rooted to use all of XNSPY's features, while an iPhone has to be connected to a computer via iTunes during setup.

On its website, XNSPY advertises a lengthy list of spying features, including the ability to read a victim's call logs and messages, take screenshots of their device, record their surroundings, track their location via GPS, log keystrokes in WhatsApp, Facebook and other messaging apps, view the names and locations of Wi-Fi networks the phone has joined, and more.

Using stalkerware to monitor another adult without their consent is illegal in most jurisdictions, and XNSPY's own site acknowledges as much: "It's outright illegal to spy on your spouse, girlfriend/boyfriend, or partner using XNSPY. Failure to do so is likely to result in violation of applicable law and may result in severe monetary and criminal penalties imposed on the violator."

Riddled with security flaws

Over the past few months, security researchers Vangelis Stykas and Felipe Solferini have been investigating stalkerware apps to learn how they exfiltrate data and which servers and networks receive it.

They recently presented their findings at the BSides London security conference, where they revealed several common and easy-to-find security flaws in a number of stalkerware apps, including XNSPY. These flaws further expose victims' stolen data, and much of that data isn't stored securely to begin with.

Although stalkerware is easier to install on Android, where apps can be sideloaded, the data TechCrunch saw included more than 10,000 unique iCloud email addresses and passwords, which the app uses to pull a victim's data from their iCloud account. Worse, those credentials were stored unencrypted.

Developers of ordinary apps can be pressured by Google or Apple to fix security flaws; stalkerware developers cannot. Because these apps aren't hosted on the official app stores, no one is holding their developers accountable.

How to stay safe from stalkerware


The first step in staying safe from stalkerware is to keep your smartphone with you whenever possible: don't leave it unattended at home, and take it with you when you go out. Since that isn't always possible, set a PIN to unlock your device that only you know or, better, use your fingerprint or Face ID. Check periodically that only your own fingerprints or face are enrolled, because anyone who knows your PIN can add their own.

If you suspect XNSPY or a similar stalkerware app is on your device, there are several signs to look for: the phone using more data than usual, the battery draining faster than it used to, and unexplained glitches in apps you use regularly. None of these is conclusive on its own, but together they warrant a closer look.

The best Android antivirus apps may detect installed stalkerware, but not always. If you believe your privacy and safety are at risk, replacing the phone is the surest fix, though it should be a last resort. To protect your iCloud data, enable Advanced Data Protection on your iPhone (iOS 16.2 and later). And because XNSPY's iPhone monitoring depends on the victim's iCloud credentials, change your Apple ID password and make sure two-factor authentication is turned on.

Stalkerware continues to threaten people around the world, but Google has made some progress against its spread: it has banned stalkerware apps from the Play Store and removed ads for them. Still, unless law enforcement and other government agencies get involved, stalkerware apps will persist as long as there is a market for them.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.