The stalkerware industry — which often markets spyware apps as tools for parents to monitor kids via smartphones — has been treated to a thorough investigation by researchers at Citizen Lab of the University of Toronto.
The researchers, from IT, security, legal and human rights disciplines, are calling for changes to be made by the stalkerware industry, legislators, antivirus vendors, and mobile operating system makers like Google and Apple.
Citizen Lab published two reports today: “A predator in your pocket”, which offers a look at the stalkerware app industry, and “Installing fear”, which offers a legal analysis of using, developing, and selling stalkerware apps. The reports are long, but one of their contributors, Cynthia Khoo, offered a concise summary in a thread on Twitter.
The report focuses on “dual use” apps that can be used for legitimate purposes, such as monitoring employees or children, but are frequently used to covertly monitor partners. The researchers argue these vendors deserve greater scrutiny because of their products' potential to be repurposed as stalkerware.
"Dual-use spyware vendors and developers, even in the context of child and employee monitoring, thus require a higher standard of scrutiny be applied to them, relative to those who engage in commercial activities that do not involve collecting, using, or disclosing intimate personal information," one report states.
The reports look at the issue mostly from a Canadian legal and policy perspective, but also highlight tidbits demonstrating their relevance to all jurisdictions where the products are available and smartphones are used.
“The US-based National Network to End Domestic Violence found that 71% of domestic abusers monitor survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware.”
For Australia, it highlights a 2013 survey by the Domestic Violence Resources Centre Victoria that found 82 percent of victims reported abuse via smartphones, while 74 percent of domestic violence help center staff reported tracking via apps as “often occurring amongst their client base”.
Meanwhile, in Canada, a 2012 national anti-violence survey found that 98 percent of perpetrators used technology to intimidate or threaten their targets. Common attacks included hacking the email and social media accounts of women and girls, and installing computer monitoring software or hardware on a target’s computer.
In other words, the problem is not new, but an overview of the industry from a technical and legal standpoint is, which might help raise awareness of stalkerware's use in domestic violence and for other abusive purposes.
One stalkerware app in the report is FlexiSPY, a well-known mobile spyware app that’s been available for over a decade and at one point openly advertised its purpose as: “Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms, etc.”
Others include Highster Mobile, Hoverwatch, Mobistealth, mSpy, TeenSafe, TheTruthSpy, and Cerberus.
Today, FlexiSPY boasts that once installed it “silently takes total control of the Android mobile phone or tablet” and lets the user track GPS locations, view photos, videos, and web history, and log keystrokes.
It also allows users to listen to and record live phone calls, and spy on calls made on Skype, WhatsApp, Viber and so on. But all the user reviews the company selects to publish are from users who claim to be using it for parent-child or employer-employee monitoring purposes.
Some antivirus companies have started detecting instances of stalkerware. Kaspersky announced in April that it would start detecting spyware like FlexiSPY.
Stalkerware is often distributed outside of major app stores and needs to be sideloaded on Android devices. However, unlike a remote attacker, a partner in a domestic abuse case often knows personal details about the target, such as a phone passcode, and likely has physical access to the device too.
The researchers found that a “significant” number of antivirus products did detect three or four spyware apps in the research, including FlexiSPY, Hoverwatch, and mSpy, as malicious or suspicious.
TheTruthSpy app was not detected by any antivirus engine. The researchers speculate this could be because it alone is available for sale in the Google Play Store, whereas other stalkerware apps are only available outside it for sideloading onto an Android device.
The researchers propose that a government body or an academic institution track whether antivirus products are detecting stalkerware apps on mobile devices and publish those results. Another option is for Google or Samsung to promote antivirus products that do detect stalkerware.
They also found that the built-in Android defense called Google Play Protect detected all stalkerware in scope with the exception of Cerberus.