Understanding stalkerware

Stalkerware is getting increased media coverage, but what is it actually? We tested how some of the top recommended spouse-tracking apps work so you don’t have to.

Laura Kankaala
OUTRCH
Dec 14, 2020

Co-authored by Mikael Laakso and the rest of OUTRCH.

Photo: Jay Mantri

Stalkerware is a modern phenomenon, the culmination of the idea that the privacy of others can be freely violated. Stalkerware is sometimes referred to as spyware, child monitoring or anti-theft software, but ultimately these tools are employed in complex relationship dynamics, in many cases where there is an existing threat of physical or mental violence. As the name suggests, the main purpose of stalkerware is to track the data, activities and location of the device it is installed on.

There are plenty of options when it comes to the selection of stalkerware. A simple Google search for “how can I track the phone of my husband/wife/child” yields an overwhelming number of results. In this post we want to shed some light on the practical means and ways in which these apps work.

Image: Stalkerware is a hot topic on the internet

We tested stalkerware apps that did not require root on Android or jailbreak on iOS to bypass any inherent security mechanism in the device. We had physical unmodified Android and iOS test devices, in addition to emulated Android devices.

As we ventured deeper into the world of spouse stalking we learned some lessons that we want to share with end users, the information security community and anyone suspecting or struggling with digital stalking.

Stalkerware installation

There are roughly two ways in which smartphone-related stalkerware works.

Firstly, there are apps that can be either downloaded from official application stores or sideloaded onto the device — the latter holds true especially for Android.

Secondly, iOS-related stalkerware in particular sometimes relies on iCloud access. This means that there may not be any application downloaded onto the device at all; the access relies solely on knowledge of the victim’s iCloud credentials. In other words, one can monitor data backed up from the phone without ever physically accessing the phone.

A successful installation of a stalkerware app on Android takes up to five minutes.

Image: Example of an installed and hidden stalkerware app

If a device is left unattended and the perpetrator can unlock it, the app could be installed and hidden on the device.

Smartphones expose internal APIs to access functions that are globally available on the device. Functions such as location, calls and text messages can be accessed by other applications that request the corresponding permissions during initial setup.

This means that the perpetrator needs to grant the app permissions on the device so that it can access these device features, and thereby sensitive data and operations, in the background.

Image: stalkerware permission requests

On Android versions up to 10, an app’s permissions only need to be granted once and then stay in force permanently, after which the app can run quietly in the background without prompting the user for anything, even after the device is rebooted. iOS has traditionally been more restrictive in its permission model, and therefore the trend on iOS seems to be towards obtaining the victim’s iCloud credentials to gain access to sensitive data.

Remote access to victim’s sensitive data

After setting up the stalkerware, either physically on the device or leveraging iCloud, the perpetrator can access the victim’s data remotely without physical access to the device. Well, there was one stalkerware tool that accessed backups from the iPhone when it was physically connected to a computer… a feat which could be accomplished even without an additional app.

The victim’s data is accessed via another app or, more commonly, a website, where a portal displays a feed or listing of the victim’s data.

Image: example of remote access to device

Most Android stalkerware applications communicate data only outwards, i.e. they send captured data from the device to the stalkerware provider to be displayed on the web dashboard. However, there are also applications that provide remote-control features to trigger, for example, camera or microphone recording, or even to send messages to be displayed on the phone.

By default, smartphones that have not been rooted (Android) or jailbroken (iOS) sandbox applications so that each one operates in its own namespace. This logical isolation prevents one application from directly accessing the data or operations of another.

Marketing gimmicks

First things first — stalkerware is not a term used by the industry providing stalkerware services. They typically label themselves as mobile trackers or monitors.

The business of stalkerware is a lot about hype and marketing, often having modern and visually appealing websites with a professional and positive spin on the services offered. A typical stalkerware hustler will promise a colourful set of things which may or may not actually function on the device. These promises include access to social media apps, pictures, browsing history, geolocation and other potentially revealing information on the device.

Overall the stalkerware industry berates privacy and promotes a view of the world where our private digital lives are not so private and it’s okay to trespass digital boundaries. This is a difficult concept, especially in the contemporary age of connectivity, when by default we are increasingly expected to expose our lives online.

We also noticed that in some cases stalkerware apps seem to be white-labelled. This means that the app’s core functionality, or some part of it, is resold, and the purchaser places their own logos on the application without having to do the heavy lifting of developing the actual app or its back-end dashboard functionality. This makes it possible for essentially the same product to show up more frequently in search results, and to be marketed towards specific tracking purposes and pricing levels.

We noticed that the promised features seemed to hold true more often for Android apps than for iOS. The iOS applications that we tested were in some cases not even particularly good at tracking geolocation.

Privacy for the stalked

Photo: One Idea LLC from StockSnap

Stalkerware apps are by design used to gain access to the type of personal information that is classified as sensitive personal information. In some countries it is illegal for businesses and end users alike to collect another person’s personal information without their explicit consent and knowledge, although the laws for businesses and individuals may differ depending on where the stalking takes place. However, it cannot be underlined enough that collecting sensitive information on someone without their explicit consent is equivalent to following them home and physically watching their every move.

A very serious privacy concern, beyond the perpetrator gaining access to covertly captured data and personal information of the victim without consent, is that the data is stored on the stalkerware providers’ servers. In a recent study the communications of many popular stalkerware apps were tracked, and the IP addresses often led to cloud-based providers in the United States, making more exact tracking difficult.

Some of the more privacy-conscious apps won’t let the monitoring party directly access messages or pictures, but use automated ways to detect inappropriate pictures and block inappropriate Internet browsing. These less intrusive apps are sometimes used to monitor children’s devices, but could double as a means of stalking a significant other.

Where things are heading

Google has stated that apps with stalkerware-like behaviour will be banned from the Play store, and the newest version of Android (Android 11) includes improved security features, which include more granular control over permissions for apps running on the device as well as resetting the permissions of unused apps.

While these are good improvements, there will be devices running older versions of the operating system for years to come, since few device manufacturers are committed to major software upgrades years after the launch of a device.

However, things might also be slowly improving in this regard as e.g. Samsung, which is one of the largest manufacturers of Android devices, has committed to three major OS updates for many of its newest line of devices.

How to avoid stalkerware, and what to do if you suspect stalkerware on your device?

In terms of prevention, keeping your device out of the hands of others is a good first line of defense. This includes using some sort of mechanism for unlocking the device, like a PIN, pattern, or fingerprint. Since it only takes around 5 minutes to install and hide stalkerware on a device, keeping the device locked helps to avoid such scenarios.

During our testing of various popular stalkerware we did not come across any software on Android that could grant access to device information remotely, without first having physical access to the device to install the actual application.

For iOS users the most critical prevention strategy is to keep your iCloud credentials safe and known only to you, since most of the iOS stalkerware worked on the principle of remote access by obtaining access to the victim’s iCloud account and the data stored within it.

Keeping your devices up to date with the latest system updates is also something that cannot be forgotten. Using devices that are no longer receiving system updates or security patches is not recommended.

If you suspect that you have stalkerware on your device, performing a factory reset and changing the credentials of both your system account and your device locking mechanism is never a bad idea. Outreach has published a free and accessible guide for anyone suspecting stalkerware or other forms of cyberstalking in their lives.
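One defender-side check that follows from the permission model described under Stalkerware installation and from the advice above: a triage script, added here as an example rather than code from the original post, that parses the output of `adb shell dumpsys package` taken from a device you own and lists packages holding several sensitive runtime permissions at once. The package names in the sample are constructed, and because the exact dumpsys layout varies between Android versions, the line patterns are an assumption to check against your own device.

```python
# Added example (not from the original post): parse `adb shell dumpsys package`
# output and flag packages holding several sensitive runtime permissions at once.
import re

# Permissions matching the data stalkerware is sold to collect (location,
# messages, calls, microphone, camera). Tune this to your own device baseline.
WATCHLIST = {"android.permission." + p for p in (
    "ACCESS_FINE_LOCATION", "READ_SMS", "READ_CALL_LOG", "RECORD_AUDIO", "CAMERA")}
# Line patterns assumed from the dumpsys layout; verify against your Android version.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=true")

def granted_permissions(dumpsys_text):
    """Map each package name to the set of permissions reported as granted=true."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current:
            result[current].add(m.group(1))
    return result

def flag_suspicious(dumpsys_text, threshold=3):
    """Return {package: watchlisted permissions} for packages at or above threshold."""
    return {pkg: perms & WATCHLIST
            for pkg, perms in granted_permissions(dumpsys_text).items()
            if len(perms & WATCHLIST) >= threshold}

# Constructed sample in the layout of `dumpsys package`; not captured from a real device.
SAMPLE = """\
  Package [com.example.messenger] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.sysupdate.service] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, perms in flag_suspicious(SAMPLE).items():
        print(pkg, sorted(perms))
```

A hit only means a package holds an unusual combination of permissions; compare it against apps you knowingly installed before drawing conclusions.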

Stalkerware has been a cat-and-mouse game between the developers of mobile device operating systems and the developers of applications that leverage weaknesses and loopholes in the security and privacy features of those devices. As such, any detailed step-by-step guide runs the risk of becoming outdated fast as new ways of hiding installed software are found.
