Who’s watching you?

Linus Nyman
Published in OUTRCH, Jan 14, 2021

An overview of stalkerware vendors and how they operate

By Linus Nyman, Riku Juurikko & the rest of Outreach

Stalkerware, sometimes called spyware or spouseware, is a program or app designed to let you stalk someone without their knowledge. These apps, commonly installed on a victim’s phone, can gather huge amounts of data.

This data can include things like the victim’s location, what websites they visit, what pictures they take, and who they are in touch with and what they say — either via phone text message or social media. (For a more in-depth introduction to stalkerware, see an earlier Medium post.)

We know this kind of software is used to track and stalk partners. However, installing stalkerware on someone’s phone without their consent is illegal. How does that work? How do companies sell a product that is commonly known to be used illegally?

Outreach is a nonprofit that helps at-risk groups, including victims of stalking by a current or ex partner. Since stalkerware is a significant threat to those we help, we decided to take a closer look at stalkerware vendors. We were interested in three things in particular: who they market their product to, what they say about its legal use, and how flexible they are about following the law.

What we did — research design

We started by choosing ten stalkerware products. We focused on products that weren’t available on app stores. Apps on Android or iOS app stores are subject to store rules regarding content, and spyware is the kind of thing that isn’t supposed to be allowed. We focused on products sold through the vendor’s website.

To find products for our list of stalkerware we did online searches for terms like stalkerware, spyware, cheating spouse, and is my girlfriend/boyfriend cheating on me.

On the off chance that any of the vendors we looked at are the litigious sort, we will refer to them here as Vendor [X] rather than by their actual names. But if you do an online search using similar terms, the resulting vendors are likely to be among the ones we have included in our study.

When we had our list of 10 vendors we went through each of their websites in turn. We documented what their target audience was based on their website content, as well as what they said about the legal use of their product. Then we contacted those vendors whose sites listed either an email address or a live chat option.

Posing as potential customers, we asked different questions and variations of the same question. The unifying feature of our questions was that they all had to do with using their product to do something illegal. “Can I use this to spy on my girlfriend without her noticing?” and that sort of thing.

Let’s move on to our results.

What consumer groups do stalkerware vendor websites focus on?

Most vendors target several groups in their marketing. The most common focus was the notion that their product can be used to keep your children and family safe. One example is Vendor 1, who states that their app “connects you with your family”, noting that given “all the hazards in our new Internet Centric world you can use our app to help you better keep tabs on your family and loved ones.”

Another common target audience was business owners and employers. Vendor 2 says that it can be used to “see where your employees are, what they’re doing, and what they’re saying. Monitor your business mobile phones and protect your intellectual property.”

A less common sales point was that the software could function as a backup or means of finding your phone. Only one site of the ten, Vendor 3, stated openly that it could be used for covert spying on a partner or spouse: “[Our app] is one of the best Catch Cheating Spouse App available today. It provides you lots of features which make your work easy.”

As a side note, some vendors display customer reviews complete with pictures of their satisfied customers. Many of these reviews seemed too good to be true, so we did an image search for some of the pictures. More often than not, this revealed the pictures of their “customers” to be taken from the internet and also used on other websites for other purposes.

What do stalkerware vendors say about the legal use of their product?

The websites almost all include some small print, usually buried in a Terms and Conditions section, stating that you need permission to install their program on someone else’s phone and to gather data about them. This was true even on those sites that market their products as the perfect choice for spying undetected, which led to some perplexing results.

One example is Vendor 4, which states that with their product you can “Remain completely invisible” and stay “hidden from the user, even if your children are familiar with how their devices work.” They also note that their app “gets the most accurate information while remaining undetectable by the user.”

But, in their terms and conditions — on the same website — they note that you agree to install their software “only on a computer that you own or on a computer for which you have been given explicit permission to install” and that “Content in the Services may be protected by intellectual property rights of others. Please do not collect the data unless you have the right to do so.”

Vendor 3, the vendor that also targets those who believe their significant other might be cheating on them, proclaims that their program is “100% undetectable.” Furthermore, they have an entire page on their website devoted to the topic of catching a cheating spouse, including “signs of a cheating spouse” and “how to catch a cheating spouse”. However, nowhere on this page do they mention anything about the legal use of their product. In fact, it is difficult to find such a statement anywhere on their website.

The closest we could find was their privacy policy. However, that appeared to focus solely on the rights and obligations between Vendor 3 and the person who bought their service. We couldn’t find any clear mention anywhere regarding the legality of its use or the requirement to ask for permission before installing it on someone else’s phone.

Stalkerware vendors’ knowledge of the illegal use of their product and their willingness to help break the law

We were a bit skeptical that only one stalkerware vendor of the ten would actually be aware of their product being used for illegal purposes. Our hypothesis was that stalkerware vendors knew that their products were being used to spy on loved ones, partners or exes without their permission.

To test that hypothesis, we created two fake people, a man and a woman, complete with email addresses and social media accounts. Posing as our newly created potential customers, we contacted all the vendors we had contact information for. We asked various questions, all focused on something illegal. Some excerpts follow.

Discussion with Vendor 5.

Q: “I need to be able to see who my wife talks to and also record her calls. Can your app do that? I can access her phone without her knowing about it, to install the app. But is it 100% hidden once installed? She absolutely can’t find out about it?”

A: “[Our product] works in a stealth mode, so there will be no clue on the target device regarding [Our product].”

Q: “So will it be totally undetectable? I am not prepared to pay for something that does not guarantee this.”

A: “To monitor an iPhone, iCloud credentials are not required. Physical access to the target device is required for the first time only. You will be able to fetch the data of the target device to your Vendor 5 account over the WiFi through a PC or MacBook. Instructions to do so will be provided to you after purchase.

Please follow the link to check available features with pricing info:

[link to product website]”

Discussion with Vendor 6.

Q: “I need to be able to see who my wife talks to and also record her calls. Can your app do that? I can access her phone without her knowing about it, to install the app. But is it 100% hidden once installed? She absolutely can’t find out about it.”

Chat started

A: “Hello! My name is A.”

“Please be informed that Vendor 6 is a legal application. It is designed to help parents monitor their children and businesses monitor their employee’s use of IT equipment with the knowledge and consent of the employees. Please check our Legal Policy before installing Vendor 6 — hxxp://www.vendor6.com/legal_info.html”

“What kind of device do you want to monitor?”

Q: “Android, Samsung Galaxy S10”

A: “If you are going to monitor an Android-based device, physical access is required. You will need to get access to the device for about 5 minutes. Will it be possible for you?”

Q: “Sure”

A: “The installation is fast and easy. It takes 5–10 minutes only. You’d need to take the phone you’d like to monitor and launch the internet browser. There you’ll type in the link for downloading the program, then hit the downloaded file to proceed with the installation. As soon as the app is installed it will ask for the registration code. The link for download and the registration code can be found on your personal account.”

Q: “Ok.”

“But it is totally hidden right?”

“Can I also remove it afterwards so there is no trace?”

A: “The software will operate in the background. There will be no icon on the device once the application is installed. [Our product] won’t be detected or blocked by any security apps. So even if a highly technical person were to run sophisticated utilities, no software threads or running processes will lead anyone back to the customer or to Vendor 6.”

“Yes, you can”

Q: “Ok, sounds good”

(Vendor 6 then provided registration links with different subscriptions: the longer the subscription, the cheaper the recurring price.)

A: “Provide me with your email address once you complete the payment. I will send you the login instructions.”

In conclusion

Stalkerware vendors primarily market their products as being designed to help keep children safe or to oversee workers. They commonly have a mention of legality of use somewhere on their site, noting that you need permission to install their software on a victim’s phone — even while marketing their product as being untraceable and perfect for covert use.

However, even though legal aspects were visible on most of the stalkerware vendor pages, customer support personnel were quite ready to provide instructions on how to perform illegal monitoring, and often seemed more concerned with their sales bonuses than with legality or ethics.
