Our Director of Cyber Threat Research, Kev Breen, recently discovered a vulnerability in a piece of stalkerware. What followed was a dilemma that has lasted months. Together, the Immersive Labs team has decided to help educate people on the dangers of stalkerware, how to protect themselves against it, and how we approached our disclosure dilemma. This is the first blog in our Stalkerware special series.
Nowadays, our mobile devices are an extension of ourselves. They travel everywhere with us, keep us connected and updated, snap the memories we cherish and give us access to our finances, our accounts, and our work. For most people, they are with us every moment of every day.
It goes without saying, therefore, that we implicitly trust these devices and their manufacturers with our most private details.
Now imagine that trust is broken.
All those private moments, sensitive messages, confidential emails, financial details, passwords – even the very location you are standing in right now have been silently taken. Not by hackers, not by the manufacturers, but by those closest to us.
Welcome to the weird world of Stalkerware
Most people are familiar with the concept of malware – software employed by individuals with malicious intent to gain access and control over their victim’s device. The creation, distribution and use of malware is illegal.
Stalkerware is subtly different in that it exhibits all the same behaviors as malware, but is sold commercially and pitched as “remote monitoring” that lets you keep an eye on children or employees. This means it is legal to create, distribute and use stalkerware – assuming it is only downloaded on devices that you are permitted to access and alter and that you have physical access to; for example, your child’s mobile phone or your employee’s tablet or laptop. And this is why the providers list it as child/employee monitoring.
The reality is that whilst some will use it in the way it is intended, it can also be used to spy on partners and spouses, and to facilitate stalking, blackmail and other criminal activities. These applications’ websites even link out to news articles that suggest as much, with tips on how to “catch your cheating spouse”.
The list of data gathered by this type of software is extensive – the polite way of putting it – and includes the following:
- SMS and deleted Texts
- Screenshots, photos and videos on the device’s camera roll
- Web browsing history
- Call log history
- GPS location
- Social media and online dating apps
- App usage
- Keystroke logging
Pretty invasive, right? Sadly, the use of stalkerware has seen a significant rise during the pandemic – and 7% of young Brits have admitted to using it to monitor their partner’s online activities and whereabouts. Even more worrisome is the fact that it’s becoming increasingly normalized: 38% of 18-39 year olds believe their partners were "at least somewhat likely" to plant stalkerware on their devices.
How does stalkerware work?
Let’s imagine our fictional character Lesley wants to keep tabs on what their partner is doing on their mobile phone and tablet – and, for bonus points, wants to know where they’re going when they say they’re staying late at the office.
Lesley searches for "mobile phone monitoring apps" and, lo and behold, their search engine of choice delivers thousands of hits, most of them claiming to be parental tools. Lesley browses a few listicles, picks one they like the sound of, clicks around the website, reads the fake reviews, and decides this is the one for them.
Once Lesley has created a free account or purchased a plan, they are provided with access to an online portal and instructions on how to install the stalkerware onto the target device. As Lesley’s partner has an iPhone, they just need their iCloud’s account credentials to install it. Luckily for Lesley, their partner is pretty open about sharing passwords, so this is way too easy. For Android, this would require physical access to the device to install an APK, which also disables some of the operating system’s security.
With the app installed or the account configured, Lesley can now access all the data on the device from the comfort of a browser anywhere in the world. If the device has internet access they can query it live. If not, they can review any of the historic data it has collected.
And, as we showed above, there is a lot of sensitive and personal information that is collected – all for the low low price of $16.66 a month.
But that’s not all…
Clearly, the primary issue with Stalkerware is that it is a huge invasion of privacy which could lead to physical and emotional abuse, stalking, cyberbullying, and more. Unfortunately, the problem goes even deeper when you consider the potential for compromise of a piece of software that is accessing, gathering and sharing every single piece of information on your device.
And, as we have discovered ourselves, vulnerabilities in stalkerware exist – and their creators and vendors just don’t care enough to fix them. We’ll be discussing this in more detail on our next blog.
Yep, this is awful. So how can I protect myself from stalkerware?
Luckily, there are several simple steps you can take right now to protect your devices:
- Use a strong password and/or biometrics to lock and secure your device, not just a simple PIN. Change this occasionally.
- Enable two-factor authentication for services on your devices. My preferred method is with a YUbiKey, which is a physical key in my possession.
- Install a free Antivirus application from a trusted vendor. Only get this from the official app store.
- Check the permissions that applications may request on your device and don’t blindly agree to access requests from apps.
- Check your Gmail/Apple accounts for suspicious activity.
How can I tell if there’s Stalkerware on my personal device?
While we’ve spent a large part of this article discussing the insidious nature of stalkerware, it should be pointed out that there are some child/employee monitoring and built-in tracking tools that are legitimate; for example, Apple’s Find My or certain tools used by companies to keep track of the hardware and software they own.
The main difference is that you can easily find and be aware of the legitimate services (and your company should have told you that your work device is being monitored – even if they haven’t, it’s always safest to assume that it is), whereas stalkerware will be hidden and possibly disguised as something else.
On your mobile phone or tablet:
This is far from an exact science, but here are some things to look out for:
- The battery might drain quickly when you’re not using it, or it gets hot to touch for no apparent reason.
- Start-up and shutdown times could be longer than usual.
- App icons or names in the main app library that you don’t recognize.
- Unusual menu items in your Settings – on Android devices in particular, stalkerware can be hidden in the Security section of the Settings menu.
- Applications freezing or crashing unexpectedly.
On your laptop or desktop:
If there is Stalkerware installed on your computer, you may notice similar behaviors to those listed above, as well as the following:
- Unusual items with excessive disc usage – check Task Manager (on Windows) or Activity Monitor (on macOS) for items that you don’t recognize; a quick Google search of the item’s name will tell you if it’s legitimate.
- Applications and processes that start up at the same time as your operating system that you don’t recognize.
It’s worth noting that it could be easier for someone to monitor your online activities simply by gaining access to your accounts rather than installing stalkerware. As such, you should always make sure your passwords are unique and never shared with anyone. For bonus points, make sure you keep an eye on where your accounts are being accessed from – Facebook, Gmail, and Instagram all provide details of where your account is logged in.
What do I do if I’ve found Stalkerware on my device?
This does not constitute legal advice. If you are uncertain about what to do or feel that you are in danger, please contact the police.
First of all, DON’T PANIC! It will be tempting to zoom straight in with a good old fashioned factory reset, but there are a few things you absolutely need to consider before taking any other action:
- Your safety. This must always come first. By wiping the stalkerware from your device, will you be putting yourself at risk from whoever has installed it? Many abusers may use stalkerware to monitor their victims, and taking action like this could lead to increased harassment. If it is safe to do so, reach out to organizations such as the National Domestic Violence Hotline (US) or the National Domestic Abuse Helpline (UK) (or any of the organizations at the bottom of this article) for advice and support. Consider doing this from a different device, like a friend’s phone, to prevent from alerting the person who installed the stalkerware.
- Evidence. Removing the stalkerware from your device will also delete any potential evidence. This is really important to remember, as if you wish to press charges or open a criminal investigation against whoever has installed it to your device, law enforcement will need that evidence. Contact your local law enforcement agency for advice.
Once you have considered the above points, sought the appropriate advice and support, and decided it is safe to remove the stalkerware from your device, you can often do so using a simple factory reset.
If you go down this route, you must ensure your device is not connected to the backup to redownload apps, photos, etc., as it is very likely this will reinstall the stalkerware. It is also highly recommended that you set up a new iCloud or Google account and that you use these accounts to download your apps. And now would be a good time to reset your passwords!
Stalkerware is sinister. It still blows our mind that it can be sold as a legitimate service when it can so clearly be abused. We hope this article has been useful in explaining what it is, how it is used, and how you can protect yourself from it. In our next blog, we’ll be discussing some of our recent research into a piece of stalkerware – and the vulnerabilities we found.
If you or anyone you know has been affected by or you believe has been affected by stalkerware or domestic abuse, if it is safe to do so, please reach out to any of the organizations listed here.
13 July 2021
Director of Cyber Threat Research,
Latest Blog posts
Kaseya supply chain attack: Prepare to respond with the Cyber Crisis Simulator
27 July 2021
Disclosure Dilemmas: Vulnerable Stalkerware
19 July 2021
When Less Isn’t More: A Deep Dive into Exploiting the Less.js RCE
15 July 2021
Patch Newsday – 13 July 2021
14 July 2021
Stalkerware 101: Everything you need to know
13 July 2021
An investment into the cyber skilled workforce of the future
11 June 2021