Thursday, Jun 16, 2022
BY: Team Nuspire
With much of the discussion in the cybersecurity sphere focusing on attack campaigns against businesses and how to mitigate them, it’s important not to forget that many types of cyber threats target and cause harm solely to individuals. One worrying threat with an alarming range of possibilities is stalkerware. This post explains what stalkerware is, common features, possible consequences and tips to protect yourself.
What is Stalkerware?
Stalkerware is a type of software that someone covertly installs on a victim’s phone, where it lurks in the background collecting data about what the victim does. The perpetrators are often close to the victims; the common scenario is an overly suspicious partner or a disgruntled and obsessed ex-partner installing stalkerware on the victim’s smartphone. Worldwide detection of users impacted by stalkerware totaled 32,694 individuals in 2021.
This growing threat to individual security and privacy is part of a wider area of technology-facilitated abuse. Developments in technology over the last decade or so, including the proliferation of social media and moving to a mobile-first world, brought about both positive and negative changes. Tech abuse exploits these changes and innovations to harass, monitor or exploit people.
Stalkerware exists in somewhat of a legal and ethical grey area because the apps used for this purpose also have other use cases that aren’t malicious. While a hard line makes it easy to classify software created expressly for malicious use, the same is not true for stalkerware apps.
Parental monitoring out of concern for a child’s well-being or monitoring an elderly relative with dementia are two things that sound useful, ethically sound and legal. The companies creating stalkerware often market their apps as parental monitoring software or even anti-theft solutions, but the reality doesn’t match up with the marketing. Criminals can hijack the apparent legitimacy of these apps for their own nefarious purposes, and most antivirus solutions won’t flag anything because the app is not strictly malware.
Since stalkerware apps often have a legitimate use, it’s been a struggle to get a handle on their more devious undercurrent. Google explicitly took steps to ban stalkerware in 2020 by forbidding any code that collects and/or transmits personal or sensitive user data from a device without adequate notice or consent and doesn’t display a persistent notification of this activity to the user.
Unfortunately, new apps continually emerge to replace banned ones. Furthermore, jailbreaking provides a way to circumvent any bans enforced by mobile operating systems. Jailbreaking enables the perpetrator to install pretty much any app they want on a device. If the victim’s phone is already jailbroken before it gets in their hands, installing stalkerware becomes even easier.
A more primitive stalking attempt inspired by stalkerware exploits the use of popular hardware devices, such as Apple AirTags, to covertly track the location of people. One notable case involved model Brooks Nader noticing an AirTag planted in her belongings on a night out.
Stalkerware vs. Spyware
It’s important to clarify a small distinction between stalkerware and spyware. While both types of software sound similar in how they operate, spyware often gets installed when visiting a website or clicking a link. In other words, spyware doesn’t require the physical access that stalkerware does.
Spyware is used by dedicated cybercriminal gangs and nation states to surveil people, in contrast to the lone-wolf actors that are often behind stalkerware. An infamous example of spyware is Pegasus, which the Israeli cyber-arms company NSO Group developed. The use of Pegasus became a politically-charged topic, with various governments around the world using it to spy on political opposition groups, activists and journalists.
Common Features in Stalkerware Apps
Whether a stalkerware app is marketed as a seemingly legitimate solution or it’s downloaded directly onto a jailbroken device from a dubious source, some common features include:
- Hiding the app icon from the device’s screen so that the user doesn’t see it while scrolling through apps
- The ability to read users’ text messages and sift through call logs
- Transmitting GPS location data
- Viewing images from the device’s gallery
- Access to messages on popular messaging and social apps, such as Facebook, WhatsApp and TikTok
- Listening to the victim via microphone access
Surveilling the private activity of an individual is always bad. But the most worrying consequence of stalkerware is how it facilitates abuse against victims, such as domestic violence or bullying.
The likeliest origin of stalkerware being installed on a phone involves people very close to the victim. Since physical access is first required to download the stalkerware app, the perpetrator needs to get ahold of the victim’s phone temporarily for at least a few minutes. The easiest way for this to happen is when two people live under the same roof.
It’s worth bearing in mind though that there are other less common scenarios. For example, an obsessive boss or another high-ranking employee might ask for access to a victim’s smartphone under the guise of checking that it’s in compliance with corporate BYOD policies. The victim then gets unknowingly monitored by someone at their workplace.
Tips to Protect Yourself Against Stalkerware
Awareness about the threat of stalkerware is a good start. The following tips can help prevent, detect or remove these apps from your device.
- Never share your phone’s PIN code with anyone, including family or intimate partners, and always have the PIN code enabled.
- Protect access to your phone with a pattern or fingerprint to make it hard or impossible to download an app, even if you leave your phone unattended for a considerable period.
- Periodically go through your phone’s settings to find the list of all downloaded apps or all apps with permission to access specific phone features (the methods for doing this depend on the operating system).
- Look out for some other signs indicating stalkerware, such as the phone’s battery starting to drain much faster than usual, the phone getting very hot or the screen suddenly lagging.
- Check for spikes in data usage beyond normal expected levels, as this indicates the exfiltration of large files, such as gallery images and WhatsApp conversations.
- If you detect stalkerware, a factory reset deletes all applications. Even after a factory reset, it’s still advisable to change the passwords to services you regularly use.
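As an added example (not from the original post), the periodic app review in the tips above can be written as a small triage script that maps the common stalkerware features listed earlier to the Android permissions that enable them. The inventory records, their field names, the weights and the threshold are assumptions constructed for illustration; only the permission names are real Android identifiers.

```python
# Added example, not from the original post. Permission names are real Android
# identifiers; the inventory, its field names and the weights are constructed.
SENSITIVE = {  # feature from the list above -> permissions that enable it
    "text messages": {"android.permission.READ_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "gallery images": {"android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.READ_MEDIA_IMAGES"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}
REVIEW_THRESHOLD = 5  # assumed cut-off for "look at this app by hand"

def review_app(app):
    """Score one app record and explain the score."""
    granted = set(app["granted"])
    features = [f for f, perms in SENSITIVE.items() if granted & perms]
    score, reasons = len(features), []
    if features:
        reasons.append("can access: " + ", ".join(features))
        if not app["has_launcher_icon"]:   # hidden from the app drawer
            score += 3
            reasons.append("no visible app icon")
        if app["installer"] is None:       # not installed through an app store
            score += 2
            reasons.append("installed outside an app store")
    return score, reasons

def triage(inventory):
    """Return (score, package, reasons) for apps at or above the threshold."""
    scored = [(*review_app(app), app["package"]) for app in inventory]
    flagged = [(s, pkg, why) for s, why, pkg in scored if s >= REVIEW_THRESHOLD]
    return sorted(flagged, key=lambda item: item[0], reverse=True)

P = "android.permission."
INVENTORY = [  # constructed sample records
    {"package": "com.example.chat", "has_launcher_icon": True,
     "installer": "com.android.vending", "granted": [P + "READ_SMS",
     P + "RECORD_AUDIO", P + "ACCESS_FINE_LOCATION", P + "READ_MEDIA_IMAGES"]},
    {"package": "com.example.syncservice", "has_launcher_icon": False,
     "installer": None,
     "granted": [P + "READ_SMS", P + "READ_CALL_LOG", P + "RECORD_AUDIO",
                 P + "ACCESS_BACKGROUND_LOCATION", P + "READ_EXTERNAL_STORAGE"]},
    {"package": "com.example.notes", "has_launcher_icon": False,
     "installer": "com.android.vending",
     "granted": [P + "READ_EXTERNAL_STORAGE", P + "RECORD_AUDIO"]},
    {"package": "com.example.torch", "has_launcher_icon": True,
     "installer": None, "granted": []},
]
```

Calling `triage(INVENTORY)` ranks the hidden, sideloaded app with five sensitive capabilities first, while the visible store-installed chat app with four stays below the threshold; a flagged app is a prompt for manual review, not proof of stalkerware.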
The nature of the cyberthreat landscape is that individuals are always exposed to cyberthreats, some of which may target their financial data or personal security, like stalkerware. Many other threats target individuals at the workplace in an attempt to compromise their employers. Often, workplace cyber threats focus on the endpoint devices that employees use for normal work activities.
With the right endpoint detection and response solution, companies can get visibility into threats that evade standard antivirus software and deploy accelerated remediation capabilities for those threats.