Stalkerware: Violating your privacy by creeping up on you via your phone

In early April, Russian cybersecurity company, Kaspersky Lab, significantly upgraded its anti-virus offerings. The company added a “Privacy Alert” to its “Kaspersky Security for Android” program, which is designed to detect and remove malware from mobiles. The new alert flags a class of programs referred to in the cybersecurity industry as Stalkerware.

Stalkerware is a subset of spyware — programs designed to infiltrate digital devices and sweep up data. Stalkerware masks its presence, like spyware, and it monitors all activity, stealthily picking up conversations, emails, text messages, internet and social media activity, location info, financial transactions and so on.  

But unlike spyware, which may be illegal and used by habitual criminals to prey on strangers, stalkerware is often legal, or quasi-legal. Another key difference: stalkerware is called that because it is frequently installed by a jealous, controlling person who wants to keep tabs on their partner, or ex-partner, 24x7. For that reason, it’s also sometimes referred to as “spouseware”. 

There are legitimate uses for this. Some programs are anti-theft in nature, allowing the owner to locate a stolen phone. Courier companies, cabbies, freight transporters and food delivery agents install tracking programs on employee’s phones. Parents often install stalkerware on phones they give kids. Security agencies and police forces have been known to use it. Some stalkerware programs are marketed to parents, but others are also blatantly advertised as stalkerware. Most are available only outside the Google Play and Apple Store. 

Most programs require a few minutes of physical access to the target’s handset for installation. Some work like other spyware by sending interesting looking links, which will infect the phone if opened. Stalkerware is usually installed without the phone user’s knowledge or consent, and it has been indicted in multiple cases of domestic violence. 

In January 2018, Eva Galperin, who is the head of the Threat Lab of the Electronic Frontier Foundation (EFF), discovered some of the dimensions of the problem. Galperin (@evacide) tweeted: “If you are a woman who has been sexually abused by a hacker who threatened to compromise your devices, contact me and I will make sure they are properly examined.” She received thousands of responses and discovered that stalkerware was often associated with horrific abuse, with victims being cornered and raped, children threatened, and so on.  

Galperin also discovered that there was a huge hole in the anti-virus market. Most anti-virus programs did not detect stalkerware effectively — after all, these weren’t viruses. Indeed, most cybersecurity programs ignored them. 

A study by Cornell University indicated that up to 85 per cent of stalkerware went undetected by anti-virus programs. When Galperin connected with Kaspersky, the cybersecurity company discovered that it had recorded over 58,000 devices in 2018 with undetected stalkerware on them. 

Another problem with stalkerware is that it causes insecurities on global scales. Private data from the phones of victims are uploaded to stalker-servers. If such a server gets hacked, thousands, perhaps millions, of people are at risk. Unsurprisingly, hackers see those servers as juicy targets since they contain sensitive financial data. There have been at least 12 notable incidents where stalkerware servers have had private data sucked out, according to one study by the tech website, Motherboard. 

Given that this issue has now started receiving attention, and Kaspersky has introduced the Privacy Alert feature, other anti-virus solutions may soon follow suit. But it will still be up to individuals to take basic precautions and ensure that their phones are secure.