Is it spyware, stalkerware or a legit tracking app?

It’s tough to decide whether an app is a nasty example of stalkerware – reporting on what the tracked individual is doing, where, and when – or a legitimate tracker like a parental control app for a child’s phone. If Solomon had had a smartphone, how would he distinguish between the two … and what would he add to the Queen of Sheba’s device?

Give the wise guy a smart phone with stalkerware … How would Solomon have distinguished between spyware, stalkerware and a legit tracking app?

This is a technological question for our modern times: Is that tracking app helping a parent keep their child on the straight and narrow path home from school … or is this being used to control and eavesdrop on a significant other’s every move and social interaction? Both stalker and parental control apps have many of the exact same functionalities of listening, restricting, and tracking. They might even be marketed by the same people. And what do you expect a security company, whose main job is to spot incoming malware and protect user privacy, to be doing in this uncertain situation?

Solomon in the age before smartphones

It’s enough to make you wonder what Solomon, remembered as the wisest man in the world, would have done when asked to distinguish between the two. Or what he might have done if given the opportunity to track the Queen. I think that in his Solomonic wisdom, he would have drawn a sword and threatened to split the suspect smartphone in half – just like he did with the baby that had two women arguing over who was its rightful mother.

In the story, Solomon identified the mother as the one who wanted a living child – not on the basis of a fact-based genetic test. And that is indeed like discerning between stalkerware and a parental control app – the technical makeup of the two is almost identical (but there are some suspect variations). The primary difference is in how they are used and the intent of the person installing them. With parenting and with IT – this one is a judgement call.

Wisdom in an age of surveillance

Tracking apps such as spyware, stalkerware, and parental control apps all fall under the same operational umbrella, as they contain a bundle of similar functions. Spyware is usually seen as a negative app, invasive in the hands of cybercriminals and law enforcement. The most famous example of spyware is Pegasus, which was developed by the Israeli NSO Group and has been linked to spying on the activities of everyone from Mexican journalists to Saudi activists. Spyware such as Pegasus has an incredibly extensive range of snooping and installation capabilities – it can be installed by the victim simply answering a call.

Stalkerware is usually pitched as the perfect app for anyone to secretly install and spy on the online activities of those close to them. Stalkerware apps have more spying and controlling features than the parental apps. Some of these functions include phone call recording, data exfiltration, assuring persistence and reconnaissance, location history, remote microphone/camera spying, activity monitoring, conversation eavesdropping, access to social media and storage media contents, unauthorized access, keylogger, and more.

Parental control software is a kinder and gentler version that is marketed as a way to ensure little Bobby gets home and does his homework. Typical parental control apps have the major functions of letting parents read their children’s text messages, know their location by tracking via GPS, and see their browsing and search history. Moreover, some parental control apps have more serious surveillance capabilities, such as collecting information from social media accounts, accessing the private contents of someone’s phone (e.g., photos and videos), enabling remote unauthorized access, turning the device on and off remotely, and keylogging.

The absolute importance of user awareness

Yes, there is an overlap. Many apps in this tracking category are considered dual-use apps, meaning that the same app can be used for several purposes – some of them not so legitimate. Tracking suspected terrorists is a legitimate use, but tracking journalists writing about a tax on sweet beverages is something else. From experience, we have seen that some of these apps are indeed used for legitimate and lawful purposes, but they are also abused for spying purposes.

Confusing, yes. But when you add user awareness to the mix, the situation becomes clearer, as stalkerware is almost always installed on the device without the user’s knowledge and consent. The test can be boiled down to a double A/B maybe C test:

1. The tracker app is on my device

A: Yes, I know about it and willingly accept this – OK (It’s a company phone)
B: I don’t know. – Not OK, this is bad

2. I put the app on someone else’s device

A: They know and willingly accept this – OK (parental guidance app)
B: They don’t know – but I have legal approval to do this (questionable).
C: They don’t know. – Not OK, this is bad.

Knowing is a critical part of the distinction. Legitimate apps display their monitoring activities to the user and the illegitimate apps generally hide. If the app is secretly installed or concealed, it is almost certainly stalkerware and is careening into legal and moral difficulties. Yes, there are exceptions to this – like when a tracking app is installed to collect evidence of a crime – but the general principle holds.

The slippery legal slope for tracking apps

For John Q Public, the NSO’s Pegasus is way beyond his operational level and budget. But there is still a wide palette of tracking apps available, of varied legality. Tracking apps that the device holder knows about – like the one on the work computer that this article is being written on – are generally OK if the tracking is announced, it is in line with business activities, and there is limited private info recorded. Secretly tracking what a person is doing and their online activities is OK if legally approved.

But that still leaves a wide range of tracking software available to John that could be an illegal invasion of another’s life. Similarly, parental control apps that are marketed for tracking and controlling children’s activities but come with hidden monitoring functionalities can have serious repercussions on children’s private lives.

The difference can be visible in the app icon (or lack thereof)

The most visible division between acceptable apps and invasive monitoring software is in the icon on the device screen. Most – but not all – parental control apps have an icon which is both clearly visible and accurately describes the app’s function. Malicious and invasive stalkerware will usually have an invisible or deceptive icon to hide its real functionality.

How deep can that tracking go?

An acceptable parental control app will usually have limits over what apps are allowed to be installed on the device, control capabilities over screen time, and records on the browser history (there is a difference between control and monitor). Unacceptable tracking apps step over the line when they enable monitoring or access to private data such as conversations. It is also a problem when there is no visible installation or app icon. In addition, it is a major issue when the app is installed without the knowledge of the device holder.

While children often do need some guidelines when it comes to app use, it should be noted that many security and anti-theft apps for smartphones already come with a bundle of remote geo-tracking options.

Device security issues with parental control and stalkerware apps

Tracking and control apps are not security neutral, as many have two primary issues. First, they essentially open up a back door to the device that, when fully exploited, can give a hacker various levels of access and privilege, including authentication bypass, execution of malicious code and remote commands, data theft, modification of user files, and sniffing of network traffic. Second, the data taken from the device can go to an unsecured location from which it could also leak out. Family Orbit, a parental monitoring company, stored files in unsecured cloud storage sites, which resulted in the leak of private data such as email addresses, device IDs and names, credentials, and media storage files.

Is there a security firm detection difference?

Security companies that have usually focused on detecting malware, direct threats to devices, and privacy are waking up to the risks to their users from tracking apps. Increasingly, invasive tracking apps are being directly identified as malware. Others such as Employee Work Spy and Mobile Tracking have been removed from the official app stores. Commercial spyware is now often detected as stalkerware and classified as PUA – a potentially unwanted app with the detection identification of PUA/Stalk.

This PUA ranking provides the Solomonic judgement of recognizing that there are legitimate tracking apps (parental control) with legitimate functionalities. However, this also recognizes that the end user has the right to know what is installed on their device and its activities. And it does this without threatening to divide the device in two.

Analysis of PUA/Stalk.FlexiSpy

FlexiSpy is one of the more famous stalkerware applications. Although FlexiSpy positions itself as a parental control tool with specific app features like geolocation tracking and application activity monitoring, it also includes a huge list of other features which can give the device administrator full access to the controlled device. Spy functionalities include call recording, taking photos and recording videos from device cameras, getting private information from chat applications (Skype, Viber, WhatsApp and others), keylogging, password extraction, remote control via SMS text commands, and more.

Besides this, FlexiSpy tries to hide its presence and activity on the devices. For this purpose, it can hide the app icon, delete itself from any app lists, and even masquerade its presence under a random name.

We’ve highlighted below some of the spying and controlling features of this stalkerware other than those which are mentioned above. Avira detects this app as PUA/Stalk.FlexiSpy.

Hide or Enable/Disable Application icon


The images above show FlexiSpy installed as Android Sync and Sync Services: the application is trying to present itself as some kind of Android OS-related tool.

Hide application icon
Function which will enable/disable the app icon

Hide SuperSU and rooting traces

Rooting an Android phone gives access to additional features and controls, but it can leave the SuperSU icon behind which might alert an individual that they are being spied on. FlexiSPY also gives the device administrator the ability to hide it as a feature.

FlexiSpy feature to hide SuperSU and all traces of rooting on an Android phone

Controlling different functionalities remotely

Below is a big list of functionalities that can be turned off/on remotely through this app. In the screen shot, it can be seen that the app has a wide range of remote controlling and spying features ranging from simple recording to capturing personal information on a phone level.

Big list of different functionalities that can be turned on/off remotely

Control phone through remote SMS commands

One set of features is enabled by the ability to control the phone remotely via SMS commands. The app also has the ability to hide these request and reply commands from the phone owner.

Suppress SMS request with command
Suppress SMS command reply
Collect all packages that have receivers for android.provider.Telephony.SMS_RECEIVED as a HashSet. Delete its own name "com.android.msecurity" from this set
Restart all packages from set
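
The concealment traits described above (no app icon, a system-style name such as Sync Services, a receiver for incoming SMS, broad surveillance permissions) can be combined into a simple triage pass over an app inventory. This is an added example, not Avira's detection logic or code from the original post; the record fields, threshold, sample records and the permissions attached to them are constructed assumptions.

```python
# Heuristic triage of an installed-app inventory (added example).
# Field names and the sample records are constructed for illustration.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SYSTEM_STYLE_WORDS = ("android", "sync", "system", "service")

def triage(app):
    """Return the list of reasons one app record looks concealed and invasive."""
    reasons = []
    held = SURVEILLANCE_PERMS & set(app["permissions"])
    if not app["launcher_icon"]:
        reasons.append("no launcher icon")
    if len(held) >= 3:
        reasons.append(f"{len(held)} surveillance-capable permissions")
    if SMS_ACTION in app["receiver_actions"]:
        reasons.append("receives incoming SMS")
    label = app["label"].lower()
    if not app["preinstalled"] and any(w in label for w in SYSTEM_STYLE_WORDS):
        reasons.append("user-installed app with a system-style name")
    return reasons

def review_list(inventory, threshold=3):
    """Packages with at least `threshold` indicators, for manual review."""
    return [(a["package"], triage(a)) for a in inventory
            if len(triage(a)) >= threshold]

P = "android.permission."
SAMPLE_INVENTORY = [  # constructed records, not real scan output
    {"package": "com.android.msecurity", "label": "Sync Services",
     "launcher_icon": False, "preinstalled": False,
     "permissions": [P + "RECORD_AUDIO", P + "CAMERA", P + "READ_SMS",
                     P + "RECEIVE_SMS", P + "ACCESS_FINE_LOCATION"],
     "receiver_actions": [SMS_ACTION]},
    {"package": "com.example.familyguard", "label": "Family Guard",
     "launcher_icon": True, "preinstalled": False,
     "permissions": [P + "ACCESS_FINE_LOCATION"], "receiver_actions": []},
    {"package": "com.example.messenger", "label": "Messenger",
     "launcher_icon": True, "preinstalled": False,
     "permissions": [P + "READ_SMS", P + "RECEIVE_SMS", P + "CAMERA",
                     P + "RECORD_AUDIO"],
     "receiver_actions": [SMS_ACTION]},
]

if __name__ == "__main__":
    for package, reasons in review_list(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```

A visible messaging app that handles SMS scores on capability alone and stays below the threshold; it is the combination with concealment that puts a package on the review list, which still leaves the final call to a person who knows whether the device holder consented.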
