On the hunt for Stalkerware

Monitoring software has developed quickly, adding surveillance functions and capabilities. It is no longer restricted to state organizations buying access to NSO spyware; it is now available to just about anyone with a smartphone. The fast growth in mobile device penetration, aggressive app developers, and a lack of legislative protection have made it easy to spy on spouses, family members or friends.

Avira has recognized that this runaway monitoring is a rapidly growing threat category, Stalkerware, and has joined the Coalition Against Stalkerware, together with several IT security companies and organizations working against domestic violence, to share information and develop a common approach to stopping these privacy violations.

Spotting Stalkerware is not so easy

Stalkerware apps can obviously compromise a user’s privacy and the security of the local system. But identifying Stalkerware apps is not such a simple and obvious task.

A Stalkerware app may be dual-use: the same app could be legitimately installed and used by a person to monitor their own device, or it could be secretly installed on another person’s device without their knowledge or consent and used to spy on their activities. The list of Stalkerware apps can include malicious programs, commercial spyware built specifically for this purpose, or legitimate apps used maliciously (for example, parental monitoring apps abused to track an intimate partner).

These apps also have a long list of technical capabilities, which may include call recording, device tracking, remotely taking pictures and videos, remotely monitoring and uploading data from the device, and more. Then there are operational functions, such as the ability to work in stealth mode (the user is not notified about the monitoring), to disguise itself as a system process or utility program, and to prevent uninstallation or disable antivirus software.

Avira is tackling Stalkerware with others

This combination of technical capabilities with specific operational functions makes spying on intimate partners easier and more accessible, and facilitates abuse by people with bad intentions. Avira has developed its own list of around 20 points for identifying Stalkerware, and we are not the only organization working to consistently identify this threat. For this reason, the Coalition Against Stalkerware is exceptionally important in helping the industry reach a consensus on the criteria for what counts as Stalkerware and then creating proper detection for it.

Is the number of Stalkerware apps going down?

Popular Stalkerware apps recently available include: FlexiSpy, mSpy, Cerberus, Trackview, HelloSpy, ATTI Shadow Tracker, Retina-X, iKeyMonitor and FoneMonitor. There is a move by Google to remove some of them, with Z6Mag reporting seven were removed earlier this year.

We have also found that Cerberus has been removed, and FlexiSpy and mSpy are nowhere to be found on Google Play.

There is still more Stalkerware on the market

Despite these efforts, Google Play is still hosting Stalkerware apps, just as the app market has also hosted malicious apps. Here is an example of Stalkerware that Avira has uncovered, and some of the reasons why we consider it to be Stalkerware:

All Tracker Family is available on Google Play as of November 18, 2019:

Stalkerware: All Tracker Family

The app is cleverly advertised as a convenient means to allow you to give your parents or partner total or partial access to your device.

According to the Google Play description, features include:

  • Access to location, phone calls, camera, microphone
  • Monitor notifications sent in the status bar from any app such as Messenger, WhatsApp, and Viber
  • Screen mirroring in real time – stream the screen of a device to any browser
  • Monitor location by GPS tracking, phone calls, camera, and microphone from other devices
  • Live video tracking from device camera
  • Monitor surroundings with live audio tracking from the device microphone

After installing it on a “victim” device and connecting it to an account, we can see details about the device on alltracker.org – the app’s web page for showing tracked devices:

The developer (RUSSCITY) has taken care to inform us that any function will send a notification to the device:

“ATTENTION: You CANNOT hide this app! Phone owner will be always notified about each request send to his/her phone. You CANNOT use this software like a spyware or hidden tracking!”

However, even though the application itself has no option to disable notifications, we used the standard Android settings to disable the notifications for this app. This enables a person to surreptitiously install and hide the app on a targeted phone:

Sure enough, after activating the 6-hour PRO trial, we could use the features with no notification on the “victim” device. For example, below you can see how we could access two screenshots on the device that we had just taken.

Users give their moment of truth

This is an example of an app which can be abused to spy on a significant other remotely. And, as we can see from the Google Play comments, people are actually using it for that purpose:

It is for these reasons we consider this app to be Stalkerware and are detecting it as PUA/Stalk.Catwatch.spy.
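The reasoning above (several monitoring capabilities combined with an operational sign of concealment, such as notifications switched off in the Android settings) can be turned into a device-audit triage. The sketch below is an added example, not Avira's detection logic or its 20-point list; the inventory record layout, the package names and the two-capability threshold are assumptions, while the permission names are standard Android ones.

```python
# Added example; inventory records and package names are constructed, not device output.
P = "android.permission."
CAPABILITY_PERMISSIONS = {
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_BACKGROUND_LOCATION"},
    "microphone": {P + "RECORD_AUDIO"}, "camera": {P + "CAMERA"},
    "calls": {P + "READ_CALL_LOG"},
}

def capabilities(app):
    """Monitoring capabilities held via granted permissions or special access."""
    granted = set(app.get("granted_permissions", []))
    caps = {name for name, perms in CAPABILITY_PERMISSIONS.items() if granted & perms}
    if app.get("notification_listener"):  # can read other apps' notifications
        caps.add("notifications")
    return caps

def concealment(app):
    """Operational signs that the device owner may not notice the app working."""
    signs = []
    if not app.get("notifications_enabled", True):
        signs.append("notifications disabled in system settings")
    if not app.get("launcher_icon", True):
        signs.append("no launcher icon")
    if app.get("device_admin"):
        signs.append("device administrator active")
    return signs

def triage(app, min_caps=2):
    """Flag apps that combine several capabilities with at least one concealment sign."""
    caps, signs = capabilities(app), concealment(app)
    if len(caps) >= min_caps and signs:
        verdict = "covert-monitoring risk"
    elif len(caps) >= min_caps:
        verdict = "dual-use, visible to owner"
    else:
        verdict = "no finding"
    return {"package": app["package"], "capabilities": sorted(caps),
            "concealment": signs, "verdict": verdict}

INVENTORY = [  # constructed sample
    {"package": "com.example.familytracker", "notification_listener": True,
     "notifications_enabled": False,
     "granted_permissions": [P + "ACCESS_FINE_LOCATION", P + "RECORD_AUDIO", P + "CAMERA"]},
    {"package": "com.example.sharedlocation", "notification_listener": True,
     "granted_permissions": [P + "ACCESS_FINE_LOCATION", P + "RECORD_AUDIO"]},
    {"package": "com.example.flashlight", "notifications_enabled": False,
     "granted_permissions": [P + "CAMERA"]},
]
print(*map(triage, INVENTORY), sep="\n")
```

The same capability profile yields a different verdict depending only on whether the owner can still see the app's notifications, which is the dual-use distinction the article draws.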