Fighting stalkerware: technical and lifestyle obstacles
Marius Becker / dpa
Little has changed for the better in the scale of the stalkerware problem in 2020 – that’s how IT security firm Kaspersky’s new report on the prevalence of apps people use to secretly monitor their partners or other stalking victims begins. Kaspersky registered 53,870 victims last year. That is just under 14,000 fewer than in 2019, but around 14,000 more than in 2018. And only those victims who have Kaspersky’s security app installed on their smartphone are counted here: the actual prevalence of such apps is likely to be much higher.
Still, the report provides interesting insights: first, the number of detected stalking apps dropped significantly after March 2020, which Kaspersky attributes to the start of contact restrictions due to the coronavirus pandemic: in partnerships, perpetrators have been able to monitor their victims more easily since then.
Second, according to the report, Germany ranks first in Europe and sixth in the world in terms of the number of detected stalking attempts using snooping apps: Kaspersky recorded 1547 victims there for 2020. For comparison: in Russia, where Kaspersky’s app may also be more widespread, the number was 12,389 cases; in Brazil it was more than 6500, and in the U.S. 4745.
Third, many stalking app providers do not even try to disguise the purpose of their apps, although their use is likely to be illegal practically all the time. Those who call their app iSpyoo, TheTruthSpy or PhoneSpy want to address a very specific clientele.
Search engine optimization with "cheating spouse" in the source code
Surveillance software for smartphones can, however, be legitimate or at least give itself a legitimate appearance, for example when it is advertised as theft protection or for parents who want to control where their child is. Some apps are superficially advertised in exactly this way, but the source code of the website then contains the term "spouse" or "cheating spouse", visible especially to search engines. So it’s all about the allegedly adulterous partner again, or at least about them as well. Obviously, such tactics are used to steer people who simply Google for stalking apps to the website.
These tricks are well known, yet detecting stalkerware on a smartphone is not a no-brainer. Since November 2019, there has been a "coalition against stalkerware," which now includes ten IT security companies, including G Data, Malwarebytes, Avast, Avira, and F-Secure, in addition to the civil rights organization Electronic Frontier Foundation and victim protection organizations such as the White Ring. They exchange information and develop new detection methods – but despite their experience in the fight against malware, they have to deal with technical and real-world obstacles.
G Data from Bochum, for example, has integrated stalkerware detection into its Android app since October. But smartphone operating systems, simply put, don’t allow deep analysis of running programs, unlike Windows PCs, for example. It is therefore not possible to identify stalkerware that is still unknown simply on the basis of its behavior on the smartphone. On the device itself, G Data therefore works only with a list of known stalker programs. The real work is keeping this list up to date using samples, i.e. examples.
On Android, monitoring is easier
Any Android app can be taken apart and analyzed if you can find its installation file (technical term: APK), and G Data has several sources for that, according to Alexander Burris, head of mobile research at G Data. "We share a lot of samples of malware and just stalkerware with other companies in the industry," Burris said. "We have crawlers that scan websites for samples, we look at file-sharing sites, or we download directly from some vendors."
APKs are first scanned by automated systems for known malware patterns, the company says. But classifying them as stalkerware always requires human analysts as well. A key factor is whether an app secretly monitors communications or transmits location, i.e., without notices to smartphone owners. Legitimate programs would also signal to children, for example, that they are active.
The fact that G Data focuses on Android is due to Apple’s closed system: by default, only apps from the rather strictly controlled App Store can be installed, and they also get less access to data from other apps; full monitoring is hardly possible under these circumstances.
There is stalkerware for iPhones, but installing it is so complicated that some providers have started to sell ready-made iPhones with pre-installed surveillance software – but fewer perpetrators can afford it.
Do not delete stalkerware immediately
Burris estimates that there are "a few dozen" different stalking apps on the German market. G Data, however, knows between 2000 and 3000 samples, i.e. variants of these apps, because the developers keep changing their monitoring programs. Keeping the list of stalkerware apps up-to-date is a laborious process.
If G Data finds a problematic app on a smartphone, it is not deleted immediately. Stefan Mutterlose, team leader in app development, says: "Normal malware you want to remove from the device as quickly as possible. Stalkerware is a different story. The perpetrator would most likely notice if the software suddenly stopped working and could feel cornered. Then the situation can escalate to domestic violence."
Victims should therefore remain calm and consider what secure channels they could use to seek help and what other devices or accounts may still be compromised because someone else knows the password or has set up access.
That’s why G Data initially only displays a notice to its users explaining that there is an app on the phone that (depending on its capabilities) is capable of monitoring location and communications, followed by a link to more information. The link leads to a website that is not immediately recognizable as a stalkerware information site, in case the perpetrator is currently in the area.
However, the site also carries a warning: "Read this article only if you are in a safe and trusted environment! If necessary, delete this page from the history of your Internet browser after reading."
Action against stalkerware is therefore not just a problem that can be solved technically. Those affected must act prudently, even if they are under great pressure. (We have collected more tips about this here.)
Stalking with apps is to be explicitly prohibited by law
At least there were some positive developments in 2020. In the fall, for example, Google finally banned stalkerware explicitly from the Play Store, which has at least made it more difficult to distribute the programs. Perpetrators must use their victim’s device to visit a website offering a monitoring program and install it, bypassing Google’s default security settings. In the best case, a screen lock with pin, password or fingerprint already protects against this.
Antivirus apps are also no longer the only way to track down stalkers. Kaspersky has developed an alternative approach with TinyCheck. It is open-source software that is installed on a mini-computer such as the Raspberry Pi and scans the network traffic between a smartphone and a WLAN router for suspicious data. The technology is intended for use in women’s shelters, for example, to help victims who do not want to or cannot install an antivirus app on their smartphone.
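A simplified illustration of the network-side approach described above, added here as an example and not taken from TinyCheck: it matches DNS queries seen at a Wi-Fi gateway against a list of known stalkerware domains. The dnsmasq-style log lines and the indicator domains are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed indicator list: placeholder domains, not real stalkerware infrastructure.
INDICATOR_DOMAINS = {"panel.stalkerware-example.test", "upload-example.invalid"}

# Constructed sample in dnsmasq query-log style, as a Wi-Fi gateway might record it.
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[412]: query[A] www.example.org from 192.168.4.23
Mar  1 10:00:07 dnsmasq[412]: query[A] api.panel.stalkerware-example.test from 192.168.4.23
Mar  1 10:00:09 dnsmasq[412]: query[AAAA] cdn.example.net from 192.168.4.57
Mar  1 10:05:07 dnsmasq[412]: query[A] API.Panel.Stalkerware-Example.test. from 192.168.4.23
Mar  1 10:06:30 dnsmasq[412]: query[A] notupload-example.invalid from 192.168.4.57
Mar  1 10:07:00 dnsmasq[412]: reply www.example.org is 203.0.113.10
"""

QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$")

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()

def matching_indicator(name, indicators):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    # Compare on label boundaries: 'notupload-example.invalid' must not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan(log_text, indicators=INDICATOR_DOMAINS):
    """Map client IP -> {indicator: hit count} for every matching DNS query."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies and other daemon messages are ignored
        indicator = matching_indicator(m.group("name"), indicators)
        if indicator:
            hits[m.group("client")][indicator] += 1
    return {client: dict(found) for client, found in hits.items()}

if __name__ == "__main__":
    # Report only: nothing is blocked, so the monitored phone behaves as before.
    for client, found in scan(SAMPLE_LOG).items():
        print(client, found)
```

The script only reports matches and blocks nothing, in line with the advice above not to disrupt stalkerware abruptly.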
Something is also moving politically: A week ago, Federal Minister of Justice Christine Lambrecht (SPD) presented a draft to tighten up Section 238 of the Criminal Code, which deals with stalking. Here, monitoring with the help of stalking apps should be explicitly included in the list of prohibited acts. In addition, the minister wants to change the definition of stalking.
According to the draft, it is no longer only those who "persistently" stalk their victims and "seriously" impair their way of life who are liable to prosecution, but "repeated" attempts with "not insignificant" impairments for the victims are sufficient. The goal is "better and easier law enforcement," so ultimately there should be more convictions.