Guest Post – Don’t Let Your Phone Stalk You

The idea of someone tracking your whereabouts and eavesdropping on your conversations can be unsettling. Yet, more than 58,000 Google Android users had this happen to them. That’s because these individuals had stalkerware installed on their smartphones.  Stalkerware is legal but often considered unethical. Find out what stalkerware is and how it can get on your smartphone.

Stalkerware is not limited to Android phones. It can be installed on smartphones of virtually any make or model. (It can even be installed on other computing devices such as tablets and laptops.) To protect against this threat, you need to know what stalkerware is and how it can get on your phone.

Stalkerware 101

Stalkerware is commercial spyware offered by companies, not cyber-criminals. Usually marketed as a solution to track employees or monitor children, it is set up like a Software as a Service (SaaS) offering. Customers pay a monthly fee to access data collected by a client app they installed on the phones they want to stalk. Although legal in many countries, stalkerware is increasingly being considered unethical because of the types of information it collects and how the data is gathered.

If a stalkerware app is installed on your phone, it will collect information on pretty much everything you do. For example, besides tracking the places you visit in both the physical and digital realms, it will log your calls, stockpile the photos you take, and amass the emails and text messages you send and receive.

All this information is sent to and stored on the stalkerware company’s servers. The customer (aka stalker) will have access to it as long as they continue to pay for the service. It typically costs between $16 and $68 per month, according to one report.

While some stalkerware apps will display a visible marker on the phone’s screen to let people know they are being watched, most operate in stealth mode. Several apps even go to great lengths to avoid detection, such as masking themselves as a system service in a phone’s installed applications list. Thanks to tactics like these, stalkerware victims are often unaware they are being tracked.

How Stalkerware Gets on Phones

Although stalkerware is legal, official app stores like Google Play and the App Store typically ban it. (Parental control software and programs designed to find lost phones are not considered stalkerware, which is why you will find them in app stores.) However, an Internet search will quickly reveal websites of companies that offer stalkerware.

The main method in which stalkerware apps get on phones is manual installation, according to security experts. The installation process is pretty straightforward — stalkers do not need to be techies to get the apps working. A few companies will even deliver phones with their stalkerware apps preinstalled to customers who are technically challenged.

The Dangers

Few people will contest that the kind of information gathered by stalkerware can be dangerous. Case studies have shown that it can lead to stalkers harassing, blackmailing, and even physically abusing their victims.

There are also other dangers that aren’t as obvious. Outsiders might see the captured data one of several ways:

  • Since the data gets stored on the stalkerware company’s servers, staff members might access and look at the data.
  • The data might get inadvertently leaked to the world at large. For example, millions of records collected by the mSpy stalkerware app were leaked because the company failed to properly protect its database. The leaked records included call logs, text messages, contacts, and location data.
  • Hackers might breach the data. For instance, Retina-X Studios was breached twice by the same hacker. The hacker accessed and exposed the photos collected by two of its stalkerware apps.

Help Is on the Way

Efforts to crack down on the stalkerware industry are being led by the Electronic Frontier Foundation (EFF). One action the EFF is advocating is for security software companies to treat stalkerware as a serious threat. Often, that’s not the case. A 2018 study found that most security programs do a poor job of detecting and flagging stalkerware as a dangerous app.

Partnering with EFF, Kaspersky Lab has taken the first step toward cracking down on stalkerware. Previously, its Internet Security for Android software flagged stalkerware apps as suspicious but then displayed a “not a virus” message, which was confusing for users. Now there is no question about the dangers. The software displays a large “Privacy alert” message for any blacklisted stalkerware apps it finds installed on phones. After explaining what the app can do (e.g., eavesdrop on calls, read text messages), the security software gives users the option to delete or quarantine the program. Alternatively, users can decide to leave the app on their devices.

How to Protect Yourself in the Meantime

The EFF hopes that other security software companies will follow in Kaspersky Lab’s footsteps. In the meantime, the best way to protect yourself from stalkerware is to prevent its installation on your phone. Since manual installation is the primary way it gets on devices, there is a simple but effective preemptive measure: Lock your phone when you are not using it.

Smartphones usually provide more than one authentication method to unlock them, so you can use the method with which you feel most comfortable. For example, you might want to use a password or biometric authentication (e.g., iPhone’s Face ID). If you use a password, be sure it is strong and unique — and do not share it with anyone.

If you suspect your phone already has stalkerware on it but your security software does not specifically flag this type of program as a threat, you can check the phone’s activity monitor for suspicious processes. We can help, as it is not always easy to determine which processes are of concern.


Today’s guest post is by a friend and professional peer of mine, Tony Chiappetta, owner of CHIPS Computing.

CHIPS is a Technology Success Provider located in Shoreview, MN near the intersection of Highway 96 and Lexington.  Since 2001, CHIPS has been working with businesses to help them get the most from their technology investment.

Tony has been around technology all his life and holds numerous industry certifications.  With the completion of both a Law Enforcement and a Business Management Degree, Tony brings a business perspective to the technology landscape.  This has allowed CHIPS to lead the industry by bringing enterprise solutions down to the Small Business sector.

CHIPS has received many industry awards and accredations however, Tony is most proud that his team has been asked to help secure the Critical Infrastructure of the Twin Cities by bringing to market a proven technology that was previously only available to Federal Government Agencies.

You can follow CHIPS via Social Media and stay connected with their blog.

phone privacy flickr photo by stockcatalog shared under a Creative Commons (BY) license

 

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an information technology and cybersecurity instructor for several training and certification organizations. Bob has worked in corporate, military, government, and workforce development training environments Bob is a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.