Google Bans Stalkerware Ads – With a Loophole

Starting in August Google is banning ads of products or services promoting stalkerware.

Google will soon prohibit ads on its platform that promote stalkerware products and services – but the tech giant’s ban comes with a catch that some security experts worry will render it ineffective.

Starting August 2020, Google’s ads policy will be updated to ban advertisements for stalkerware, which is software that can be installed on devices to track their owners’ location, activity and more. Google said, violations of this policy will first lead to a warning being issued for at least seven days prior to any suspension of one’s account.

“The updated policy will prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization,” according to Google’s Advertising Policies page. “This policy will apply globally and we will begin enforcing this policy update on August 11, 2020.”

According to Google, stalkerware technology includes spyware or malware that can be used to monitor texts, phone calls, or browsing history; or GPS trackers specifically marketed to spy or track someone without their consent. It also includes promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.

However, Google said that its ban on stalkerware ads will not extend to private investigation services or services designed for parents to track or monitor their underage children – which some are condemning as a big loophole for surveillanceware companies.

To sidestep this rule, all a stalkerware company would need to do is merely pretend to be an app helping parents track of their young children – but that doesn’t necessarily reflect what the company is really selling, said security expert Graham Cluley in a recent post.

“I’m reminded of visiting a particular stalkerware vendor’s website in the past (I won’t name them, as I have no desire to promote their creepy product) which incorporated a cheesie video of a man explaining how his wife had been knocked unconscious in a car crash, and that the stalkerware had helped him find where she was and alert the emergency services,” said Cluley. “Despite the website’s small print reminding purchasers that their software absolutely should not be installed on anyone’s smartphone without the explicit permission of the phone’s owner, it was clear that that was the primary expected usage for the software.”

That was the case with three Retina-X apps, which last October were barred by the Federal Trade Commission (FTC): MobileSpy, PhoneSheriff and TeenShield. While these three apps were marketed for monitoring mobile devices used by children, or for monitoring employees, the FTC said “these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses.”

Security researcher Martijn Grooten on Twitter said he hopes that a universal definition of stalkerware will soon be established, based on the services’ technical capabilities, rather than how they are being marketed.

Threatpost has reached out to Google on how it plans to distinguish the technical properties of surveillanceware versus how they’re being sold.

The number of stalkerware attacks on mobile devices increased 50 percent over the last year, showing an upward and continued trend in the emerging threat, according to research from Kaspersky.  One of those stalkerware families, disclosed in March, is an aggressive stalkerware app called Monitor Minor.

This growing threat comes as more efforts to combat stalkerware emerge in the security industry, including the recently announced Coalition Against Stalkerware. The coalition, which includes Avira, Electronic Frontier Foundation, European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape and WEISSER RING, aims to  create a centralized location for helping victims of stalkerware, as well as to define what stalkerware is in the first place.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail. 

Suggested articles