Stalkerware Attacks Increased 50 Percent Last Year, Report

Research puts the emerging mobile threat—which monitors the whereabouts and device activity of device users as well as collects personal data—into clearer focus.

The number of stalkerware attacks on mobile devices increased 50 percent over the last year, showing an upward and continued trend in the emerging threat, researchers said.

Over the past year, the instances of stalkerware—which tracks users without their knowledge and can result in harassment, surveillance, stalking and even domestic violence—increased from 40,386 unique users in 2018 to 67,500 in 2019, according to new research from Kaspersky.

“Attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim,” Victor Chebyshev, a research development team lead at Kaspersky, wrote in a post on the company’s SecureList blog outlining trends in mobile malware in 2019.

At the same time, stalkerware, a threat that appeared on security researchers’ radar in only the last couple of years, also began to show signs of “keeping pace with its malware cousins” in terms of sophistication, he said.

Researchers have had some difficulty in the past defining stalkerware because the software used in these types of attacks typically varies between surreptitious spyware, available on illicit online markets, and more legitimate applications that can be obtained through app stores such as Google Play.

That landscape is beginning to change slightly, however, as stalkerware comes into clearer focus and security researchers and privacy advocates alike are aligning to help define exactly what this threat entails as well as prevent future attacks.

Kaspersky researchers divide stalkerware into two categories—trackers and full-fledged tracking apps, they said. The first type of stalkerware has two main features: tracking victims’ coordinates and intercepting text messages, Chebyshev wrote.

Once this type of app is loaded on a device, a third party can access messages and data about the user’s location, he said. However, it’s possible for a wider audience also to gain access to the data collected by trackers, as “the client-server interaction of some services ignores even the minimum security requirements” of a device, Chebyshev wrote.

While this type of mobile app previously was available on the official Google Play marketplace, changes to Google’s policy in 2018 led to the removal of most of these apps from the store, with developers subsequently pulling support for their products, he said.

“However, such trackers can still be found on their developers’ and third-party sites,” Chebyshev wrote.

Full-fledged stalkerware poses a different scenario for both users and threat actors who use this type of attack to target victims, according to researchers. While these apps don’t exist on legitimate stores like Google Play, developers actively support them as commercially available spyware.

Rather than merely track certain aspects of user activity, this type of stalkerware “can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on,” Chebyshev wrote.

“Many apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications,” he said. “If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature.”

While the Federal Trade Commission already has banned some commercial spyware apps from a company called Retina-X (MobileSpy, PhoneSheriff and TeenShield), others still exist that can be used in full-fledged stalkerware attacks. These include spyware apps Monitor Minor and FinSpy; the latter even includes a feature to intercept correspondence in secure messengers, such as Signal, Threema and others, Chebyshev wrote.

Indeed, the growing preference for mobile messaging apps over text messages or voice calls also is widening the playing field for stalkerware as well as bolstering the impetus for threat actors to target users with these attacks, he added.

With people basically unable to “live without their devices” these days, it’s a no-brainer that cybercriminals see stalkerware as a profitable way to collect information and use it for extortion against victims, James McQuiggan, a security awareness advocate with KnowBe4, said in an email to Threatpost.

He advised device users to remain vigilant about what apps are installed on their devices and to remove any apps that are no longer needed to prevent falling victim to stalkerware attacks. “While the mobile device is important in one’s life, it’s important to keep it updated, uninstall older apps and only use apps that are from organizations and developers,” he said.
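The two signals the article describes, apps obtained outside the official store and use of the Accessibility feature, can be checked together when reviewing a device. The sketch below is an added example, not code from Kaspersky or the article: it parses the output of two standard Android commands, and every package name and output line in it is constructed sample data.

```python
# Added example: every package name and command output below is constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed output of: adb shell pm list packages -i -3   (third-party apps)
PM_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.syncservice  installer=null
package:com.example.screenreader  installer=com.android.vending
package:com.example.wifihelper  installer=com.google.android.packageinstaller
"""
# Constructed output of: adb shell settings get secure enabled_accessibility_services
A11Y_OUTPUT = ("com.example.screenreader/.ReaderService:"
               "com.example.syncservice/com.example.syncservice.core.Watcher\n")


def parse_installers(pm_output):
    """Map each third-party package to its installer (None if unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field.split("=", 1)[1]
                installer = None if value in ("", "null") else value
        installers[fields[0][len("package:"):]] = installer
    return installers


def parse_accessibility(a11y_output):
    """Return packages that own an enabled accessibility service."""
    value = a11y_output.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def triage(pm_output, a11y_output):
    """Flag apps installed outside trusted stores; escalate those with Accessibility."""
    a11y = parse_accessibility(a11y_output)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        findings.append((pkg, "high" if pkg in a11y else "review"))
    return findings


if __name__ == "__main__":
    for pkg, level in triage(PM_OUTPUT, A11Y_OUTPUT):
        print(f"{level:6} {pkg}")
```

The installer source is a triage signal rather than a verdict: a flagged package still needs manual review, and a store-installed app with Accessibility enabled is not automatically benign.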
