This Stalkerware Delivers Extra-Creepy Features

stalkerware monitor minor

Stalkerware called Monitor Minor gives users the ability to creep on a target’s missives swapped via Instagram, Skype and Snapchat.

Researchers are sending up a red flag over the distribution of an aggressive stalkerware app called Monitor Minor. In a report released Monday, researchers said the Android version of the app gives stalkers near absolute control of targeted devices, going so far as allowing them to capture the unlock pattern or unlock code of phones.

“This is the first time we have registered such a function in all our experience of monitoring mobile platform threats,” wrote Victor Chebyshev, a security researcher at Kaspersky who authored the report.

Over the past year, installs of stalkerware found on Android and iOS devices doubled, according to researchers. But, compared to garden-variety stalkerware apps, researchers say Monitor Minor stands out.

Chebyshev explains that because of the app’s stealth, sophistication and ability to track Gmail, WhatsApp, Instagram and Facebook user activity, a heightened awareness of the stalkerware is needed.

Threatpost reached out to Monitor Minor seeking comment and has not heard back. While the app is not available via Google Play or via Apple’s App Store, it is sold online at a purported tool for monitoring a child’s activity on the phone.

App in Action  

Researchers said the app, tracked as Monitor.AndroidOS.MonitorMinor.c, is a “rare piece of stalkerware” that can tap voice communication of over dozen apps including Gmail, WhatsApp, Skype and Snapchat. But, what researchers say surprised them the most was the apps ability to escape a targeted Android device’s sandboxing and access data tied to other apps such as WhatsApp messages.

The ability to access sensitive app data generated by apps other than Monitor Minor itself on the targeted Android device requires the installation of a SuperUser-type app, a.k.a. an SU utility. These types of apps are able to bypass an Android protection called Discretionary Access Control, designed to prevent data leakage between apps. In this cased the SU utility is Monitor Minor.

“[The SU utility] grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist,” researchers wrote.

Installation of this type of app on a phone is not trivial. “Keep in mind that on recent versions of Android OS, an attacker will have to do a lot to install this software, because the operating system will fight against the installation on each step,” Chebyshev wrote in an email based interview with Threatpost.

A review of the install process revealed a 17-step process, which entailed turning off key security features such as “scan device for security threats” and “improve harmful app detection.”

“The infection vector here is different; it has social-engineering origin. The attacker must have physical access to the device for a long time to download, install and configure the stalkerware properly,” Chebyshev said.

SuperUser or SuperCreep

One of the more aggressive features the app has, is its ability to steal the device’s unlock code. The Monitor Minor app does this by using it’s root privileges to extract the file “/data/system/gesture.key” from the targeted phone. That directory contains the hash sum for the screen unlock pattern or the password.

“If this piece of software works on the device properly, the victim would not know anything, and a stolen unlock pattern would not be of any use,” the researcher told Threatpost. “However, if the victim uninstalls the stalkerware from the device, the attacker may need the unlock pattern to gain access again. So, it’s something like a backup.”

The researcher said that Monitor Minor is also unique in that it is almost impossible to detect on the victim’s device. “Note too that the Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators are aware of the existence of anti-stalkerware tools and try to counter them,” he said.

Kaspersky warned that the app is predominantly in use in India. It also said the app is also used in English- and Turkish-speaking parts of the world.

Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles