Stalkerware Volumes Remain Concerningly High, Despite Bans

stalkerware volumes

COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.

Tens of thousands of mobile users were infected by the class of software known generically as stalkerware last year.

According to just-published research by Kaspersky, 2020 lockdowns related to the global COVID-19 pandemic put a damper on installations, but the scourge of privacy-busting software still invaded the lives of many at-risks individuals.

According to Kaspersky’s “The State of Stalkerware 2020” report, there were 53,870 mobile users within its telemetry who were affected by stalkerware during the year. That’s a drop from the year before, when 67,500 mobile users were affected, but still up from the 40,386 instances detected amongst Kaspersky’s client base in 2018.

This is despite the fact that Google banned stalkerware apps from Google Play last year.

Stalkerware is defined as software that can be installed on someone’s phone, allowing the person’s physical location to be tracked, calls and messages monitored, social-media activity snooped upon, and photos and videos to be seen. It can also switch on a device’s camera to see what the target is doing or who the person is with.

In general, it allows someone to remotely spy on another person’s life via their digital device. This is usually done without the affected user giving their consent or being notified. The Coalition Against Stalkerware warns that these pernicious apps “may facilitate intimate partner surveillance, harassment, abuse, stalking and/or violence.”

The issue statistically does correlate to physical abuse: According to a report by the European Institute for Gender Equality, seven in 10 women in Europe who have experienced cyberstalking have also experienced at least one form of physical or sexual violence from an intimate partner.

Stalkerware Volume Increases in U.S.

Russia, Brazil, the United States, India and Mexico were the top five countries where users were most impacted in 2020, in that order, according to Kaspersky’s report. The U.S. passed India, rising on the list from fourth place in 2019 to third in 2020.

Germany was the top European country, occupying sixth place in the global rankings. Iran, Italy, the United Kingdom and, lastly, Saudi Arabia complete the 10 most-affected nations.

“We see the number of users affected by stalkerware has remained high and we detect new samples every day,” said Victor Chebyshev, research development team lead, Kaspersky, in a media statement. “It’s important to remember that there is somebody’s real life story behind all these numbers, and sometimes there is a silent call for help.”

It’s notable that “the yearly curve began to rise again in the second half of 2020, after some lockdown measures were lifted,” the report added. The reason that lockdowns may have affected the rate of stalkerware installation is because targets would be less likely to be out and about, reducing the need for keeping track of someone’s physical movements and remote activity.

The first two months of the year were in line with numbers from the year before. The situation changed in March when many countries decided to announce quarantine measures. Volumes began to rise again in June, when many countries around the world eased restrictions.

Stalkerware instances, month by month. Source: Kaspersky.

Top Stalkerware Apps

With more than 8,100 users affected globally, Nidb is the most-used stalkerware strain, according to Kaspersky’s stats. The code forms the core of several stalkerware brands, researchers said, including iSpyoo, TheTruthSpy and Copy9, among others.

“The Nidb creator sells their product as stalkerware-as-a-service,” according to the firm. “This means that anyone could rent their control server software and mobile application, rename it to any suitable marketing name and sell it separately.”

Source: Kaspersky.

Both second and eighth place are occupied by different versions of Cerberus – an Android malware that started life as a banking trojan, but which is now a fully fledged remote access trojan (RAT) available for rent in underground forums.

And Agent.af comes in third place, which is marketed as the “Track My Phone” app. It can read messages from any messenger, log a person’s call history and track geolocation.

Some apps do try to get around bans by Google and others by claiming to do something else entirely. The “Anlost” malware for instance, No. 4 on Kaspersky’s Top 10 most-common stalkerwares, is advertised as an antitheft application. It can intercept SMS messages and read the call log of a device.

“And its icon is present on the home screen (not usual behavior for stealthy stalkerware apps),” according to the report. “Therefore, it is available on the Google Play store. That said, it is possible to deliberately hide the icon from the home screen.”

Stalkerware companies have also sold apps that purport to help parents track their young children – even though their capabilities could be used for other purposes. Increasingly, app gatekeepers are cracking down on these types of offerings.

That was the case with three Retina-X apps, which were barred by the Federal Trade Commission (FTC): MobileSpy, PhoneSheriff and TeenShield. While these three apps were marketed for monitoring mobile devices used by children, or for monitoring employees, the FTC determined that they “were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses.”

Another example is an app called “Monitor Minor,” which researchers flagged as problematic last year. The Android version of the app gives stalkers near absolute control of targeted devices, going so far as allowing them to capture the unlock pattern or unlock code of phones.

Stalkerware Requires Physical Access

Stalkerware isn’t delivered in the same way as other malware; it can’t be sent via a sneaky email or installed in some other remote way, Kaspersky said. This means that the abuser will need to have physical access to a device in order to install it. Once past any lock-screen, it only takes a few minutes to load an app, researchers said.

“The main barrier that exists is that stalkerware has to be configured on an affected device,” according to the report. “Due to the distribution vector of such applications which are very different from common malware distribution schemes, it is impossible to get infected with a stalkerware through a spam message including a link to stalkerware or a trap via normal web surfing.”

Stalkerware is usually downloaded from third-party sources. This is easy for Android users; but iPhone stalkerware tools are less frequent because iOS is traditionally a closed system with apps from third party stores barred from running on it.

However, “an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware as a gift,” according to Kaspersky. “There are many companies who make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory packaging to celebrate a special occasion.”

How to Check for Stalkerware on a Phone

To check for stalkerware, users can run an antivirus solution, and keep an eye out for a fast-draining battery, constant overheating and mobile data traffic growth. Users can also check the browser history, because an abuser would have needed to download the app from a website.

Users should also check to see if “unknown sources” are enabled on devices; this might be a sign that unwanted software was installed from third-party source. And, they should check the permissions of installed apps: Stalkerware applications may be disguised under a wrong name with suspicious access to messages, call logs, location and other personal activity.

“It’s hard for everyday users to know if stalkerware is installed on their devices,” according to Kaspersky. “Generally, this type of software remains hidden which includes hiding the icon of the stalkerware app on the home screen and in the phone menu and even cleaning any traces that have been made. However, it may give itself away and there are some warning signs.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.