Date: 2019-11-07

The WhatsApp Pegasus spyware controversy has raised the issue of user privacy on smartphones again. The Pegasus scandal showed how government and law enforcement agencies could use this sophisticated and expensive software to track and spy on intended targets. While there’s not enough evidence to show Pegasus was used for mass surveillance given its exorbitant cost, the easy availability of other kinds of spyware such as ‘stalkerware’ means the privacy risks continue.

Just like spyware, stalkerware also lets someone spy on a person’s phone and access all their data. But in this case, the person doing the spying is a loved one or a family member, and not the government. Also, stalkerware is well-advertised, and often touts the ‘tracking’ features it offers.

It is available to the general public at large, provided they can pay for the license, which usually has a monthly cost attached to it.

You may have seen ads for such apps on the internet, which claim to let users ‘track’ their girlfriend’s, or boyfriend’s, phones. A search for boyfriend or girlfriend tracker apps will show lists of several such apps. Many of the apps in the stalkerware category are marketed as apps for parents to monitor children’s activities.

But the reality is that the license for many of these apps can be purchased by any particular user, and not just a parent. So anyone can use these to spy on anyone, provided they can get access to the device and install the required software. One such stalkerware app that was eventually forced to shut down its business was PhoneSheriff in the US, which was marketed as a child-monitoring app that was compatible with most Android phones.

The US Federal Trade Commission (FTC) took action against the developer Retina-X, which had other apps like Flexispy and Teenspy that also served the same purpose. The Electronic Frontier Foundation reported on November 6 that the US FTC has now barred Retina-X from distributing its mobile apps.

Keep in mind, the reason that Retina-X got into trouble was not because it created spyware, but because of multiple data breaches and because the data it acquired was compromised several times. So yes, many of these stalkerware apps are legal.

Monitoring apps like mSpy, Spyzie, SPYERA, Appmia and XNSPY are all easily available. Many of these claim to be compatible with iOS as well, so it is not just limited to Android. For instance, mSpy can also be installed on non-jailbroken iOS devices by accessing the iCloud account.

The services also claim to monitor location, messages sent on apps like WhatsApp and Telegram, calls, SMS, shared photos, etc., though services make varying claims on what they can monitor. Some cannot monitor apps like Snapchat, which are popular among teens.

How does stalkerware work?

Once installed on a person’s phone, the service functions like any other spyware. All data, photos, even messages sent, keystrokes, apps and location can be tracked. The data is usually shared with the person who has installed the stalkerware on the other user’s device. But remember, many of these apps and services are not exactly the best when it comes to handling this kind of sensitive data. As the Retina-X case shows, the data they are accessing can easily be hacked by others.

Like all other malware, the victim is often unaware of the presence of stalkerware on their phone. The software is collecting information and passing it on, while the user is none the wiser.

So how can you know if there is stalkerware on your phone?

On Android, Kaspersky Lab upgraded its Kaspersky Internet Security for Android with a new privacy alert feature. This will warn users if their private information is being monitored via commercially available spyware.

As Kaspersky noted, this kind of software is legal, but very often users might not know the program is present on their phones. In some cases, parents might inform their children that they will be monitoring their devices, but when it comes to adults, such apps become a serious privacy violation.

Kaspersky noted in a blog post that “in some cases a program’s download page specifically states the software is intended to be used for secretly spying on the user.” According to Kaspersky, these are often used “to spy on partners or ex-partners, there is nothing to stop people using such programs to target specific individuals for malicious purposes.”

In 2018, Kaspersky Lab products detected stalkerware programs on 58,487 unique mobile devices. Further, their research showed many programs do not have measures to keep some of this sensitive data secure. The cyber-security firm found that five out of 10 stalkerware programs that it analysed had either experienced a data-breach, or were found to be vulnerable to such attacks.

How to keep stalkerware out of your phone?

For one, stick to official apps from Google Play Store on Android, or Apple App Store on iOS. Double-check the developer before installing any new app.

Keep the passcode to your phone a secret, and do not disclose it, because that’s how spyware or stalkerware is often installed. When a trusted friend or spouse gains access to the device, they can install the app because they can unlock the device.

According to Kaspersky, one must change all security settings on their mobile device if leaving a relationship.

Keep track of what apps are installed on your phone. If you notice something you did not install, delete it. And, as always, do not share passwords for Gmail, Google accounts, iCloud accounts, etc. with anyone else.