The Stalkerware Threat

On August 15th, 2018, an unsavory character was able to obtain complete and total access to everything on my personal cell phone. In just a few minutes, they were able to download all of my pictures and videos. They could read my text messages and emails, and even send whatever they wanted to while pretending to be me. They tracked my location and secretly activated my microphone and camera. They knew where I was at any given moment and where I would be according to my calendar. They had access to my entire life.

Fortunately, I was that unsavory character. And just as fortunately, I was conducting an experiment to demonstrate how easy it can be to weaponize our own phones against us, how hard it can be to detect for even advanced users, and how disastrous it can be if it happens. Turns out, it’s pretty easy.

In May of 2018, security researchers Andrew Blaich and Michael Flossman of the security firm Lookout discovered a new malware variant that they dubbed Stealth Mango (for Android) and Tangelo (for iOS). These tools were successfully deployed against military and government targets in Pakistan, Afghanistan, India, Iraq, Iran, and the UAE, and spread largely through phishing and compromised websites. The campaign was ultimately able to exfiltrate over 15GB of data, including text messages, contacts, secret recordings, and sensitive military/government communications. The stolen data even included passport scans, ID cards, whiteboards, and meeting/ceremony pictures that included US service members. In other words, it was a treasure trove of information.

While researching the campaign, the researchers made a remarkable discovery: the same team that developed Stealth Mango and Tangelo also made a commercial variant, and the code was almost exactly the same. Commercial variants of mobile spyware are often referred to as “stalkerware” or “spouseware”, named after their common usage.

Once upon a time, sophisticated mobile attacks and intelligence operations were the purview of state actors. This is why the government and military don’t allow cell phones into certain areas. But now the threat has grown exponentially and the sheer number of potential attack vectors warrants a careful reconsideration of our policies, training, and defensive posture. Today, the threat includes anyone with $60 or so who can easily follow basic instructions. There are countless variants of this sort of software commercially available, not to mention the multiple homebrew versions. We can start to get some idea of the sheer scope of the problem by analyzing the data leaked by a self-identified employee of one such company, Flexispy.

Flexispy makes and sells this sort of software. They also sell a “white label” version for other companies to resell under their own brand. According to the information provided to Motherboard security researchers Lorenzo Franceschi-Bicchierai and Joseph Cox, at least 130,000 people had accounts with the service. Among them were a fifth-grade teacher, the president of a distribution company, the vice-president of a bank, and many more. And that’s just one company; there are many others with their own customer base.

Recently, I went to the website of one such company. Their website lists two primary uses for their brand of stalkerware: to “keep your children safe” and to “monitor your employee’s company phone usage”. Insert additional air quotes liberally. It’s important to note that both of those purposes are technically legal, although there would be certain caveats and provisions that would be the responsibility of the buyer to obey.

As an experiment, I contacted this company with a fictitious back story. I told the sales rep that I thought my “girlfriend” was cheating on me, and I wanted to know if their product could help me spy on her. I expressed concern that she would discover it, and mentioned that it’s her phone on her own account. In other words, I was asking if I could use their software to commit a major crime. The rep assured me that it would work perfectly for this purpose. They offered tips on installing it without the victim discovering it, and they even offered a 10% discount code for my first month.

After I purchased a one-month license (I chose not to take advantage of discounts offered for longer durations), it took about two minutes to infect my phone. After that, I merely had to log in to my online dashboard on the company’s website to access everything on my now-infected phone. If I intended harm, I would have had ample means to do it then.

The fictitious story is a realistic one, and the threat includes not only an abusive partner but also burglars, hackers, or anyone else who would benefit from this unprecedented level of access when trying to accomplish their goals or counter our own. It’s an inexpensive and low-risk method of intelligence gathering that can be initiated from anywhere in the world, depending on the technical capabilities of the attacker.

As discussed previously, we already restrict cell phones in specific areas. This is a good thing, and that shouldn’t change. But what could your adversary do if they manage to infect one or more of your employees’ personal or issued cell phones?

We all know that we’re not supposed to talk about work-related topics while we’re out of the office for lunch, but we feel a little bit safer when we’re alone with our trusted coworkers who are working on the same project. We wouldn’t tell our adversary about network issues and vulnerabilities, but we might do a quick internet search on our phone while trying to fix a router configuration issue. And we work hard to protect information about client arrivals, even though a compromised phone can tell far more than an itinerary can. That’s not to mention the blackmail potential for well-placed employees based on their app usage (for example, a married employee using a dating / hookup app), location history, email receipts, and more. The next time you think about the information you want to protect, think about all the items that could potentially be compromised along with your employees’ phones.

As always, real-world risk should inform policy. But when we’re talking about personal devices and non-work hours, there’s only so much that policy can adequately address. We need to provide our users with the resources and information they need to protect themselves under those conditions. For example, these are some important concepts that can be relayed to your employees in order to help protect them and your critical information:

– Free antivirus apps are able to detect many variants of stalkerware, but are often not installed by default. Installing a third-party antivirus app by a reputable company will help prevent infection in the first place
– Periodically scan through your list of installed apps to look for anything you didn’t install or don’t recognize. Many stalkerware apps don’t actually display an icon, so this may not be enough on its own
– If using an Android device, look through the settings for “device administrators.” Any apps listed here have more or less full control of your device. For example, the program that I tested required these privileges in order to function. Also, disable the “install from unknown sources” option to help prevent the surreptitious installation of apps
– The least difficult method of installing stalkerware involves physical access to the device. This allows the attacker to ensure that it’s working properly and their tracks are fully removed. Make sure your device is locked and uses a password, PIN, or some other security feature. Other methods of installation seen in the wild include phishing attacks or luring users to a compromised website, referred to as a “watering hole” attack. Make sure these methods are addressed in your training and awareness program
– Some users choose to root or jailbreak their phone in order to increase functionality or unlock certain features. However, this also increases the options available to the attacker. For example, some attacks against iOS devices simply won’t work unless the device is jailbroken. If your users have rooted or jailbroken their devices, make sure they’re aware of the risks
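
The app-list, hidden-icon and device-administrator checks from the list above can be combined into one triage pass over an app inventory. The following Python is an added example, not code from the original article or from any product it mentions; the `Inventory` fields, the `triage` rule and every package name are assumptions made for illustration, and only the `package:` line format of `adb shell pm list packages -3` comes from Android itself.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the line format printed by
# `adb shell pm list packages -3` (user-installed packages).
# Every package name below is invented for this example.
SAMPLE_PM_LIST = """\
package:com.example.chat
package:com.example.syncservice
package:com.example.flashlight
package:com.example.mdm.agent
"""


def parse_pm_list(text: str) -> set[str]:
    """Extract package names from `pm list packages` style output."""
    return {
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.startswith("package:")
    }


@dataclass
class Inventory:
    """What the owner can collect from the phone's settings (assumed shape)."""
    installed: set[str]       # user-installed packages
    with_icon: set[str]       # packages that show an icon in the app drawer
    device_admins: set[str]   # packages listed under "device administrators"
    recognised: set[str]      # packages the owner remembers installing
    unknown_sources: bool     # is "install from unknown sources" enabled?


def triage(inv: Inventory) -> list[tuple[str, list[str]]]:
    """Return unrecognised packages with the reasons each deserves a closer look.

    Packages the owner recognises are skipped, so a knowingly installed
    management agent is not reported just for being a device administrator.
    """
    findings = []
    # Device administrators are included even if they are not user-installed.
    for pkg in inv.installed | inv.device_admins:
        if pkg in inv.recognised:
            continue
        reasons = ["not recognised by the owner"]
        if pkg in inv.device_admins:
            reasons.append("holds device administrator rights")
        if pkg not in inv.with_icon:
            reasons.append("shows no icon")
        findings.append((pkg, reasons))
    # Most reasons first, then by name for a stable order.
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


def setting_findings(inv: Inventory) -> list[str]:
    """Device-level settings from the checklist that should be changed."""
    return ["disable 'install from unknown sources'"] if inv.unknown_sources else []


SAMPLE = Inventory(
    installed=parse_pm_list(SAMPLE_PM_LIST),
    with_icon={"com.example.chat", "com.example.flashlight", "com.example.mdm.agent"},
    device_admins={"com.example.syncservice", "com.example.mdm.agent"},
    recognised={"com.example.chat", "com.example.mdm.agent"},
    unknown_sources=True,
)

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE):
        print(f"{pkg}: {'; '.join(reasons)}")
    for item in setting_findings(SAMPLE):
        print(f"setting: {item}")
```

On the constructed inventory, the unrecognised package that is both a device administrator and icon-less sorts to the top, while the recognised management agent is not reported.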

This was only a very broad overview discussing the scope of the problem and basic remediation measures. We have no choice but to meet this emerging threat head on before it’s too late. Much like our adversaries, we have to adapt to a new, increasingly connected environment where the battle lines are blurry at best and ordinary users are on the front lines of a new kind of war.

Early police intervention linked to lower rates of domestic violence escalation

Police in Tarrant County, Texas, have started hand-delivering letters to individuals convicted of any form of abuse against an intimate partner, even relatively minor, non-violent crimes. The letters inform the perpetrator that they have been added to a registry of domestic violence perpetrators and that any future crimes will be treated very seriously. The goal is to halt the behavior before it escalates, and it appears to be working. Since the program’s inception, the rate of re-occurrence of intimate partner violence has been cut in half.

Read more: https://www.nbcdfw.com/news/local/Police-in-NE-Tarrant-County-Delivering-Letters-to-Put-Domestic-Violence-Offenders-on-Notice-513473961.html

Latina Safehouse: “Abusers continue using immigration status to control their victims”

Colorado-based domestic violence shelter, Latina Safehouse, reports that abusers are continuing to use immigration status as a form of control. By threatening deportation (either with or without their children), the abuser strives to keep their victim from reporting the crimes.

Read more: https://coloradosun.com/2019/07/29/colorado-domestic-violence-immigration-threats/

New members and territories join fight against digital violence

Originally published at https://stopstalkerware.org/2020/05/27/new-members-and-territories-join-fight-against-digital-violence/

Worldwide lockdowns reconfirm the need for strengthened international working group to domestic violence and stalkerware

The fight to protect consumers against stalkerware continues as eleven new organizations – AEquitas with its Stalking Prevention, Awareness, and Resource Center (SPARC), Anonyome Labs, AppEsteem Corporation, bff Bundesverband Frauenberatungsstellen und Frauennotrufe, Centre Hubertine Auclert, Copperhead, Corrata, Commonwealth Peoples’ Association of Uganda, Cyber Peace Foundation, F-Secure, and Illinois Stalking Advocacy Center – join the Coalition Against Stalkerware. Since its launch in November 2019, the Coalition Against Stalkerware now has 21 partners, including founding partners – Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape, and WEISSER RING. The Coalition seeks to combine its partners’ expertise in domestic violence survivor support, digital rights advocacy, and cybersecurity to address the criminal behavior perpetrated by stalkerware and to raise general awareness about this important issue. 

Domestic violence increases due to lockdowns

Growing the number of organizations united to fight stalkerware has never been more important than during these exceptionally difficult times. With lockdowns globally in place due to the COVID-19 pandemic, domestic violence incidents are increasing according to the US-based National Network to End Domestic Violence[1]. Other Coalition partners from different territories report similar increases[2], and the United Nations (UN) recognizes this as well. In early April, the UN Deputy Secretary-General, Amina Mohammed, explained that worldwide, the negative consequences caused by lockdowns are borne more by women as their risk of suffering from domestic violence is more likely to increase[3]. As well as physical abuse, many of these women need to be afraid of finding stalkerware on their phones. This is one of the most concerning problems resulting from domestic violence in general, not only during the ongoing pandemic, according to a bff survey conducted among women’s counselling and rape crisis centres in Germany[4].

Joint efforts

With the goal of helping victims and educating the public about the dangers of stalkerware, the founding members of the Coalition created a standard definition and detection criteria for stalkerware, which did not previously exist. During the first few months of their efforts, the Coalition partners have focused on raising greater awareness of stalkerware among advocacy organizations, journalists, and regulators through public speeches, events, publications, research, and collecting the cybersecurity vendors’ data on stalkerware.

To continue raising awareness about the issue of stalkerware, the Coalition Against Stalkerware has also produced an explanatory video available in six languages (English, French, German, Italian, Portuguese and Spanish) that has been launched today. The aim is to provide helpful information for victims and survivors to better understand and detect the warning signs of stalkerware. The video lists common indicators to check if a user thinks they may have become a victim of stalkerware, and what steps they should and should not take.

The Coalition’s helpful online resource for stalkerware victims has also been made available in six different languages. Users can now find information about what stalkerware is, what it can do, how to detect it, and how to protect themselves in English, German, French, Italian, Spanish and Portuguese. For potentially affected users, the Coalition members recommend contacting local victim service organizations immediately.

Finally, another member of the Coalition – National Network to End Domestic Violence – has released a Documentation and Evidence Collection App[5]. DocuSAFE is a free app available in English that helps survivors collect, store, and share evidence of abuse, such as harassing messages, online impersonation, or other images or videos documenting domestic violence, sexual assault, stalking, harassment, and dating violence. WEISSER RING also launched such an app last year, called “NO STALK” which is available in German[6]. It is important to note that these apps should not be used on devices that one suspects may be monitored.

The Coalition Partners’ future goals include, but are not limited to: improving detection and mitigation of stalkerware, developing best practices for ethical software development, and increasing technical capacity of survivors and advocacy organizations.

“Stalking impacts an estimated 6-7.5 million people in a one-year period in the United States and 1 in 4 victims report being stalked through some form of technology. Providing education and information to survivors, those working to respond to the crime of stalking, as well as to our communities at large is an essential first step in enhancing the safety of stalking victims and holding those who perpetrate such crimes accountable. We are excited to join this coalition of non-profits and IT Security Companies to enhance our collaborative response to stalking.” - Jennifer Landhuis, Director, Stalking Prevention Awareness & Resource Center.
“Anonyome Labs Inc. empowers people to be able to determine what information they share, and how, when and with whom they share it. We provide victims and potential victims of harassment, violence and abuse real and effective tools for protecting their personal information. We are proud to join the important Coalition Against Stalkerware to help stop tech-facilitated violence and abuse.” – JD Mumford, Co-CEO, Anonyome Labs, Inc.
“We believe that any software that tracks people’s actions without their awareness or their consent is evil. But because the people who buy stalkerware do so knowingly, we know that the only way to eradicate stalkerware is through a coordinated and holistic effort that attacks not just the stalkerware vendors, but also punishes those who enable its distribution. We are happy to contribute to and work with the Coalition Against Stalkerware.” – Dennis Batchelder, President, AppEsteem Corporation
“In Germany, for several years, Women’s Counselling Centres and Rape Crisis Centres have noticed an increasing use of stalkerware in conjunction with partner relationships. During the coronavirus pandemic, digital communication is, for many, often the only remaining contact option. Monitoring of communication and media usage by a violent partner can result in escalating dynamics of violence and making it more difficult to get support and help. Now, and any other time, victims of intimate partner violence need to have the possibility to protect their privacy and use media free from violence.” – Ans Hartmann, Project Coordination “active against digital violence”, bff: federal association of rape crisis centres and women’s counselling
“According to the study on cyberviolence in intimate relationships, conducted by the Center Hubertine Auclert in France, 21% of victims have experienced the use of stalkerware by their abusive partner, 69% of victims have the feeling that their personal information on their smartphone has been accessed by their partner in a hidden way. The stalkerware is an important source of danger and distress for victims. The Coalition is a great opportunity to bring together the expertise of the IT security sector and of NGOs specialized on violence against women. This synergy on an international level will be fruitful to create together the best solutions for victims’ protection.” – Clémence Pajot, Director, Center Hubertine Auclert
“Stalkerware is a terrible extension of the current offence and defense race in the mobile security world. Individuals should expect and demand privacy from the systems they use and their mobile devices are no exception. Stalkerware is a gross invasion of privacy and personal security - the equivalent of having a firm of private investigators tracking your every move. Currently this can happen, with minimal effort, to individuals and corporations with their mobile devices. The Coalition Against Stalkerware is an important social movement to stop the spread of this invasion of liberty and freedom.” - James Donaldson, Director and CEO, Copperhead
“Stalkerware is an extremely harmful example of the kind of threat that Corrata’s technology is designed to guard against. We are delighted to join forces with the other members of the Alliance to protect users against targeted stalkerware attacks. Spying on a partner or family member’s mobile device is a complete invasion of privacy. Designed with user privacy in mind, Corrata fights against the rising menace of stalkerware.” - Colm Healy, CEO, Corrata
“Over the last 14 years, the Commonwealth Peoples’ Association of Uganda, as a non-governmental organization, has been at the forefront in promoting the use of information and communications technologies for development (“ICT4D”) among the youth for social change & development in addition of being a champion in making sure that the World Summit on the Information Society (“WSIS”) Declaration of Principles (2005) are being implemented in Uganda. Partnering in the Coalition Against Stalkerware enables our organization to share important information and to access capacity building opportunities to protect Internet users from this type of software throughout the country.” - Kiapi K. Frederick, Executive Director, Commonwealth Peoples’ Association of Uganda
“In recent times we have seen a sharp increase in stalkerware and spyware use. It is a matter of concern because many are ignorant about the existence of these applications and the negative impact it can have on security and privacy and society at large. Cyber Peace Foundation is committed to aligning all our initiatives in line with the collective vision of the Coalition against Stalkerware.” - Capt. Vineet Kumar, Founder & President, Cyber Peace Foundation
"Stalkerware evolved from the same culture of mass surveillance and data collection that pervades the internet. But these tools’ accessibility to individuals without much technical know-how or resources makes stalkerware a threat that rings closer to home for many, particularly those who are already victims or vulnerable to abuse. We’re committed to protecting F-Secure’s customers from the culture of pervasive surveillance and data collection that's consuming our digital lives, and we hope that joining this coalition of like-minded organizations will enable us to address this threat at a wider scale."  - Christine Bejerasco, VP Tactical Defense Unit, F-Secure
“Stalking is unpredictable and can be dangerous which is why it is imperative for stalking advocates to thoroughly safety plan with their clients. The use of stalkerware in stalking cases often complicates efforts to safety plan with victims because it is often undetectable and even when stalkerware is suspected, there are often little resources available to remove stalkerware and prevent it from being reinstalled. Collaborating with the Coalition Against Stalkerware is an important first step to connect advocates and IT security professionals so we can work together to combat this growing problem.” - Kim Tipsord, Executive Director, Illinois Stalking Advocacy Center
“The Coalition Against Stalkerware is essential to the effort to coordinate academic researchers, law enforcement, anti-virus companies, and organizations working directly with survivors of domestic abuse and spying. The digital world is global, and so is domestic abuse, spying, and partner violence. I’m happy to see the Coalition welcome not just new technology companies, but also key voices from the Global South. I look forward to incorporating new threat models, so that the Coalition’s efforts can benefit survivors all over the world.” - Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation
“More and more, service providers see themselves confronted with offline violence continuing online. Perpetrators of cyber stalking cause immeasurable harm and undermine victims’ sense of safety. The Coalition Against Stalkerware is a unique chance to bring together NGO and technical knowledge. We are proud to welcome new members to this incredible effort. Together, we will ensure perpetrator programmes have the necessary knowledge and resources to hold perpetrators accountable for their violence - offline and online.” - Anna McKenzie, Communications Manager, European Network for the Work with Perpetrators of Domestic Violence (WWP EN)
“No company or NGO can fight stalkerware alone - it takes a village. I am therefore very happy that many new members are joining the coalition to contribute to this crucial cause and bring in their respective skills and connections. Especially in this trying time domestic violence and espionage against partners is an important topic that needs much more awareness.” - Hauke Gierow, Spokesperson, G DATA CyberDefense
"The threat of stalkerware is constantly on our radar. In April 2020 alone, we detected that 8,201 users worldwide had stalkerware installed on their mobile devices. While in April 2019, this number was 7,736. We see that statistics are changing from month to month and year to year. To further improve the detection of such software in the cybersecurity industry, we are glad to see more organizations joining the Coalition Against Stalkerware and therefore sharing our knowledge with and inside this group dedicated to protecting users against stalkerware. Beyond detection, further research on the link between cyberviolence, physical violence and the gendered nature of stalkerware use is crucial in order to develop a clearer picture and better understanding of this issue. For that we are proud to be working together with our fellow Coalition members," – Tatyana Shishkova, Senior Malware Analyst, Kaspersky
“Stalkerware is both a global and local human rights issue, and to address it, we’re seeking help from every region. Today, we are proud to welcome new members to the Coalition from around the world who bring community-based expertise both in researching the threats of stalkerware, and in providing support and proactive digital protections for domestic abuse survivors. With their help, we hope to develop more nuanced and informed strategies of prevention.” - David Ruiz, Online Privacy Advocate, Malwarebytes
“Survivors have the right to safety and privacy. We know that a safe home means that survivors have access to safe and secure devices free from stalking, monitoring and tracking. The National Network to End Domestic Violence is proud to partner with technologists, global advocacy organizations, and direct service providers to further the work around ending stalkerware as we all work to end violence for all.” - Erica Olsen, Director of the Safety Net Project at the National Network to End Domestic Violence
“In the last year, we have identified nearly 11,000 apps we consider to be stalkerware and have detected roughly 1,250 infected mobile devices monthly. As a founding member of the Coalition Against Stalkerware, NortonLifeLock takes digital and domestic violence seriously and has worked diligently to research the data, help define the issues and identify and report cases related to stalkerware. With the addition of eleven new organizations to the Coalition, we look forward to continuing to fight and protect consumers with more experts and organizations across the globe.” – Kevin Roundy, Technical Director, NortonLifeLock
“Increasingly, we’re seeing abusers, stalkers, and harassers using stalkerware tools to control and harm their victims. The effect can be devastating when a person impacted by those crimes doesn’t know when it’s safe to communicate or how to reach out for help. Fortunately, the actions of this coalition, strengthened by its newest members, continue to make significant progress in raising awareness and developing easy tools to allow even non-technical victims to detect stalkerware and take actions to protect themselves.” - Chris Cox, Director, Operation Safe Escape
“As a victim support organization, we know that victims suffer from stalking. Those who are affected rarely seek help, because they feel ashamed and blame themselves. Victims of stalkerware suffer particularly because of the far-reaching digital possibilities we have today: There are hardly any shelters left for them when cyberstalking pervades their digital lives. This not only limits the quality of life but also creates a feeling of powerlessness and the feeling that they are completely and utterly at somebody’s mercy. Even if stalking does not always leave visible marks, victims often react with strong psychological stress symptoms. We face such cases in our victim work. According to police crime statistics, there were almost 19,000 cases of stalking in Germany in 2018, 500 more than in the previous year. That is why we have developed the NO STALK app together with the WEISSER RING Stiftung to provide victims with an effective tool for documenting stalking. For us as WEISSER RING, it is important to offer support to those who are affected by stalking. We do so via the app to report the actions but mainly in personal conversations and support, for example when we accompany them to the police. The WEISSE RING is available to help over 700 stalking victims every year. Our civic engagement helps victims of crime to rebuild their lives after being victimized.” – Horst Hinger, Deputy Managing Director, WEISSER RING

About Coalition Against Stalkerware

The Coalition Against Stalkerware (“CAS” or “Coalition”) is a group dedicated to addressing abuse, stalking, and harassment via the creation and use of stalkerware. Currently comprised of direct service and international victim service agencies, as well as information technology security firms, the Coalition looks to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and raise public awareness about this important issue. Due to the high societal relevance for users all over the globe, with new variants of stalkerware emerging periodically, the Coalition Against Stalkerware is open to new partners and calls for cooperation. To find out more about the Coalition Against Stalkerware please visit the official website www.stopstalkerware.org

[1] WIRED article, “Tech Is a Double-Edged Lifeline for Domestic Violence Victims”, 28 April 2020.

[2] As examples:
In France, the Centre Hubertine Auclert explains that there is a 50 % increase of calls to the main helpline for domestic violence victims (helpline 3919 of the Fédération Nationale Solidarité Femmes).
For India, the Cyber Peace Foundation refers to the National Commission for Women (NCW) reporting 587 complaints on their helpline number and online portal since the lockdown kicked into effect in March. Also, Cyber Peace Foundation states that 89% of the total number of cases registered to legal services authorities across the country were of domestic violence.

In Europe, the European Network for the Work with Perpetrators of Domestic Violence (WWP-EN) said that their members reported significant increases in activity.

[3] UN News “UN backs global action to end violence against women and girls amid COVID-19 crisis”, 6 April 2020.

[4] bff report “Digitalization of gender specific violence” 2017.

[5] Website by the NNEDV, DocuSAFE: Documentation and Evidence Collection App.

[6] Website by WEISSER RING, NO STALK.