What is Stalkerware?

Spyware is typically deployed to gather personal information that can either be exploited in a later attack or sold. When spyware is commercialised and sold to provide covert surveillance of a specific individual, we call it stalkerware.

Which threat actors use stalkerware?

To be frank, if you are hit by a stalkerware attack it most likely originated from someone close to you, typically a partner or spouse. Installing stalkerware requires a high degree of access to the device, commonly a mobile phone, in practice hands-on access to an unlocked device. Once installed, most tools must be registered with the vendor's service; the attacker then uses that account to monitor the device.

In rare cases an external attacker first compromises the device remotely and then installs the stalkerware. This is generally limited to attackers with a strong incentive to track a high-value target.

Primary impact

Ignoring the morality (or lack thereof) of digitally stalking someone, the target is exposed not only to the attacker but to other threats as well. Because stalkerware sits at the darker end of the moral grey spectrum of apps, it is generally not distributed through the official app stores, which means it never goes through the review and quality checks that approved apps face.

Apps like Copy9 and thetruthSPY have been reverse engineered and turned out to be the same app communicating with different servers. The stalkerware app mSpy has suffered two data breaches in three years, leaking millions of records: the victim's data ends up not only with the stalker but with whoever breaches the vendor.

Secondary risks

As mentioned, these apps do not come from the app store. Most devices block the installation of apps from unknown sources by default, so to install the stalkerware the attacker must disable that protection, and in most cases it is left disabled. That leaves the device open to any other sideloaded app, putting you at risk of further infection.

Will antivirus help?

Antivirus products typically flag stalkerware as 'not-a-virus', meaning it is not classed as inherently malicious, only as potentially risky, so it is not always blocked outright. Many of these apps also take aggressive steps to stay under the radar. Reptilicus, for instance, scans the device against a list of packages (all of them antivirus products) and, if it finds one, prompts the user (in practice the person installing it) to either remove the antivirus program or whitelist Reptilicus in it.

Take away

Spyware is bad, no surprise there, but the risk of secondary incidents is what stands out. From additional infections enabled by disabled protections to data leaks by third parties, the commercialisation of spyware has only increased the risk of incidents for the victim.

If you want to determine whether your device may carry stalkerware, a first check is straightforward:

Android: Check whether installation of apps from unknown sources is enabled. This is found in the security settings of your device; on Android 8 and later it is a per-app permission ('Install unknown apps') rather than a single toggle, so review which apps have been granted it.

iOS: If your device is jailbroken, you are at risk. If the Cydia app is installed without your knowledge, compromise is highly likely.

Windows: Check the processes running in Task Manager for anything suspicious, and review the exclusions (whitelisted applications) configured in your antivirus.

Mac: Check Activity Monitor for unfamiliar running processes and, likewise, review the exclusions configured in your antivirus.
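The Android check above looks at whether sideloading is allowed; the script below goes one step further and lists what was actually sideloaded. It is an added example, not part of the original post or of any product mentioned in it. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with the installer that placed them) and flags every package that did not come from Google Play (`com.android.vending`); anything pushed with `adb install` or by an unfamiliar installer shows up as `installer=null` or as that installer's package name. With no device attached it runs against constructed sample output; the package names in that sample are placeholders, not real stalkerware identifiers.

```shell
#!/bin/sh
# Added example (not from the original post): flag third-party Android packages
# that were not installed by Google Play, using the installer field printed by
# `adb shell pm list packages -3 -i`. Sample data below is constructed and the
# package names in it are placeholders.

PLAY_STORE="com.android.vending"

# flag_sideloaded: read `pm list packages -3 -i` output on stdin and print one
# line per package whose installer is not the Play Store.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;                     # not a package record, skip it
        esac
        rest=${line#package:}
        pkg=${rest%% *}                        # package name ends at the first space
        case "$rest" in
            *installer=*) installer=${rest##*installer=} ;;
            *) installer="unknown" ;;          # older pm output without -i support
        esac
        [ "$installer" = "$PLAY_STORE" ] && continue
        printf '%s (installer=%s)\n' "$pkg" "$installer"
    done
}

# Constructed sample in the format `pm list packages -3 -i` prints
# (two spaces between the package name and the installer field).
SAMPLE='package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=com.android.vending
package:org.example.monitor  installer=null
package:com.example.sync  installer=com.example.thirdpartystore'

# Run live when adb is present and a device is attached; otherwise use the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    echo "== Third-party packages not installed by Google Play (connected device) =="
    adb shell pm list packages -3 -i | tr -d '\r' | flag_sideloaded
else
    echo "== No device attached; running against constructed sample =="
    printf '%s\n' "$SAMPLE" | flag_sideloaded
fi
```

Every line the script prints is a package that bypassed the store, so each one needs a manual explanation (a corporate MDM agent or a side-loaded F-Droid app is legitimate; an unrecognised package with device-admin rights is not). On Android 7 and earlier, `adb shell settings get secure install_non_market_apps` returning `1` confirms the unknown-sources toggle discussed above is on; on Android 8 and later that setting is per app instead, which is why enumerating the installer of each package is the more reliable check.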