SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Tue, 18th May 2021

Android stalkerware is on the rise, according to new research from ESET.

Mobile stalkerware is monitoring software silently installed by stalkers onto victims' mobile devices without their knowledge. It is also known as spouseware.

Stalkerware can track the GPS location of a victim's device, conversations, images, browser history and more. It also stores and transmits all the data.

Generally, the stalker needs to have physical access to a victim's device so as to side-load the stalkerware. Because of this, stalkers are usually someone from the close family, social or work circles of their victims.

In 2020, ESET telemetry recorded almost five times more Android stalkerware detections than in 2019, this after a five-fold increase the previous year. In addition, ESET Research says it has discovered serious vulnerabilities in Android stalkerware apps and their monitoring servers that could result in serious user impact if exploited.

"For stalkerware vendors, to stay under the radar and avoid being flagged as stalkerware, their apps are in many cases promoted as providing protection to children, employees, or women, yet the word spy is used many times on their websites," explains ESET researcher Lukas Stefanko.

"Searching for these tools online is not difficult at all; you do not have to browse underground websites," he says.

"If nothing else, stalkerware apps encourage clearly ethically questionable behaviour, leading most mobile security solutions to flag them as undesirable or harmful."

ESET researchers manually analysed 86 stalkerware apps for the Android platform, provided by 86 different vendors. This analysis identified many serious security and privacy issues that could result in a third party (an attacker) taking control of a victim's device, taking over a stalker's account, intercepting a victim's data, framing a victim by uploading fabricated evidence, or achieving remote code execution on a victim's smartphone.

Across 58 of these Android applications, ESET discovered a total of 158 security and privacy issues that can have a serious impact on a victim. The cybersecurity firm also says that even the stalker or the app's vendor may be at some risk.

Among the most prevalent issues were insecure transmission of users' personally identifiable information; storage of sensitive information on external media; exposure of sensitive user information to unauthorised users; server-side leaks of stalkerware client information; and unauthorised data transmission from device to server.

"Following our 90-day coordinated vulnerability disclosure policy, we repeatedly reported these issues to the affected vendors," says Stefanko.

"Unfortunately, to this day, only six vendors have fixed the issues we reported in their apps," he says.