Helping survivors of domestic abuse: What to do when you find stalkerware

Helping survivors of domestic abuse: What to do when you find stalkerware

We’re going to talk about something different today. We’re going to talk about domestic abuse.

Earlier this year, cybersecurity company Kaspersky Lab announced that the latest upgrade to its Android app would inform users about whether their devices were running stealthy, behind-the-scenes monitoring apps sometimes referred to as stalkerware.

This type of software can track unsuspecting victims’ locations, record phone calls, peer into text messages and emails, pry into locally-stored photos and videos, and rifle through web browsing activity, all while hidden from view.

Though often, and shamelessly, advertised as a tool for parents to track the activity of their children, these apps are commonly used against survivors of domestic abuse.

It serves as no surprise. Stalkerware coils around a victim’s digital life, giving abusive partners what they crave: control.

Electronic Frontier Foundation Cybersecurity Director Eva Galperin, who pushed Kaspersky Labs into improving its product, told Motherboard at the time of the company’s announcement:

“I would really like to see other [antivirus] companies follow suit, so that I can recommend them instead of just one company that has shown that they are committed to doing this… I’d like to see this be the industry standard so it doesn’t matter which product you’re downloading.”

Malwarebytes stands up to this commitment, as we have for years.

But starting today, we’re going to do more than improve our stalkerware detection capabilities. We’re going to help survivors understand this danger and know what to do if they’re being digitally tracked.

Finding proof of stalkerware

Stalkerware presents a unique detection problem for its victims—it often hides itself from public view, and any attempt to find it could be recorded by the stalkerware itself.

Further, the US government has done little to help. Despite a previous FBI investigation that led to the court-ordered shut down of the stalkerware app StealthGenie, countless other stalkerware apps still operate today.

CitizenLab, a research institution at the University of Toronto that focuses on technology and human rights, recently produced a study on the harms of stalkerware. Researchers studied eight apps based on their monitoring capabilities and relative popularity—analyzed through Google Trends, web searches, and “best of” lists. The study focused on the following apps which are used in the US, Canada, and Australia: FlexiSpy, Highster Mobile, Hoverwatch, Mobistealth, mSpy, TeenSafe, TheTruthSpy, and Cerberus.

Malwarebytes Labs has previously written about the technological signs of stalkerware—quickly-depleting battery life, increased data usage, and longer response times than usual—but we wanted to explore what stalkerware looks like from a behavioral aspect. We spoke to multiple domestic abuse networks and advocacy groups, and one troubling fact arose repeatedly:

Symptoms of stalkerware are not proof of stalkerware.

Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, said her organization consistently hears stories from domestic abuse survivors who are struggling to explain how their partners know about their phone calls, text message conversations, emails, and even visited locations.

“Survivors could come to law enforcement and say ‘My ex knows about the text messages I sent, and I don’t know how they know that,’” Olsen said. But, she said, the signs don’t always guarantee the use stalkerware.

“Could the [recipient] have just told [the ex]?” Olsen said.

In determining the presence of stalkerware, Olsen said survivors should assess several factors:

  • Does their abusive partner have physical access to their device—a common situation for couples who live together?
  • Does their abusive partner know the passcode to unlock a device—another situation that depends on whether an abusive partner even allows for that level of agency and freedom from their victim.
  • Can their abusive partner view call logs on their device, learning who was called, how often, and for how long?
  • Does their abusive partner know the content of phone calls?
  • For domestic abuse survivors who have physically escaped their abuser, do their abusers still know about recently-taken photographs, locations visited, and any information that is typically locked behind an account or device passcode?

Further, Olsen said that domestic abuse survivors should study how the private information is being used by an abuser.

“Abusers will end up hinting at all the things they know that they shouldn’t know,” Olsen said. “That is the most frequent thing we hear from survivors, advocates, and law enforcement—the number one thing is identifying that an abuser knows ways too much.”

Olsen continued: “They know text messages, emails, they have access to accounts logged into via [the survivor’s] phone. That’s when we immediately have to start talking to survivors about what they think is safe.”

While every safety plan is unique, and every domestic abuse situation nuanced, Olsen offered one top-level piece of advice that applies to all survivors: Trust yourself. You know the feeling of being watched and controlled—whether through physical, emotional, mental, or digital means. You should trust those feelings and never discount your own concerns. 

The following ideas do not present a catch-all “solution” to finding stalkerware on a device. Instead, they present information that will hopefully guide survivors toward safety.

Evaluate your own level of safety

Determining what is safe for you is crucial. What you discover in this process can impact what other steps you take after learning about or suspecting the presence of stalkerware on your device.

Ask yourself several questions about what steps you can reliably take.

  • Do you have people you can ask for support?
  • Can you communicate with those people from a safe, non-monitored device?
  • Can you change your social media account passwords?
  • Can you change your own device passcode?
  • Are you allowed to have a device passcode?
  • Can you install antivirus and anti-malware programs on your own device?
  • What would be the consequences of your abusive partner discovering that you are trying to get rid of stalkerware?
  • Do you want to bring in law enforcement?

If all this seems overwhelming, remember that the National Domestic Violence Hotline is there to help.

Your every move might be recorded

When determining your own level of safety, it’s important to remember that everything you do on your compromised device could be recorded and watched by an abusive partner. That means your web browsing activity, your text messages, your emails, and all of your written correspondence could be far from private.

Know what apps are on your phone and what permissions they’re allowed

Olsen advised that domestic abuse survivors know what apps are on their devices at any given moment. While this guideline does not reliably catch hidden stalkerware apps, it does give you an opportunity to understand what other apps might have been installed on your device in an attempt to surveil you.

Remember, abusive partners do not need stalkerware to victimize and control their partners. Instead, Olsen said, abusers can rely on technology misuse.

“The vast majority of our work is in looking at misuses of general technologies that have 100 different good uses, that are never intended to be misused,” Olsen said. “The ownership [of abuse] is always on the abuser for their behavior. If you remove technology, you’re still going to have an abusive person.”

Shaena Spoor, program assistant with W.O.M.A.N. Inc., offered a couple of examples of technology misuses that she has heard about.

“We had some concerns with Snap Maps,” Spoor said about the Snapchat feature rolled out in 2017 that let users find their friends’ locations. Every user that agreed to share their location had their locations updated with every app use.

“For some people, they didn’t realize that locations had been [turned] on,” Spoor said. “If you don’t use the app very often, you’re just sitting on a map, super findable.”

Spoor said she also heard of domestic abuse survivors whose locations were tracked through the use of the location-tracking product Tile. Though sold to legitimately track luggage, wallets, and purses, domestic abusers can also sneak the small plastic device into your jacket or work bag. When the abuser loads up the Tile app, they can then get a real-time result of that device, and thus, your location.

“People use Tile, for example, and hide them in survivor’s stuff,” Spoor said. “[Survivors] are showing up at domestic violence shelters and finding it hidden in a bag.”

Create new online account logins and passwords from a safe device

This one comes straight from the National Network to End Domestic Violence’s Technology Safety project. You should think about making new account logins and passwords.

As one of the the Technology Safety project’s many resource said:

“If you suspect that anyone abusive can access your email or Instant Messaging (IM), consider creating additional email/IM accounts on a safer computer. Do not create or check new email/IM accounts from a computer that might be monitored.”

The Tech Safety resource also advises you to open new accounts with no identifying information, like real names or nicknames. This step should be considered for all important online accounts, including your banking and social media accounts.

Always remember to do this from a safe computer that is not being monitored.

Factory reset or toss your device

Multiple organizations recommended that any stalkerware victim take immediate steps to toss, or wipe clean, their current device. There are a few options:

  • Toss your device and buy a new one
  • Factory reset your device
  • Keep your compromised device, but purchase a new phone that you use for confidential conversations

Olsen advised that every situation has its own unique challenges, and she urged domestic abuse survivors to consider the potential outcomes of whatever option they choose. She said her organization works closely with domestic abuse survivors to come up with the best plan for them.

“We think about the abuser, who no longer has remote access to [the survivor]—they will try to get physical access, and that is a real concern which absolutely could happen,” Olsen said. “If the survivor thinks that [might happen], we try alternatives—buying a pay-as-you-go phone, use it to have critical conversations, private ones, but still keep the regular phone for silly things and to keep the [abuser] at bay.”

Chris Cox, founder of Operation Safe Escape, which works directly with domestic abuse networks and shelters and law enforcement to provide operational and cybersecurity support, echoed similar advice.

“What we always advise, consistently, if an abuser ever had access to the device, leave it behind. Never touch it. Get a burner,” Cox said, using the term “burner” to refer to a prepaid phone, purchased with cash. “You have to assume the device and the accounts are compromised.”

Further, Cox cautioned against survivors trying to wipe stalkerware from a device, as it could introduce a “new vulnerability” in which an abuser learns—through the stalkerware itself—that their victim is trying to thwart the abuser.

Instead, Cox said, “whenever possible, the device is left behind.”

Approach law enforcement

Working with the police is a step taken by survivors who want to take legal action, whether that means eventually obtaining a restraining order or bringing charges against their abuser.

Because of this step’s nuance, you should take caution.

Olsen said that, of the successful attempts she has learned of survivors working with local police, the survivors already have a firm safety plan in place, and they have built a relationship with domestic abuse shelters and advocates. She said that, together with their support network, survivors have managed to get confessions out of their abusers.

But, Olsen stressed, trying to get an abuser to admit to their abusive and potentially criminal behavior is not a step to be taken alone.

“I do not suggest doing this in isolation, but if they’re working with advocates, I have heard of some survivors strategically communicating with abusers,” Olsen said. “It is amazing how many times abusers admit to [using stalkerware].”

Also, survivors should be wary of how police can be used against them, said Cox.

“Abusers, as a whole, are adept at using the law as a weapon,” Cox said. “If a phone belongs to a victim, and it happens to be in the abuser’s name, if the victim leaves and the abuser reports it stolen, [law enforcement] are used as a weapon to track the victim down.”

Call the National Domestic Violence Hotline

If you find stalkerware on your device, or you have strong suspicions about an abusive partner knowing too much about your personal life—with details from text messages and knowledge of private photos—call the hotline from a safe device.

The number for the National Domestic Violence Hotline is 1−800−799−7233.

The hotline’s trained experts can help you find the safest path forward, all while maintaining your confidentiality.

Seek help from various online resources

If you want to find more information online, from a safe device, read through any of these resources about dealing with domestic abuse, stalkerware, and the misuse of technology:

Malwarebytes has also written a few articles on types of technology, malicious or not, that are often abused to their victims’ detriment. Awareness of what’s out there and how it can be used against you can help you stay safe:

And if you are able to install an anti-malware program on your mobile device, running a scan with Malwarebytes for Android can help you detect and remove stalkerware apps—as well as keep a log of which apps were installed on your phone, which is valuable information if you choose to work with law enforcement.

We’re here for you. We care. And we’ll always do what we can to help users have a safe online—and offline—experience with technology.

Stay tuned for our next article in our stalkerware series, which will explore which monitoring apps are safe for parents to use, and which should be avoided. Stay safe.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.