For Cybersecurity and Domestic Violence Awareness months, we pledge to fight stalkerware

For Cybersecurity and Domestic Violence Awareness months, we pledge to fight stalkerware

Starting today, two hallmark holidays are upon us. No, it’s not Halloween and Thanksgiving. It’s both Cybersecurity Awareness Month and Domestic Violence Awareness Month.

It’s no coincidence these two awareness campaigns overlap. What were once seen as separate realities—the physical and the digital—are increasingly blurred as our offices, schools, and hospitals move from paper to screen. Our homes are operationally Internet-connected, and our personal and professional relationships are colored by the way we interact online.

Through the ubiquity of mobile devices and social media, an argument can be made that we’re already living in an augmented reality. And there is no better evidence than the real-life fallout experienced by victims of technological abuse—cyberattacks lead to identity theft and empty bank accounts, frozen assets for businesses, or worse, whole cities shutting down.

But no line is as blurry as the one toed by domestic violence abusers, who use software called stalkerware to leverage their partner’s digital footprint for physical control. And it’s stalkerware that we’re here to talk about—and hopefully eradicate—as we kick off a month of continued awareness and action.

In honor of Cybersecurity and Domestic Violence Awareness months, then, we renew our pledge to fight stalkerware. And we encourage other vendors to step up their efforts so we can work together to stomp out this scourge on the Internet once and for all.

What is stalkerware?

Stalkerware is software that was created to monitor a person’s activities on their computer or, more commonly, their mobile device—without that person’s knowledge. Though often advertised as a tool for parents to track their children’s activities, these apps are more commonly used for nefarious purposes.

Stalkerware applications can track unsuspecting victims’ locations, record calls, view text messages, pry into locally-stored photos, and rifle through web-browsing activity, all while hidden from view. To highlight, here is a list of information that stalkerware can gather—all of which can be sent to a remote user—as well as activities an abuser can conduct on a user’s device without their knowing or consent:

  • Exact geographic location via GPS
  • IP address of device
  • SMS message history
  • Call history, including call length
  • Browser history
  • Contacts, including phone numbers and email addresses
  • Email account credentials
  • Email content from all accounts accessed from device
  • Photos, videos, and audio recorded and stored on the device or connected cloud account
  • Can take pictures with front/rear camera
  • Can record audio via device mic
  • Can remotely turn on and off device

Malwarebytes detects stalkerware applications through the longtime mobile threat category monitor, which is a subset of potentially unwanted programs (PUPs). Because some of these stalkerware applications can be used “legitimately,” they are currently flagged as programs users might not want on their phones. However, once presented with what stalkerware can do (or once gaining knowledge of a program that’s been installed on their device without consent), many users will likely want to delete these apps.

These applications represent real-life threats to domestic abuse victims, who can readily be tracked down (along with their children), even when hidden in shelters.

How to fight stalkerware

Historically, the cybersecurity industry has turned a blind eye to stalkerware. Because many of these applications are available on legitimate platforms (including iTunes and the Google Play Store) and marketed as harmless child-monitoring software, an argument could be made for their valid existence.

But reaching back more than five years, Malwarebytes has drawn a hard line in the sand about its tolerance for stalkerware. We simply won’t stand for it. We blocked it years ago, doubled our intelligence and detection capabilities back in June, and continue to press for awareness and action from advocacy groups, shelters, law enforcement, and other vendors.

So what can other vendors and individuals do to step up their efforts to fight stalkerware? For starters, many other antivirus companies don’t detect monitoring or stalkerware applications at all. Coming up with rules for stalkerware detection and adding them to their product databases can help users on any security platform better protect against these threats.

Second, spreading awareness about these types of apps and how to protect against them is key. Users should Google and Google some more to learn all they can on stalkerware. We’ve linked many of our own articles in this blog, for starters.

Advocates should listen closely to their victims who are being tracked through their phones—does it sound like they have a stalkerware problem? If so, download security apps that can scan for and remove these threats and other forms of surveillance, including spyware.

For other ideas on what cybersecurity companies could do to fight stalkerware, take a look at what we’ve done so far in 2019:

  • Analyzed more than 2,500 samples of programs that had been flagged in research algorithms as potential monitoring/tracking apps, spyware, or stalkerware
  • Grown our database of known stalkerware to include over 100 applications that no other vendor detects and more than 10 that are, as of presstime, still on Google Play
  • Developed a set of awareness blogs for domestic abuse survivors and advocates on what to do if they have stalkerware on their phones, how to protect against stalkerware, and how organizations supporting victims of stalking can secure their data
  • Spoken with local nonprofit and advocacy groups about stalkerware and how to protect against it, as well as shared intel with local law enforcement and attorneys general
  • Presented at the National Network to End Domestic Violence’s annual Tech Summit, with information on protecting both domestic violence survivors and the advocates who are with them in the field
  • Released Malwarebytes Browser Guard, which protects against tracking applications and extensions used on browsers
  • Partnered with other vendors and domestic violence awareness advocates on creating avenues for intel-sharing, definition of the threat, and underscoring that this issue is deeper than owning proprietary signatures and detections

More to come

While we’ve committed to kicking stalkerware’s ass over the last five plus years, our work is far from over. Over the next month, we plan to follow up with articles on how individuals and organizations can do their part to better understand this threat and the way it can be used to endanger people’s safety. We’ll also continue with local and national outreach efforts, hoping to both equip advocates with technological understanding and learn from victims themselves what else can be done to support their needs.

At the center of themes regarded as important and relevant today—privacy, technological autonomy, and civic responsibility—sits stalkerware and the cybersecurity community’s response to it. We must band together to squash this threat instead of fluffing it off in favor of “sexier” and scarier-sounding malware. We must pay more than lip service to defending users from physical harm, instead offering solace and protection for those in need. And we must use the full capabilities of our technology to keep users safe from stalkerware, even if it doesn’t directly impact us.

We know what we’ll be doing at Malwarebytes to fight stalkerware. We hope you’ll join us in the fight.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.