TinyCheck: Stalkerware detection that doesn’t leave a trace

In 2019, when Malwarebytes helped found the Coalition Against Stalkerware, which brings together cybersecurity vendors and nonprofits to detect and raise awareness about stalkerware, we encountered a significant roadblock in our fight: For some users, the very detection of these potentially privacy-invasive tools could put their lives at greater risk.

In short, we needed a way to detect stalkerware-type apps without the detection being discoverable by stalkerware-type apps or their users.

Now, a new tool makes that far more possible.

Developed by a small team at Kaspersky, “TinyCheck” represents the latest technological effort from a Coalition Against Stalkerware member to continue the fight against a digital threat that can rob people of their expectation of, and right to, privacy. It is just one of the many advancements from the Coalition Against Stalkerware, which meets routinely to discuss ongoing research, new member applications, regional outreach, and advances in detections.

What is TinyCheck?

TinyCheck is an open-source tool available on GitHub that requires a higher technical skillset than downloading and running any of the apps made by the Coalition Against Stalkerware’s cybersecurity vendors. Those apps, like Malwarebytes for Android, are installed directly on a device where they can perform malware scans to detect and remove suspicious or dangerous programs.

TinyCheck, on the other hand, runs separate from a smartphone, on a computer like a Raspberry Pi. Functionally, TinyCheck is configured to act as a WiFi access point. Once set up and connected to a smartphone, TinyCheck will analyze that smartphone’s Internet traffic and determine if it is sending data to a known, malicious server.

Kristina Shingareva, head of external relations for Kaspersky, said that TinyCheck “was built with the idea of making it impossible to identify its use via a stalkerware app.”

“The analysis of the checked device is only available to the individual person using TinyCheck with their own equipment,” Shingareva said. “It is not shared anywhere: neither Kaspersky nor any other party will receive this data.”

Further, Shingareva said that TinyCheck analyses are performed locally, and the data from those analyses, including full packet capture, logs, and a PDF report, can only end up on a USB stick that users can plug in to save records, or on a computer, if TinyCheck is running in a browser from a remote workstation.

This may sound like a lot of technical fuss for the everyday user, but the value is tremendous. When used correctly, TinyCheck can overcome what we are calling the “stalkerware detection dilemma.”

The stalkerware detection dilemma

For years, the detection of stalkerware-type apps followed the same model: If a user thought they had a malicious app on their phone, they downloaded a separate, anti-malware app to find that malicious app and then potentially root it out.

This makes sense, as early stalkerware detection fell somewhat haphazardly to the individual cybersecurity vendors that were already protecting people’s computers from other cyberthreats, such as malware, ransomware, and Trojans.

But as effective as that cyberthreat detection model is, it makes a lot of assumptions about its users. First, it assumes that users have full agency of their computers and devices, able to download a separate program on their own, and then run that program with little interference. Second, it assumes that the removal of a cyberthreat is the best way to keep a user safe.

In reality, those assumptions could be dangerous when dealing with stalkerware.

As we have written about on Malwarebytes Labs, there is a documented intersection between stalkerware use and domestic abuse. Domestic abusers have repeatedly used these tools to invade the privacy of their partners’ lives, prying into their text messages and emails, revealing their web browsing history, pinpointing their GPS location, and secretly recording their phone calls.

For many domestic abusers, stalkerware can serve as a digital method to maintain control of their partner’s life. For the survivor, then, the removal of a stalkerware-type app can actually cause more harm, cutting off their abuser’s control and only enraging them. Further, many domestic abuse survivors simply do not have sufficient device control to download and run an anti-malware application on their phone. Their phones may be shared with their abusers, or their phone’s passcode may be required to be shared, or their abuser may not even allow them to have a passcode on their phone at all.

Finally, some stalkerware-type apps can also see a device’s most recently installed app, the device’s screen when active, and the notifications delivered to the device, which could in turn reveal that a survivor downloaded an anti-malware scanner, used the scanner, and then received a notification about a stalkerware-type app present on the device.

Here, then, is the stalkerware detection dilemma: How can we safely detect these threats when the detections themselves could lead to more harm?

It is a question that many members of the Coalition Against Stalkerware have asked, and shortly after the Coalition welcomed Centre Hubertine Auclert as an associate partner, the French organization began working with Kaspersky to find a solution. Inspired by the opportunity, Kaspersky researcher Félix Aimé charged ahead, eventually releasing the first version of TinyCheck last year.

It has since gained new features and seen promising adoption.

Big impact

Though TinyCheck has a higher technical bar for use, it can help address an important gap.

According to Shingareva, Kaspersky relied on several of its experts to run a workshop in January that invited individuals from 15 French associations working to prevent and protect people from domestic abuse. Shingareva said that the company is also supporting TinyCheck in Australia, where it will launch a pilot phase of testing with the network committed to women’s domestic and family violence services, WESNET.

So far, TinyCheck has also been “starred” by more than 1,700 users on GitHub, and the introductory video to TinyCheck on YouTube has obtained more than 4,600 views.

Recently, Kaspersky’s developers updated TinyCheck to be able to send notifications to users when new updates are available. The company is also adding new languages to the user interface, with current functionality available in English, French, Spanish, and Catalan.

Shingareva said it is important that advocate networks and non-governmental organizations committed to protecting survivors of domestic abuse are heavily involved in the further development of TinyCheck. With yet another tool to help fight against stalkerware threats, we are hopeful for the future.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security editor. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.