Stalkerware activity drops as glaring spying problem is revealed

Stalkerware activity drops as glaring spying problem is revealed

North America has a spying problem. Its perpetrators are everyday people.

According to recent research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

But while consenting adults can and increasingly do agree to share passwords, locations, and devices with their romantic partners, another statistic deserves scrutiny: 41 percent of the people who admitted to monitoring their partners said they did so without permission.

These numbers are particularly disappointing to report just months after Malwarebytes presented original data at the National Network to End Domestic Violence’s Technology Summit that showed that stalkerware-type activity had dropped significantly from an all-time high three years prior, when shelter-in-place orders were issued to originally limit the spread of COVID-19.

The two issues, while not identical, share an overlap, which is that the non-consensual tracking of another adult is always spying.

It’s spying when governments do it through opaque, mass surveillance regimes, it’s spying when companies do it through shadowy data broker networks that braid together disparate streams of information, and it’s spying when private individuals do it through unseen behavior on personal devices.

Malwarebytes has a firm history in opposing surveillance—in the homeat school, and around the world—and this October, during Domestic Violence Awareness Month, Malwarebytes again commits itself to advocating for user privacy, whether from a person’s government, the corporations they interact with, or from those most capable of abuse.

Monitoring without permission

This month, Malwarebytes released new research into the cybersecurity and online privacy beliefs and behaviors of 1,000 respondents in the United States and Canada. The report, titled “Everyone’s afraid of the internet and no one’s sure what to do about it,” reveals the dismal rates of adoption for antivirus software, two-factor authentication (2FA), password managers, and unique passwords across online accounts.

But the report also explores the methods and stated justifications for individuals who spy on their romantic partners.

Of all people (which is the General Population of respondents involved in Malwarebytes’ 1,000-person survey) who admitted to monitoring their partners online without permission:

  • 23 percent looked through messages (texts, emails, DMs) on a spouse’s/significant other’s devices and apps.
  • 16 percent tracked a spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My).
  • 22 percent looked at a spouse’s/significant other’s search history on their phone or computer.
  • 13 percent installed monitoring software/apps on spouse’s/significant other’s devices.
  • 17 percent monitored a spouse’s/significant other’s finances.

Respondents who monitored their partners—both with permission and without—were also asked about their own opinions on why they monitor. Half (50 percent) agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer,” while 42 percent agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.”

Offline monitoring rates for all survey respondents in the latest research from Malwarebytes

Online monitoring rates for all survey respondents in the latest research from Malwarebytes

These numbers change slightly for members of Generation Z, but in short, Gen Z engages in more non-consensual online monitoring than non-Gen Z in nearly every single circumstance.

Of the Gen Z respondents who digitally monitor their spouses or significant others, more do so non-consensually than non-Gen Z, overall (47 percent compared to 40 percent). Those same Gen Z respondents non-consensually track locations more (19 percent compared to 15 percent), non-consensually read messages like emails, texts, and DMs more (25 percent compared to 23 percent), and non-consensually install monitoring applications on devices more (16 percent compared to 12 percent).

Gen Z even engages in more non-consensual physical surveillance than non-Gen Z, with increased rates of non-consensually reading through a spouse’s or significant other’s diary or journal (17 percent compared to 11 percent), non-consensually reading a personal letter addressed to or from that person (21 percent compared to 17 percent), and even non-consensually searching through that person’s room, backpack, car, purse, or other personal belonging (24 percent compared to 22 percent).

Stalkerware-type activity across three years' of Malwarebytes data

Offline monitoring rates for all survey respondents in the latest research from Malwarebytes

But where Gen Z presents the most novel change is in how they monitor one another with permission. While Gen Z engages in more non-consensual monitoring, they also engage in more consensual monitoring, which is only possible because Gen Z monitors significantly more than non-Gen Z overall

Here, the takeaways are up for interpretation. Perhaps Gen Z is, optimistically, having more open conversations about consensual sharing, both in romantic relationships and friendships. This was anecdotally confirmed last year, when the Lock and Code podcast spoke with a Bay Area teenager about how she and her friends obtain consent before sharing photos on social media.

But one activity that Malwarebytes asked about, even if originally performed with consent, could present a threat to privacy long into the future: Installing monitoring apps on another person’s devices.

Depending of the type of app used, these digital tools can provide access to a person’s location, SMS messages, photos, videos, phone calls, and contacts, while also granting remote access to a device’s camera, microphone, and WiFi functionality. What’s more, some can even do this without any notification or warning to the person being monitored. If such an app is installed on a person’s device with their consent, there is little way of them knowing that it is still on their device, even if they eventually withdraw consent. In other words, the spied-upon have few, basic indicators that they are being spied upon.

According to Malwarebytes’ research, 40 percent of Gen Z have installed monitoring software or apps on a spouse’s or significant other’s devices, compared to 29 percent of non-Gen Z.

These numbers are less open to interpretation. They are deeply concerning.

A drop in stalkerware-type activity

In July, Malwarebytes presented at the National Network to End Domestic Violence’s Technology Summit to offer device security training and updated statistics on a problem that has long plagued survivors of domestic abuse: Stalkerware.

Malwarebytes’ fight against stalkerware is long-documented. For years, the company has detected and helped people remove stalkerware-type applications, while also visiting local domestic abuse shelters and national conferences to share vital information on this pernicious digital threat.

Part of this advocacy has included publishing stalkerware-type detection data with the public, including a dramatic spike in stalkerware-type activity that coincided with shelter-in-place orders mandated near the start of the COVID-19 pandemic, and eventual decreases in that same type of activity one year after.

But that earlier data focused on what are called “detections” on Android devices—moments when Malwarebytes scanned and found apps that could monitor or spy on a user without their knowledge. This year, Malwarebytes has changed its approach to publishing stalkerware-type activity, now incorporating the active user base at any given moment, to show not just raw detection counts, but overall prevalence.

The good news? Stalkerware-type activity is down. A lot.

 Across June, July, and August of 2020, on average, 0.7 percent of all Malwarebytes scans conducted on Android devices resulted in Malwarebytes encountering a stalkerware-type app. Starting in March of 2022, that incident rate dropped to below 0.2 percent. It has remained that low up to June 2023, which is the cutoff date for Malwarebytes’ most recent data.

 For that final month of data, the incident rate was just 0.11 percent—tied for the lowest rate recorded across three years.

Stalkerware-type activity across three years' of Malwarebytes data

Stalkerware-type activity across three years’ of Malwarebytes data

Erring towards caution, with good cause

Stalkerware-type activity is down, but in Malwarebytes’ latest survey, a worrying number of individuals admitted to digitally tracking their spouses and significant others, and while fewer admitted to doing this type of tracking without consent, the type of tracking made available by certain monitoring apps could create privacy invasions in the future.

Malwarebytes will always caution against a world that grows comfortable with surveillance, even if the surveillance is initially conducted “with consent.” Consent shifts with time—it can be removed, narrowed, and tailored to specific situations. But the type of access that some monitoring apps provide, particularly those with stalkerware-type capabilities, are entirely incompatible with consent. They are built to collect as much information as possible and to even hide that data collection from view.

Remember that 50 percent of all respondents who admitted to monitoring their spouses or significant others agreed or strongly agreed with the statement: “Monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.” (Emphasis added).

This Domestic Violence Awareness Month, perhaps we remember that adults can determine their own safety—and privacy.

If you are currently facing domestic violence, you can call the National Domestic Violence Hotline at 1-800-799-7233.

If you are currently concerned about stalkerware-type monitoring of your device, or other possible forms of technology-enabled surveillance and abuse, you can visit the National Network to End Domestic Violence’s Safety Net Project here.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.