Stalkerware

While there are legitimate uses for surveillance applications, like parental control software monitoring and protecting children online, this technology becomes concerning where it is stealthily installed on a partner’s phone to spy on him/her without consent and may be unwanted, invasive, motivated based on obsessive feelings, and/or illegal.

Stalkerware is an application that is sometimes used by domestic abusers to invade the digital and physical privacy of their partners. The malware, which is typically packaged in apps created by many different developers, can track unsuspecting victims’ GPS locations, record phone calls, retrieve text messages and emails, reveal locally-stored photos and videos, turn a device on and off, and expose web browsing activity.

Stalkerware is predominantly a threat to mobile devices. The actual apps—which Malwarebytes refers to as “stalkerware-type apps”—are more prevalent on Android devices than on iPhone devices. These types of apps can also hide themselves from view or disguise themselves as banal apps, such as an app for a calculator, a calendar, or system updates.

One of the most reliable ways to determine if you have a stalkerware-type app on your phone is by installing and using a malware scanning tool—such as Malwarebytes—on that phone. Users should be warned up front, though, that stalkerware-type apps can often reveal every action taken on a device, including whether a malware scan is run. If you are in a situation in which such a scan could anger an abusive partner, you should first, from a safe device, contact the National Network to End Domestic Violence (NNEDV). NNEDV is a trusted partner in the Coalition Against Stalkerware, which Malwarebytes helped found, and its advocates have the necessary training and expertise on how to support survivors who may be facing the threats of stalkerware.

Users who cannot install and run a malware scanner on their devices can also look for some physical symptoms on their device. These symptoms do not, in isolation or in full, guarantee the presence of a stalkerware-type app, and users should exercise caution if they recognize any of these symptoms on their own devices.

When a stalkerware-type app is installed on a device, some of these symptoms may be present:

• Battery runs out quicker than normal
• The device feels warm even when not in use and not charging
• Increased data usage/Internet activity
• Clicking, static, echo-y, or distant voices can be heard when on a call
• Longer shutdown time than usual
• Longer response times than usual

Before removing a stalkerware-type app from a device, a user should first consider their own safety. Because stalkerware-type apps can provide a view into all the activity that happens on a device, that means such an app can also view whether or not a malware scan has been run, and whether that malware scan has detected a stalkerware-type app.

Further, in situations involving domestic abuse, the removal of a stalkerware-type app could anger an abuser and further endanger a survivor. If you are in such a situation, you should first contact the National Network to End Domestic Violence (NNEDV) from a safe, non-monitored device. NNEDV’s advocates deeply understand stalkerware threats and can guide you through safety planning for your specific situation. Those safety plans can involve obtaining an entirely new device, involving the police—if you choose—or moving to a safer physical location.

For users who know that they can safely scan and remove a stalkerware-type app from their device, the best option is to install and run a malware scanner—such as Malwarebytes—on the device in question. Malwarebytes detects and informs you about whether or not you have a stalkerware-type app on your device. As Malwarebytes believes in user choice, it is up to you if you want to remove such an app from your device.

Depending on how a stalkerware-type app is used, the actions of its owner can be illegal.

For example, a domestic abuser in California who uses stalkerware to record their partner’s phone calls without their knowledge could be violating California Penal Code 632(a), which prohibits recording a phone conversation without all parties consenting, along with the federal Wiretap Act. A domestic abuser in New York who uses stalkerware to track a survivor’s movements through GPS tracking could be in violation of New York state’s “Jackie’s Law.” And a domestic abuser who “roots” someone’s mobile phone to install stalkerware onto the device could be in violation of the federal Computer Fraud and Abuse Act.

In recent years, the US Federal Trade Commission has also zeroed in on stalkerware-type app developers, bringing enforcement actions that restricted those app developers’ business models. In the most recent instance, the US Federal Trade Commission banned an app developer from “offering, promoting, selling, or advertising any surveillance app, service, or business,” and it said the app in question provided a means for users to conduct “illegal secret surveillance.”

Yes, Malwarebytes detects many stalkerware-type applications, and we are constantly growing our database of known threats. On Malwarebytes for Android, our detection scanner will show users whether or not any known stalkerware-type apps have been found on the device, and the apps will be labeled as either “Android/Spyware.” or “Android/Monitor.” with a detection name presented after the period. As hypothetical examples for this format, a user could see something similar to: “Android/Spyware.SpyIncApp” or “Android/Monitor.InvaderTracker”

Because of Apple’s rules for its App Store, Malwarebytes for iOS is not allowed to provide full scans of users’ iOS devices. Though Malwarebytes iOS also works with iPads, the experience has been designed and optimized primarily for iPhones.