Incognito – November 2021: Stalkerware Apps

Welcome to the November 2021 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month:

• Stalkerware apps. Is it a calendar app or something much more sinister? With the proliferation of stalkerware apps, telling the difference isn’t always easy.
• Recommended reads, including “Firefox Now Shows Ads In Search Bar.”
• Q&A: Can I use Oculus products safely without signing up to Facebook?

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.

Inconspicuous and poorly understood, stalkerware apps that track and monitor your activities without your knowledge are a growing problem.

What Are Stalkerware Apps?

Stalkerware is pretty much what it sounds like: commercially available software that’s designed to surveil everything that’s happening on a victim’s phone without their consent or knowledge.
When we say “everything,” we’re not joking. Common stalkerware app features include:

• Minute-by-minute location history tracking.
• Call logs and recordings of these calls.
• Text message and social media monitoring.
• Web search data.
• Photo extraction.
• Keylogging and live screen viewing.

However, although some apps can surveil all of the above, most (82%) monitor just one type of device sensor or communication channel. Location, hidden automatic call recordings, and contact lists tend to be the most popular targets for stalkerware apps.

Who Is Using Stalkerware?

Probably someone closer to you than you think. While stalkerware apps are frequently advertised as parental control software or employee monitoring solutions, they’re most often used to spy on former or current partners, hence why they’re also known as “spouseware.”

Some stalkerware apps even boast that they can help users “catch a cheating spouse” or “dispel any doubts in a relationship,” and run blog posts on their sites titled “How to Read Deleted Texts on Your Lover’s Phone.”

Readily available on Google Play Store and Apple App Store, plus countless sites online, you don’t have to be a tech genius to download a stalkerware app onto an unsuspecting person’s phone. Worryingly, if a partner, family member, or anyone else has access to your phone, then they can install stalkerware onto it. And while iPhones and iPads are typically safer from stalkerware because they don’t allow sideloading apps (i.e., downloading apps off the web rather than an official app store), if someone is willing to infect your phone with stalkerware, they’re probably not beyond jailbreaking it, either. In some instances, a victim may receive an iPhone preloaded with stalkerware as a gift.

Scarily, a stalkerware abuser only ever has to access their victim’s phone once — the information collected can be sent directly to their email or a companion app or viewed through a specific URL.

Stalkerware Is Booming

Stalkerware apps have skyrocketed in popularity among suspicious partners during the COVID-19 pandemic.

According to one study, the number of devices that have had stalkerware installed on them increased by 63% between September 2020 and May 2021. And almost 1 in 10 adults in a romantic relationship admit to using stalkerware to monitor their partner’s device activity.

Worryingly, the vast majority (86%) of adults have no idea what stalkerware is, which means they also don’t know how to protect themselves against this rising threat.

What Is Being Done About Stalkerware? 

1. In 2019, ten organizations, including the Electronic Frontier Foundation, The National Network to End Domestic Violence, and several security manufacturers like Kaspersky and Malwarebytes, founded the Coalition Against Stalkerware. Their goal: to encourage research into stalkerware and provide resources to individuals affected by it.

2. In September of this year, the Federal Trade Commission banned Support King, the maker of stalkerware SpyFone and its CEO, from the surveillance businesses. The stalkerware app not only harvested victims’ data but also accidentally exposed it to the internet as a result of an unsecured Amazon cloud storage server, leaving consumers open to cyber attacks. The company was ordered to delete all the data it illegally harvested and notify hacked individuals.

3. In October, Google banned several ads for stalkerware. Although Google does not tolerate apps that promote partner surveillance on its Play Store, most stalkerware ads still get around Google’s policy by marketing themselves as monitoring tools for parents, employers, and private investigators. As a result, some experts have noted that Google’s policy isn’t foolproof because it allows stalkerware developers to change “the face of what they’re selling” but not the “core technology within.”

Stalkerware Privacy Implications

Other than violating someone’s privacy and potentially putting them in grave danger from abusive partners, stalkerware apps can also expose victims to cyber threats. As demonstrated by numerous stalkerware data breaches, companies that make stalkerware apps don’t necessarily have the best security, even though they are in the business of storing people’s secrets.

There’s always the danger that some of these companies may share or sell victims’ data with other third parties, as well.

Stalkerware, Be Gone

Worried you have stalkerware on your phone? Here’s what you can do to find it and remove it from your device.
Keep an eye out for unusual behavior. If your phone battery suddenly starts draining faster than usual, the keyboard keys lag as you’re typing, or your device is constantly overheating, that could be a sign that it has been infected with stalkerware. On the other hand, if you’re an Android user, there are third-party tools that can tell you if there is stalkerware on your phone. While most security apps charge a small fee, you can usually try one free of charge for a trial period.

Remove stalkerware. There are three things you can do here: 1) Delete any apps you don’t recognize, like “Battery Saver” or “System Services;” 2) Perform a factory reset (just remember to back up any important files first); 3) Buy a new phone. However, if you want to report the abuser to the authorities, you may want to keep the app as evidence. Similarly, if you think you’re in danger from the person who installed stalkerware on your phone, you should hold off from removing the app until you’re in a safe place. Otherwise, you may tip them off. The Coalition Against Stalkerware has a list of resources for those who suspect of being stalked.

Lock your phone. To install stalkerware on your device, an abuser typically needs access to your phone. Keep your phone password-protected, and don’t share your password with anyone.

Realize that stalkerware is just one way to track you. There are plenty of other ways someone may keep tabs on you, starting with your iCloud account and ending with Google Play. For most people, it’s also easier to hack into your email or social media accounts than install stalkerware on your device. For this reason, it’s vital that all your account passwords are complex and that you use 2FA where possible. It’s also a good idea to periodically check for unauthorized access to your accounts.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Twitch Data Leaked In a Massive Data Breach

Popular streaming service Twitch was hacked after a server configuration error accidentally exposed its data to the internet. Fortunately, user login credentials and credit card numbers don’t appear to have been affected. However, source code for the video platform itself, internal security tools, and its creators’ earnings have already been leaked on the imageboard 4chan by an individual who thinks Twitch is “a disgusting toxic cesspool.”

Security Flaw in Apple Pay Lets Criminals Make Fraudulent Payments

Researchers say that a vulnerability in Apple Pay and Visa could allow hackers to make unauthorized contactless Visa payments worth up to thousands of dollars from locked iPhones. The vulnerability exists when Visa cards are set up in “Visa Transit” mode, which allows commuters to pay for their fares without unlocking their phone. However, the attack was demonstrated in a lab and, according to Visa, would be impractical in the real world.

Firefox Now Shows Ads In Search Bar

Mozilla recently introduced a new feature, called “Firefox Suggest,” which surfaces “relevant information” as you start typing your search term into the browser’s address bar. Crucially, the suggestions users receive may also include ads from Mozilla’s “trusted partners.” While no new data is collected or shared (the ads are based on users’ open tabs, bookmarks, and history), the new feature is understandably controversial. Luckily, it can be disabled.

California’s Genetic Information Privacy Act Signed Into Law

Last month, California Governor Gavin Newsom signed the SB 41 bill. The bill establishes the Genetic Information Privacy Act, which calls for companies that offer direct-to-consumer genetic tests to get consumer consent before collecting, using, maintaining, and disclosing their data. GIPA also allows consumers to access and destroy their genetic data. Another bill, AB 825, was signed into law, as well, and protects against breaches of genetic data.

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: I’ve heard that you’re not supposed to say anything at all when you get a robocall. Is that true and why?

A: Great question, and yes — that’s true. Generally, it’s best to hang up as soon as you realize that you’re on a robocall, preferably without saying a word.

The reason for that is that scammers will often ask questions like, “can you hear me?” or “are you a homeowner?” and then record your response (i.e., “yes”), which they can then use to sign you up for unwanted (and very expensive) services. With voice-mimicking software on the rise, your answers could also be used to carry out fraud, for example, tricking a member of your family into wiring “you” money.

If you’re not sure if you’re speaking to a real person from a legitimate institution, avoid giving one-word answers and don’t divulge any personal information.

Q: Is browser-based Zoom more secure? 

A: According to the cybersecurity provider Kaspersky, yes. The web browser version of Zoom “sits in a sandbox” and doesn’t have the same permissions as Zoom desktop software, which makes it more secure.

To use Zoom from your browser, look for the “join from your browser” link. However, if Zoom automatically installs the client without giving you this option (as it sometimes annoyingly does), Kaspersky recommends limiting your Zoom use to just one device, ideally one you don’t use daily.

Q: Can I use Oculus safely without Facebook?

A: Yes, you can use Oculus without handing over all your data to Facebook — if you’re willing to pay the price.

In addition to Oculus Quest for consumers, Facebook also offers Oculus Quest for businesses. The hardware between the two is identical, but the business version doesn’t require a Facebook account. However, at $799, it’s much more expensive (the standard Oculus costs between $299 and $399, depending on how much storage you need). And that’s not even including the $180 annual fee that comes into effect a year after purchasing it.
Still, if you really want an Oculus, the price may be worth it, especially considering how much information Facebook collects about you when you use the VR headset.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @Abine and @DeleteMe).

Share with friends! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Have you heard of stalkerware before today? Also, are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.