Stalkerware shows up security and privacy issues
ESET researchers have manually analysed 86 stalkerware apps for the Android platform. That is 86 different vendors with apps in Android's app store.
This study was revealed when ESET researcher Lukas Stefanko presented his findings over a month ago. Titled “Security: The Hidden cost of Android Stalkerware”, his presentation highlighted that the many serious security and privacy issues in these apps could result in a third-party attacker taking over a victim’s device, as well as the device of the victim’s stalker.
Easy access to stalkerware
Vendors promote their apps as providing protection to children, employees, or women, to avoid being flagged.
They are also pretty easy to find online. ESET discovered a total of 158 vulnerabilities in 58 of the Android applications they analysed.
Lukas explained, “What is stalkerware? Simply put it is spyware.”
He said that a stalker would need to have physical access to the phone to install the application, set it up and enable all the necessary permissions.
According to him, based on the permissions that an app requests, one can tell what the capabilities of the app are. Such apps are also often “… hidden from the victim’s view” and they might even “… impersonate legitimate apps.”
Stalkerware: Legitimate or not?
Stalkerware apps were installed as many as 140,000 times from the Google Play Store alone, according to Lukas. “These apps have become more and more popular in the last few years. In 2019, there were five times more stalkerware detections than the previous year.
To some extent, manually or automatically using verified trustworthy security software can help to detect, inform and remove malicious code.
“Stalkerware gathers more private data about the victims than any other,” Lukas observed.
And since sensitive victim information is accessible by such software, the information is vulnerable to compromise, i.e. being intercepted by a third-party attacker.
He shared the results of a simple comparison study between a popular social media app and a stalkerware app. “It is important that social media app requests these permissions when necessary, asks a user for their permission once, or during their use of the app.
“On the contrary, for a stalkerware app to work properly all the permissions are ticked. As a result, the stalker has full (remote) access (to the smartphone) all the time.”
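The two points above, that an app's requested permissions reveal its capabilities and that a stalkerware app needs every permission granted and often has no visible launcher entry, can be turned into a simple triage check. The following is an added example written for this article, not ESET's tooling or anything from the presentation: it parses an AndroidManifest.xml, maps declared permissions to capabilities, and flags combinations a reviewer would want to look at (the permission-to-capability mapping, the flag thresholds, and the two sample manifests are all constructed for the example).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed mapping from real Android permission names to the capability each
# one grants; the grouping is this example's, not a published taxonomy.
CAPABILITY_BY_PERMISSION = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}

# Capabilities that together read as device monitoring rather than a feature.
SURVEILLANCE = {"sms", "microphone", "location", "call_log", "contacts"}


def declared_permissions(root):
    """Collect <uses-permission> names plus the android:permission attribute
    of services/receivers (device-admin and accessibility are declared there)."""
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            if el.get(A_PERMISSION):
                perms.add(el.get(A_PERMISSION))
    return {p for p in perms if p}


def has_launcher_entry(root):
    """True if any activity registers a LAUNCHER category, i.e. shows an icon."""
    for activity in root.iter("activity"):
        for cat in activity.iter("category"):
            if cat.get(A_NAME) == "android.intent.category.LAUNCHER":
                return True
    return False


def analyse_manifest(xml_text):
    """Return the capabilities implied by the manifest and a list of review flags."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    caps = {CAPABILITY_BY_PERMISSION[p] for p in perms if p in CAPABILITY_BY_PERMISSION}
    flags = []
    if not has_launcher_entry(root):
        flags.append("no_launcher_entry")      # hidden from the user's app list
    if {"sms", "calls"} <= caps:
        flags.append("sms_and_calls")          # can act on an incoming SMS by calling out
    if len(caps & SURVEILLANCE) >= 3:
        flags.append("surveillance_bundle")    # several monitoring sources at once
    if {"device_admin", "accessibility"} & caps:
        flags.append("persistence_api")        # APIs that resist removal or automate UI
    return {"capabilities": sorted(caps), "flags": flags}


# Constructed sample: a monitoring-style manifest with no launcher activity.
STALKER_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.monitor">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".Watcher" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>
"""

# Constructed sample: a social-app-style manifest with a visible launcher entry.
SOCIAL_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("monitor", STALKER_LIKE_MANIFEST), ("social", SOCIAL_LIKE_MANIFEST)):
        print(label, analyse_manifest(manifest))
```

The manifest only shows what an app declares, not what the user has granted at runtime, so a flagged app still needs the on-device check the talk describes: whether every one of those permissions has actually been ticked. The social-style sample declares contacts access and nothing else suspicious, so it produces no flags; the monitoring-style sample produces all four.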
Potential risk scenarios from stalkerware
Notably, Lukas also demonstrated how an attacker can take advantage of the full access. “An attacker is a person who misuses security issues found in stalkerware, victim device and stalker’s device. The victim and stalker are not aware of the attacker or the actions that the attacker initiates on their devices.
“The attacker could send a simple text message to a victim, and the stalkerware will process it and automatically trigger a phone call back to the attacker who sent the text message,” Lukas described.
He added that this also opened up microphone spying opportunities for the attacker.
In essence, the potential threats of stalkerware include an attacker:
- taking control of a victim’s device,
- taking over a stalker’s account,
- intercepting a victim’s data,
- framing a victim by uploading fabricated evidence, or
- achieving remote code execution on a victim’s smartphone.
These actions could potentially result in the following:
- insecure transmission of users’ personally identifiable information;
- storage of sensitive information on external media;
- exposure of sensitive user information to unauthorised users;
- server leak of stalkerware client information; and
- unauthorised data transmission from device to server.
Method of research
ESET focused on analysing stalkerware for the Android platform due to its dominant market share.
Lukas added another reason being that only 37 of the 86 app vendors have an Apple iOS version of their app. “So, that was our plan. We went through 86 applications provided by 86 different vendors and 86 different websites.
“We went through manual static and dynamic analysis to observe each behaviour and capabilities without full penetration testing. Lukas disclosed that they did not pay for any of the software, and hence the researchers had limited functionality and limited access.
“We also focused upon privacy and security issues that actually impact clients.”
Lukas also shared that they had repeatedly reported the discovered issues to the affected vendors, in accordance with ESET’s 90-day coordinated vulnerability disclosure policy.
“Unfortunately, to this day, only six vendors have fixed the issues we reported in their apps,” he concluded.