Malwarebytes Labs - Tuesday, October 1, 2019 at 11:00 AM
For Cybersecurity and Domestic Violence Awareness months, we pledge to fight
stalkerware
Starting today, two hallmark holidays are upon us. No, it’s not Halloween and
Thanksgiving. It’s both Cybersecurity Awareness
Month<https://staysafeonline.org/ncsam/about-ncsam/> and Domestic Violence
Awareness
Month<https://www.breakthecycle.org/blog/it%E2%80%99s-national-domestic-violence-awareness-month>.
It’s no coincidence these two awareness campaigns overlap. What were once seen
as separate realities—the physical and the digital—are increasingly blurred as
our offices, schools, and hospitals move from paper to screen. Our homes are
operationally Internet-connected, and our personal and professional
relationships are colored by the way we interact online.
Through the ubiquity of mobile devices and social media, an argument can be
made that we’re already living in an augmented reality. And there is no better
evidence than the real-life fallout experienced by victims of technological
abuse—cyberattacks lead to identity theft and empty bank accounts, frozen
assets for businesses, or worse, whole cities shutting
down<https://blog.malwarebytes.com/ransomware/2019/08/ransomware-continues-assault-against-cities-and-businesses/>.
But no line is as blurry as the one toed by domestic violence abusers, who use
software called
stalkerware<https://blog.malwarebytes.com/glossary/stalkerware/> to leverage
their partner’s digital footprint for physical control. And it’s stalkerware
that we’re here to talk about—and hopefully eradicate—as we kick off a month of
continued awareness and action.
In honor of Cybersecurity and Domestic Violence Awareness months, then, we
renew our pledge to fight stalkerware. And we encourage other vendors to step
up their efforts so we can work together to stomp out this scourge on the
Internet once and for all.
What is stalkerware?
Stalkerware is software that was created to monitor a person’s activities on
their computer or, more commonly, their mobile device—without that person’s
knowledge. Though often advertised as a tool for
parents<https://blog.malwarebytes.com/stalkerware/2019/07/parental-monitoring-apps-how-do-they-differ-from-stalkerware/>
to track their children’s activities, these apps are more commonly used for
nefarious purposes.
Stalkerware applications can track unsuspecting victims’ locations, record
calls, view text messages, pry into locally-stored photos, and rifle through
web-browsing activity, all while hidden from view. To highlight, here is a list
of information that stalkerware can gather—all of which can be sent to a remote
user—as well as activities an abuser can conduct on a user’s device without
their knowing or consent:
* Exact geographic location via GPS
* IP address of device
* SMS message history
* Call history, including call length
* Browser history
* Contacts, including phone numbers and email addresses
* Email account credentials
* Email content from all accounts accessed from device
* Photos, videos, and audio recorded and stored on the device or connected
cloud account
* Can take pictures with front/rear camera
* Can record audio via device mic
* Can remotely turn on and off device
Malwarebytes detects stalkerware applications through the longtime mobile
threat category “monitor,” which is a subset of potentially unwanted programs
(PUPs). Because some of these stalkerware applications can be used
“legitimately,” they are currently flagged as programs users might not want on
their phones. However, once presented with what stalkerware can do (or once
gaining knowledge of a program that’s been installed on their device without
consent), many users will likely want to delete these apps.
These applications represent real-life threats to domestic abuse victims, who
can readily be tracked down (along with their children), even when hidden in
shelters.
How to fight stalkerware
Historically, the cybersecurity industry has turned a blind eye to stalkerware.
Because many of these applications are available on legitimate platforms
(including iTunes and the Google Play Store) and marketed as harmless
child-monitoring software, an argument could be made for their valid existence.
But reaching back more than five
years<https://blog.malwarebytes.com/android/2019/06/mobile-stalkerware-a-long-history-of-detection/>,
Malwarebytes has drawn a hard line in the sand about its tolerance for
stalkerware. We simply won’t stand for it. We blocked it years ago, doubled our
intelligence and detection capabilities back in June, and continue to press for
awareness and action from advocacy groups, shelters, law enforcement, and other
vendors.
So what can other vendors and individuals do to step up their efforts to fight
stalkerware? For starters, many other antivirus companies don’t detect
monitoring or stalkerware applications at all. Coming up with rules for
stalkerware detection and adding them to their product databases can help users
on any security platform better protect against these threats.
Second, spreading awareness about these types of apps and how to protect
against them is key. Users should Google and Google some more to learn all they
can on stalkerware. We’ve linked many of our own articles in this blog, for
starters.
Advocates should listen closely to their victims who are being tracked through
their phones—does it sound like they have a stalkerware problem? If so,
download security apps<http://www.malwarebytes.com/android> that can scan for
and remove these threats and other forms of surveillance, including spyware.
For other ideas on what cybersecurity companies could do to fight stalkerware,
take a look at what we’ve done so far in 2019:
* Analyzed more than 2,500 samples of programs that had been flagged in
research algorithms as potential monitoring/tracking apps, spyware, or
stalkerware
* Grown our database of known stalkerware to include over 100 applications
that no other vendor detects and more than 10 that are, as of press time, still
on Google Play
* Developed a set of awareness blogs for domestic abuse survivors and
advocates on what to do if they have
stalkerware<https://blog.malwarebytes.com/stalkerware/2019/07/helping-survivors-of-domestic-abuse-what-to-do-when-you-find-stalkerware/>
on their phones and how to protect their
data<https://blog.malwarebytes.com/privacy-2/2019/08/data-and-device-security-domestic-abuse-survivors/>
* Spoken with local nonprofit and advocacy groups about stalkerware and how
to protect against it, as well as shared intel with local law enforcement and
attorneys general
* Presented at the National Network to End Domestic Violence’s annual Tech
Summit, with information on protecting both domestic violence survivors and the
advocates who are with them in the field
* Released Malwarebytes Browser
Guard<https://blog.malwarebytes.com/malwarebytes-news/2019/09/browser-guard-combats-privacy-abuse-tracking-clickbait-and-scammers/>,
which protects against tracking applications and extensions used on browsers
* Partnered with other vendors and domestic violence awareness advocates on
creating avenues for intel-sharing, definition of the threat, and underscoring
that this issue is deeper than owning proprietary signatures and detections
More to come
While we’ve committed to kicking stalkerware’s ass over the last five-plus
years, our work is far from over. Over the next month, we plan to follow up
with articles on how individuals and organizations can do their part to better
understand this threat and the way it can be used to endanger people’s safety.
We’ll also continue with local and national outreach efforts, hoping to both
equip advocates with technological understanding and learn from victims
themselves what else can be done to support their needs.
At the center of themes regarded as important and relevant today—privacy,
technological autonomy, and civic responsibility—sits stalkerware and the
cybersecurity community’s response to it. We must band together to squash this
threat instead of fluffing it off in favor of “sexier” and scarier-sounding
malware. We must pay more than lip service to defending users from physical
harm, instead offering solace and protection for those in need. And we must use
the full capabilities of our technology to keep users safe from stalkerware,
even if it doesn’t directly impact us.
We know what we’ll be doing at Malwarebytes to fight stalkerware. We hope
you’ll join us in the fight.
https://blog.malwarebytes.com/stalkerware/2019/10/cybersecurity-domestic-violence-awareness-month-fight-stalkerware/
David Goldfield
Assistive Technology Specialist
Feel free to visit my Web site
WWW.DavidGoldfield.info<http://WWW.DavidGoldfield.info>