Over 150 Security and Privacy Issues Found on Stalkerware

Who stalks the stalkers? When it comes to Android security, stalkerware presents a double risk. 

It’s common knowledge that mobile stalkerware undermines a target’s privacy. That’s kind of the point. A stalkerware incident often involves someone, such as a spouse, gaining physical access to someone’s smartphone and installing a monitoring app. They then use that software to remotely track what another person is doing on the device or spy on where they’re going.

What’s not so widely known is that stalkerware vendors don’t always code their apps correctly.

For instance, ESET found over 150 errors in 58 stalkerware Android apps. Those issues not only further compromised targets’ Android security and privacy, they also put the snoopers themselves at risk.

Read on to learn which weaknesses appeared most frequently in the apps surveyed.

Android Security Stalkerware Problems at a Glance

Out of the 158 issues ESET found, the most common type was insecure transmission of users’ personally identifiable information. This category accounted for 22 vulnerabilities, ranking higher than storing sensitive information on external media and exposing sensitive user information to unauthorized access, which account for 19 and 17 weaknesses, respectively.

The fourth most prevalent problem, at 17 weaknesses, was server leak of stalker information. ESET found that several stalkerware apps kept information about those using the app to track someone. It also stored a victim’s data on a server — even after the stalker requested that the service delete their information. That data might have included more information about the tracker in the event that they had an existing connection with the target.

Sometimes, victims’ information remained on a stalkerware service’s servers even after the snooper removed their account.

ESET reported the Android security and privacy issues to the stalkerware vendors as part of its 90-day responsible disclosure policy. As of reporting, only six responded by fixing the issues, while seven said that they were working on a fix. One vendor decided not to fix the reported issues; the rest didn’t respond.

The Growth of Stalkerware

ESET’s researchers also found that Android stalkerware detection increased by 48% between 2019 and 2020. This growth has continued into 2021. For example, Avast observed a 93% increase in the volume of spyware and stalkerware app detection over the first two months of the year. That’s compared to the same time period in 2020.

In response, some digital defense groups took action. For instance, the Coalition Against Stalkerware developed a standard definition of stalkerware, which encouraged research into the way it spreads. They also created TinyCheck for the purpose of detecting stalkerware apps, which can pose threats to Android security as well as to other brands of smart phones, in a more efficient manner. 

How to Defend Against Stalkerware

The issues discussed above highlight the need for organizations to defend themselves against stalkerware. One of the ways they can do that is to educate their employees about what to look for. For example, smart phone users should delete unused apps and look for strange changes on their devices. In addition, never leave your devices unattended.

In the event organizations discover stalkerware installed on a connected device, they need to approach removal carefully. The best thing to do is to not notify the victim in a way that could be discovered on the compromised device. Instead, they should speak to the victim in person and proceed from there.