STALKERWARE
Last Updated March 28, 2022
Dealing with the technology side of abusive relationships. Stalkerware refers to an invasive app that a bad guy installs on the device of a victim (usually their partner) to spy on them.
Often these applications are advertised as tools to monitor children.
- In February 2022, Zack Whittaker reported on a family of Android spyware apps that, while they looked different on the outside, were the same internally. The apps are: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. He offered advice on finding and removing them, such as: in the Play Store app, verify that Play Protect is on. In Settings -> Accessibility, look for any Downloaded services with names like "Accessibility" or "Device Health". Also look for any device admin apps. For more, see Your Android phone could have stalkerware, here’s how to remove it.
- How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021). Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. To check from a browser (I suggest, though the article does not, a Chromebook running in Guest Mode), log in to iCloud.com -> Account Settings -> My Devices.
- Stalkerware Apps Are Proliferating. Protect Yourself New York Times (Sept. 2021). Has nine defensive tips from The Coalition Against Stalkerware. FYI: An app icon can be changed to that of something innocent looking such as a calculator or calendar app. Apps to detect stalkerware: MalwareBytes, Certo AntiSpy, NortonLifeLock and Lookout.
- Stalkerware Resources and Help by Jack Rhysider of Darknet Diaries (undated)
- In August 2021, Lodrina Cherne spoke about Stalkerware at the BlackHat conference: A Survivor-Centric, Trauma-Informed Approach to Stalkerware. This link has the slides; she also published a list of Resources.
- How to Shut Stalkers Out of Your Tech by Yael Grauer for Consumer Reports (March 2021). People facing domestic abuse can take these steps to lock down their devices and eliminate stalkerware. The article has many, many suggestions. For finding stalkerware on Android, use an antivirus app from Eset, Kaspersky and/or Trend Micro. On Windows, use BitDefender, Eset, Kaspersky, Norton and/or Malwarebytes. On an iPhone, use the iVerify app from Trail of Bits.
- Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise. An accompanying video is not behind the paywall.
- What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).
- Clinical Computer Security for Victims of Intimate Partner Violence
A white paper and a video to help victims of partner and spousal abuse who are worried their devices are compromised. This is an excellent resource for those who think they're infected with spyware (August 2019).
- Concerned with stalkerware? Android users should install Kaspersky antivirus. From Hacker Eva Galperin Has a Plan to Eradicate Stalkerware Wired (April 2019)
- iOS
- Analyzing iOS Stalkerware Applications by Ivan Rodriguez July 2019. The author appears to be a qualified techie, so a worthwhile read. However, it refers to what is now (Oct 2022) a very old version of iOS with fewer privacy controls.
- Stalkerware might show up as an app you don't recognize
- Stalkerware may show up as a malicious profile. Check: Settings -> General -> Profiles & Device Management. If you do not see the last option, it means there is no mobile device management profile installed on the device, which is a good thing. If you do see it, investigate what the profile is by clicking "More Details." There should be a "Remove Management" option in the settings.
- Enable two factor authentication on your iCloud account
- If you suspect something, log in to icloud.com -> select iCloud Drive -> click on your username -> iCloud Settings -> Sign Out Of All Browsers
- Stay up to date with software updates for both iOS applications and iOS itself
- If you share your iCloud password with another person, change it afterwards
- Advice for Targets of Mobile Spyware by Ivan Rodriguez November 2019. A follow-up to the article above.
"The most powerful and relatively easy way to 'clean' your device is to restore it and set it as a new device. When you want to absolutely remove all traces of information and potential spying software from your device, this is probably your best option."
- From the Coalition Against Stalkerware: Find direct support if you experience or suspect stalking and Stalkerware detection, removal and prevention
- The National Domestic Violence Hotline has trained experts. Call 800-799-7233
Note however that when they say "Computers store information about the websites you visit. ... purchases you make ... messages or emails ... You should always consider that a computer might be monitored ... Safe computers can be found at your local library, Internet cafe, shelter, workplace .." they are leaving out an excellent option, a Chromebook running Guest Mode. It is impossible to install any type of spyware on a Chromebook running in Guest Mode and Guest Mode stores nothing, which makes it a far safer option than the ones they offer. They also say that "Using safe browsing practices (like using a VPN) can help prevent abusive partners from tracking your Internet history." To be clear, the purpose of a VPN is to hide activity from the ISP and from the router you are connected to. VPNs are not designed to hide activity on the computer where they are running.
- The National Network to End Domestic Violence
- The Safety Net Project
- Refuge Tech Safety
- The hardest computer to infect with something malicious is a Chromebook. Guest Mode in a Chromebook guarantees that no extra software is/can be installed. It can be used to access any webmail system, such as secure email from ProtonMail and Tutanota. Do not use the Chromebook with a NextDNS account as NextDNS offers logging. See the section on Chromebooks for setting DNS system-wide.
- Start using ProtonMail for email. Messages between two ProtonMail customers are end-to-end encrypted. It has a free tier.
- There are more secure versions of Android. In the Android topic, see the sub-section on Replacing Android for an overview of LineageOS, GrapheneOS and /e/ OS.
- Listen to The PRIVACY, SECURITY, & OSINT Show, a podcast by Michael Bazzell. He is in the extreme privacy business and has written a book on the subject.
- An app that lets you create a new profile/personality (new email address and new phone number) is MySudo. You can send and receive calls, texts and emails from the MySudo app. It runs on iOS and Android. There is a limited free account. Pricing starts at $1/month.
- Every now and then turn your phone off (really OFF) and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. This applies to routers too.