



Android stalkerware detections have skyrocketed by 48% over the past year, and not only do these apps compromise user privacy, their vendors also appear uninterested in fixing the vulnerabilities found in their own creations.

This week, ESET researcher Lukas Stefanko released telemetry data focused on Android stalkerware detections. Use of these apps began to climb in 2019, when detections rose five-fold compared to 2018, and the trend continued through 2020, underlining their enduring popularity.

ESET's findings are consistent with earlier research from Kaspersky Lab, which reported that stalkerware infections rose by 40% in 2019.

Stalkerware is a term coined for a particularly invasive type of spyware that is usually paid for and operated by someone close to the victim, rather than by an unknown threat actor.

This type of software is covertly installed on a PC or mobile device and collects data such as GPS location (where available), call logs, contact lists, SMS messages, social media activity, app usage, and browser history in order to track everything the compromised user does.

The data collected by these apps is sent to the operator.

With mobile stalkerware, the operators tend to be close family members, spouses, or parents, because installing the app usually requires physical access to the device in order to sideload it. Businesses have also used such software to monitor employees.

Many of these apps are sold as a way to monitor children for their safety, but because of how invasive they are, using them even on children is generally considered unethical. And just because a product is marketed as a safety net for minors does not mean it cannot be used to track a spouse, for example. In either case the right to privacy is violated, whatever the age of the person being stalked.

According to Stefanko, a recent analysis of stalkerware available for Google's Android platform found that many vendors promote their products as a way to "protect" not only children but also employees and women.

The vendors, who build these apps for financial gain, also appear oblivious to the inherent (and extensive) security vulnerabilities in their products, which put the "users" and the paying customers alike at risk in other ways.

"If nothing else, stalkerware apps clearly encourage ethically questionable behaviour, leading most mobile security solutions to flag them as unwanted or harmful," the researchers said. "But we were interested in how well these apps protect that amount of particularly sensitive data, given that they access, collect, store, and send more information than any other app installed by the victim."

In short, they do not.

An analysis of 86 Android stalkerware apps from 58 vendors uncovered a total of 158 security and privacy issues (PDF). These include insecure transmission of sensitive data, command injection flaws, data leaks, information left on the server after an account was deleted, and exposure of both source code and administrator credentials.

In many cases, not only was the victim's data mishandled, but the bugs also undermined the security of the vendor itself and of the stalker who bought the app.

The vulnerabilities were reported to the affected vendors. Only 6 fixed their software, 7 promised patches that have yet to be released, and 44 did not respond to ESET's disclosure at all.

"This research should serve as a warning to potential future clients of stalkerware to reconsider using the software against their spouses and loved ones, because not only is it unethical, it also risks revealing their spouse's personal and intimate information and leaves them open to cyberattacks and fraud."

