The (Continued) Rise of Stalkerware

If only all surveillance was as easy to spot — Photo by Sharon McCutcheon on Unsplash

Maybe I was naive, though you’d think that working with a domestic violence support organization (tried hard to figure out a better way to say that so it didn’t sound like we supported domestic violence, but failed) that I should know better. Perhaps I just wasn’t prepared for the extent of the problem.

A new NortonLifeLock report was just released and it stated that “one in 10 Americans admits to using [stalkerware] on their partner’s or ex’s devices.” Men are more than twice as likely than women to use the apps (I know, I’m shocked as well *eye roll*). The important word in that sentence was “admits to,” which means there is some percentage who will even lie in an anonymous survey — and if you’re using stalkerware, chances are you aren’t the type to be forthcoming in the first place. The number is without a doubt much higher.

These apps are technically legal…

Stalkerware is an explosive new category of app that runs in the background on phones (primarily Android based phones, though there are techniques that can be used on iPhones to accomplish similar goals) and does things like share your location, browser history, text messages, and phone logs with whomever installed and configured that app WITHOUT the phone owner’s knowledge. These apps are technically legal because they are sold with the angle of being safety apps to allow you to monitor your children’s activities (which still feels gross after a certain age).

The problem is they aren’t just being used for safety — they are being used to spy on, harass, and even punish people that are supposedly people you love. If these apps are being used on partners — whether current or past (somehow even more gross) without their knowledge and permission — they are usually part of a larger campaign of stalking, intimidation, and violence.

Some people may say they just want to know if their partner is being faithful to them — my personal opinion to that is that if you feel that you need to stalk and dive into every bit of their personal thoughts and property, then you are the one who isn’t being faithful to them. If you don’t trust them, you shouldn’t be with them.

How to Check for Stalkerware

It would be kinda rude to write an article like this without telling you the main ways to spot such an app, wouldn’t it?

Keep in mind, chances are there are ways that either I don’t know about or are possibly more advanced. Also note that just because you see an app listed in one of these categories, doesn’t mean it’s stalkerware. You’re looking for stuff you don’t recognize and doesn’t belong.

Android

Photo by Stephen Frank on Unsplash

Location

  1. Open Settings
  2. In the search field, type Location (this is kinda in different spots on each phone)
  3. Click On Location
    This should show you a list of all of the apps that have permission to see your location. If there is something you don’t recognize, either delete the app or at least remove its permissions.

Device Admins

This is a big one in these are apps or services that have authority to control and soak up most everything that happens on the device

  1. Open Settings
  2. In the search field type Device Admin
  3. Click on Device Admin apps
    Review the findings. The only thing that should be there on most people’s devices is Google, or your employer if you have company email and other information on your device

Accounts

  1. Open Settings
  2. In the search field type Accounts
  3. Click on Accounts
    See if there are any Google accounts signed in that you don’t recognize. Also, it’s extremely important that only you know the password to your Google account. Trust me, no one else needs to know it or have access to it. You should be able to click on your Account on this screen and it will lead you to places to change the password. Please do this if you’ve ever shared that password with anyone else, or if you use the same password on multiple accounts.

Install Unknown Apps Option

By default, Google limits the apps that can be installed on your device to those that are from the Google Play Store, but you can bypass this. If its been bypassed on your device and you didn’t enable this, chances are someone else did. To check:

  1. Open Settings
  2. Select Apps & Notifications
  3. Select Advanced
  4. Select Special app access
  5. Select Install unknown apps

Review the sources that are enabled, and disable anything you didn’t enable.

Google Play Protect

Google Play Protect is a real-time rogue app scanner that works before you install any app from the Play Store and after you have installed it. So if its disabled, it can certainly be a tell that something has been done to your device. To check:

  1. Open Settings
  2. Select Google
  3. Select Security
  4. Select Google Play Protect (might be called Verify Apps)
  5. Ensure Scan device for security threats is On.

iPhone/iPad

What, your iPhone doesn’t float? — Photo by Neil Soni on Unsplash

Most things on the iPhone/iPad are more straightforward and easier to spot (at least compared to Android). Applications generally can’t run silently in the background unless the device has been jailbroken (not something that happens much these days — btw, one major way to know if your device is jailbroken is to search for an app called Cydia on your device. If you have it, you’re jailbroken), but it’s still good to review these areas

Location

  1. Open Settings
  2. Scroll down to Privacy
  3. Select Location Services
    Review the apps on which you have chosen to share your location. For the majority of mine I have them all set to “While Using.” For instance, if I need a Sausage McGriddle ASAP, I want the McDonalds app to know where I am while I’m actively using it. I don’t however want them to know that I’m at a Chick-fil-a while I’m not using their app.
    Also, on the Location Services page, go into Share My Location and review the people you’ve chosen to share your location with. Perhaps you used to use Find My Friends back in the day with someone, but you’ve had a falling out. Clean stuff like that up.

Text Message Forwarding
This is designed to allow you to forward SMS (green bubble) texts to your other Apple devices from your phone. Handy if this is what you want, but no good if someone else has set this up and is reading all of your texts from their device. To see if it’s enabled and going to devices you don’t want it to:

  1. Open Settings
  2. Scroll down to Messages
  3. Select Text Message Forwarding

Device Administration
Like on Android, this is primarily used by companies to manage devices that receive company data like email or documents. Generally, it’s fine since chances are you’ve expressly allowed it as Apple does a fairly good job of limiting what they can do. Still good to review

  1. Open Settings
  2. Select General
  3. Select Profiles & Device Management
    Review the Management Profiles on your device. It will say what company its from.

Accounts
It’s extremely important that only your iCloud account is signed into your devices and that you are the only one with the password to that account. If someone else has your login, they can sign into another iPhone/iPad and get and see most of the same stuff you have access to. To check:

  1. Open Settings
  2. Click your Profile at the top of the screen
    Review the devices your account is signed into. They will be listed at the bottom of the screen.

If there are any you don’t recognize, select it, select Remove from Account, and then change your password. It will walk you through it.
If you need to change your password, back on the Apple ID screen, select Password & Security, then Change Password. On this screen you can also turn on Two-Factor Authentication for an additional layer of security.

Okay, this list isn’t exhaustive, but it should enable you to get a good sense of how secure and private your device is. If you see anything that makes you uncomfortable, and don’t feel safe, please reach out to our organization’s help site Go Ask Rose and we can provide additional assistance.

Stay safe out there

--

--

--

Looking to share thoughts and strategies on living a more secure and private life in today’s digital world.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Should I Delete My Facebook Account?

Harvest Finance Hack Turns The Spotlight Back On Cybersecurity, DeFi Auditor Discusses Safety…

Top Security Trends For IoT In 2017

How PCI DSS practises will help you to comply with the the GDPR requirements?

OSCP: My journey from Blue Team to Red Team

Understanding timing attacks with code examples

OWASP API #2: Broken Authentication

You will not need passwords anymore

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nickk Shepard

Nickk Shepard

Looking to share thoughts and strategies on living a more secure and private life in today’s digital world.

More from Medium

Fall in Love with the Sounds of the Deep South

1996–2016: How Self-Aware Horror Stayed Alive and Thrived

Our Histories, Our Future: Unbreakable solidarity vs. police unions

190 not out — how The Journal came to be the daily of the North East