April 9, 2019

Commercial spyware has a new name: stalkerware

By Kristy Edwards

Mobile apps that give another person access to every one of your texts, photos, social media posts and location sound like surveillanceware, don’t they? While there are legitimate uses for some classes of these apps, such as keeping tabs on a child to ensure online safety, they are ripe for abuse. That is why Lookout enterprise and personal products have always detected these threats with staunch warnings and corrective actions, especially when the app attempts to hide its presence, prevent removal, or otherwise fool the user about its functionality. It sounds like an easy problem to solve, but it’s not. Lookout calls these stealthy commercial spyware apps surveillanceware because they can be used to track a victim’s every move.

Before last week, few people were thinking about commercial spyware or stalkerware. Now, thanks to media reports such as WIRED’s, following the Electronic Frontier Foundation’s (EFF) work on the topic, many are aware of it. EFF’s Eva Galperin called out this class of apps and their use in cases of domestic abuse in advance of her talk at Kaspersky’s Security Analyst Summit (SAS), taking place in Singapore this week. The reports shed new light on a difficult problem Lookout has been fighting for years.

Commercial spyware

Stories about surveillance tools like Pegasus and Dark Caracal’s Pallas are memorable because they tell the story of a severe privacy threat with profound impact on victims’ lives. However, when commercial spyware is used to monitor a partner’s or domestic abuse victim’s every communication (sent or received) and location, the impact can be every bit as serious.

At last count, Lookout found over two dozen commercial spyware apps, costing between $16 and $68 per month, with a small number that are free of charge. Commercial spyware apps may have a valid place when an individual or family actively chooses to install anti-theft, monitoring and content filtering apps with informed consent of everybody using the device.

However, some that are marketed as anti-theft solutions have versions that hide their presence on the device. Some have the ability to hide the app’s icon from the home screen, and others market themselves as having a “stealth mode.”

Fighting commercial spyware

Lookout Personal edition, the Mobile Endpoint Security (MES) enterprise solution, and the App Defense SDK are able to classify stalkerware as surveillanceware and alert the user to the risks these apps present.


Lookout detects surveillanceware and shows a short description of the threat on-screen, then guides the user to uninstall it.

Why wouldn’t other mobile threat detection (MTD) vendors warn users when these apps are on their devices? Many vendors lack the nuanced understanding of the mobile threat space that Lookout has built by focusing on mobile threat detection and research for over ten years. Some security vendors are just starting to understand the complexity of the problem and are introducing new features to warn about the threat.

But addressing the problem takes a sophisticated approach to fighting mobile threats. A security solution could cause more harm and distrust than good if it blindly convicts every app with data sharing capabilities as surveillanceware, which is a very serious charge.

Lookout is able to leverage the largest corpus of mobile apps in the industry, along with an advanced security engine that combines machine learning (ML) with industry-leading analysis tools to discover malicious apps and behaviors. The sophisticated approach also relies on a skilled research team that understands the challenges of distinguishing legitimate apps from deceptive ones. Malicious apps are quickly detected, and in the case that a device was jailbroken or rooted by the attacker, which is sometimes required for commercial spyware to be installed or to gain additional privileges, Lookout also guides the user on remediation actions to take.
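The point made above, that an app should not be convicted on data sharing capabilities alone, can be illustrated with a small triage rule. The following is an added example and not Lookout’s engine or any of its code: it combines the deceptive behaviours the post describes (hiding the icon, advertising a “stealth mode”, resisting removal, misleading the user about what the app does) with monitoring capabilities, and only returns a surveillanceware verdict when both are present. The indicator names, the `AppProfile` structure and the sample app records are all constructed for the example.

```python
"""Toy surveillanceware triage (added example, not a vendor's engine).

A verdict of "surveillanceware" requires BOTH a monitoring capability that
sends data off the device AND at least one deception/persistence indicator.
An app that only has monitoring capabilities is reported as a monitoring
app so the user can decide, rather than being convicted outright.
All indicator names below are assumptions made for this example.
"""

from dataclasses import dataclass


@dataclass
class AppProfile:
    package: str
    # Monitoring capabilities: many legitimate apps have some of these.
    reads_sms: bool = False
    reads_location: bool = False
    reads_media: bool = False
    uploads_to_server: bool = False
    # Deception / persistence indicators, the signal that separates
    # stalkerware from an honestly described monitoring or anti-theft app.
    hides_launcher_icon: bool = False
    advertises_stealth_mode: bool = False
    resists_uninstall: bool = False
    description_mismatch: bool = False
    # Context: the installer rooted or jailbroke the device to get here.
    requires_root_or_jailbreak: bool = False


DECEPTION_INDICATORS = (
    "hides_launcher_icon",
    "advertises_stealth_mode",
    "resists_uninstall",
    "description_mismatch",
)
MONITORING_CAPABILITIES = ("reads_sms", "reads_location", "reads_media")


def classify(app: AppProfile) -> dict:
    """Return a verdict with the reasons behind it and remediation steps."""
    monitoring = [c for c in MONITORING_CAPABILITIES if getattr(app, c)]
    deception = [d for d in DECEPTION_INDICATORS if getattr(app, d)]
    # Data leaves the device only if something is collected AND uploaded.
    exfiltrates = bool(monitoring) and app.uploads_to_server

    if exfiltrates and deception:
        verdict = "surveillanceware"
    elif exfiltrates:
        # Capability without deception: disclose, do not convict.
        verdict = "monitoring_app"
    else:
        verdict = "benign"

    remediation = []
    if verdict == "surveillanceware":
        remediation.append("uninstall the app")
        if app.requires_root_or_jailbreak:
            # Placeholder guidance; a real product would give specific steps.
            remediation.append("device was rooted/jailbroken by the installer: review device state")

    return {
        "package": app.package,
        "verdict": verdict,
        "monitoring": monitoring,
        "deception": deception,
        "remediation": remediation,
    }


# Constructed sample profiles (package names are made up for the example).
SAMPLES = [
    AppProfile("com.example.weather", reads_location=True),
    AppProfile("com.example.messenger", reads_sms=True, reads_media=True,
               uploads_to_server=True),
    AppProfile("com.example.familylocator", reads_location=True,
               uploads_to_server=True),
    AppProfile("com.example.stalker", reads_sms=True, reads_location=True,
               reads_media=True, uploads_to_server=True,
               hides_launcher_icon=True, resists_uninstall=True,
               requires_root_or_jailbreak=True),
]


def triage_all(apps=SAMPLES) -> dict:
    """Map each package name to its verdict."""
    return {r["package"]: r["verdict"] for r in map(classify, apps)}


if __name__ == "__main__":
    for result in map(classify, SAMPLES):
        print(result)
```

The messenger and family-locator profiles share the same data-sharing capabilities as the stalkerware profile, yet only the one that hides its icon and resists removal is convicted; that separation is the whole design of the rule.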

A call to action

EFF has called for the industry to take action. Security vendors should follow in the footsteps of Lookout, which has strict criteria defining spyware and surveillanceware and provides intelligible alerts about the apps’ behavior, severity and remediation actions. Users who already know they’ve installed the tool can easily ignore the warning. Users who did not know their device was compromised in this way get a clear picture of the potential threat to their privacy or well-being.

Expect tweets and articles on EFF’s talk at this week’s Security Analyst Summit to keep the focus on the commercial spyware industry and its impact on victims’ lives. The week will also bring to light recent research from Adam Bauer, a Lookout security intelligence researcher, who is also speaking at SAS about another class of surveillanceware based on his recent discoveries.


Author

Kristy Edwards,
Director, Product Management - Security Intelligence