Seven new stalkerware apps have been spotted for sale on the Android Play Store, despite Google’s policy against the invasive monitoring tools.
By stalkerware, we mean applications scumbags can install on their spouse’s or partner’s device, or dodgy bosses on staffers’ handhelds, to silently track their whereabouts, web browsing, messaging, and other activities. It can also be installed on kids’ gadgets by watchful parents.
The mobile research team at Avast Threatlabs told The Register on Wednesday it believes as many as 130,000 people already downloaded the Android tools, which allow snoops to quietly hoover up contacts, texts, and call histories, and other private details, from devices they are installed on.
As of yesterday morning, four of the surveillanceware applications had been taken down after Avast tipped off Google; the rest have since been pulled. The apps are being pitched under the names “Track Employees Check Work Phone Online Spy Free,” “Spy Kids Tracker,” “Phone Cell Tracker,” “Mobile Tracking,” “Spy Tracker,” “SMS Tracker,” and “Employee Work Spy.”
The Avast team noted the programs are not being pitched outright as stalking tools, but rather as parental control or monitoring kit, perhaps helping them to sneak into the Play Store.
“These apps are highly unethical and problematic for people’s privacy and shouldn’t be on the Google Play Store, as they promote criminal behavior, and can be abused by employers, stalkers or abusive partners to spy on their victims,” said Nikolaos Chrysaidos, Avast head of mobile threat intelligence and security.
“Some of these apps are offered as parental control apps, but their descriptions draw a different picture, telling users the app allows them to ‘keep an eye on cheaters’.”
For those who are able to get their hands on the creepware, the installation is a multi-step process.
Avast says that, first, the stalker must first install the setup app on the target’s phone and configure it with the email address where the harvested data is to be sent. From there, a second payload is installed and hidden, after which the setup app is deleted and the software can run without the target’s knowledge. To do this, the snooper has to get their hands on the phone unnoticed for at least a few minutes. Not difficult for a trusted employer or partner if a handheld is left lying around.
The Threatlabs team believes the apps are all the work of a Russian developer, as the apps dial back to a Russian server with an IP address previously associated with Russian domains.
The Chocolate Factory’s developer policies strictly forbid stalkerware and other covert tracking tools, and once alerted Google is usually quick to remove offending apps.
Security software firms are also increasingly classifying such apps as malicious, thanks in part to a concerted campaign by Eva Galperin, the EFF’s Director of Cybersecurity, and others.