Why you should care
More and more people are falling victim to apps that allow others to spy on their mobile phones.
Jennifer’s boyfriend said she wasn’t allowed to put a password on her phone. “He said I didn’t need it if I trusted him,” she recalls. But that didn’t just mean he could go through her messages if she left the device lying around. “He could see everything I was doing, no matter where I was. When we broke up, he started stalking me. I felt so violated when I found out.”
Apps such as mSpy, TheTruthSpy and FlexiSPY allow users to monitor someone else’s phone activity, including their call logs, the contents of text and chat messages, GPS data and photos. Often billed as “parental control” or “employee monitoring” tools, many stalkerware apps also advertise themselves as a way to catch cheating partners — and note they can be installed invisibly on a target’s phone. Installation generally requires physical access to the device; users can then hide the app’s icon and view the contents of the phone remotely, by logging into an online dashboard that monitors its activity.
Although these apps are secretive about user numbers and revenues, cyber-security company Kaspersky Labs last year found and removed 58,000 instances of stalkerware after customers used its anti-virus app, which looks for malicious code, to scan their devices. By July 2019 its specific anti-stalkerware product, which was released in April, had detected malicious apps on phones belonging to more than 7,000 customers worldwide.
[These apps represent] the democratization of surveillance unlike anything I can think of in recent history.
Christopher Parsons, Citizen Lab
Stalkerware “can be much more severe than other types of malware … because it is made to be used as a tool for the abuse of another person’s privacy and is often used by domestic abusers,” says Kaspersky Labs security researcher Alexey Firsh. Anti-spyware company Certo also said demand had “certainly increased in recent years.”
In 2014 a survey by National Public Radio of 72 domestic violence shelters in the U.S. discovered that 85 percent had assisted victims whose abusers had tracked them using GPS. The same year, the National Network to End Domestic Violence found that 54 percent of abusers had tracked their victims’ mobile phones using stalkerware. Last year, amid rising concerns, U.S. Sen. Richard Blumenthal sought information from nine app makers that offer tracking software, including mSpy and FlexiSPY, about how they ensured their products were not being used for “illegal purposes,” such as stalking or “illicit surveillance.”
Spyware is prohibited by most major app stores, including Apple and Google. In April, Apple removed several parental control apps on the grounds that they were excessively invasive, and Google removed four stalkerware apps from its store this week after researchers at anti-virus company Avast identified them.
However, apps such as mSpy can be downloaded directly on to Android phones via their internet pages. This can’t be done on iPhones unless they are “jailbroken,” a process that removes certain safety settings installed by Apple. Many spyware apps advertise downloads for jailbroken iPhones. Some apps also offer an iPhone workaround, which requires the user to gain access to the target’s iCloud login details. They can then remotely monitor all the information backed up to the iCloud account, though are unable to eavesdrop on calls or listen in to a phone’s surroundings. This workaround does not require the user to gain physical access to the phone, unless two-factor authentication — which asks iCloud account owners to approve logins on new devices — is in place.
While explaining this restriction, a representative of monitoring app Mobistealth provided a link to a webpage that explained how to disable two-factor authentication. Since Apple is unable to determine whether someone with correct iCloud credentials is the account owner or a malicious actor, there is little they can do.
A spokesperson for mSpy said its technology was not spyware, but “parental control software” developed only for that purpose. Parents can hide the app’s icon to prevent children from uninstalling it, they added. Although its app could be “misused,” mSpy said it could not tell whether this was happening since user data are encrypted.
However, researchers at the University of Toronto in June concluded in a study of stalkerware apps that some products were “openly designed specifically to circumvent the [victim’s] privacy and control.” They also suggested the apps were in breach of the E.U.’s new privacy rules, in the General Data Protection Regulation. Given that victims of stalking and monitoring may not know an app is installed on their phone, they are unable to make choices about the collection and processing of their sensitive information — a key part of GDPR — they said.
FlexiSPY, which was named in the report, advertises services such as “spying” on texts, “even deleted messages,” and says its “undetectable” software can help catch “cheating” spouses. Highster Mobile and Mobistealth also market their products as tools to catch unfaithful partners, while Hoverwatch stresses that its “stealth mode” function is useful when “you have to take the situation into your own hands.” TheTruthSpy even talks about its software as an alternative to “hacking” a “victim’s cell phone.”
This is “disclaiming away their liability,” says Cynthia Khoo, a researcher at Citizen Lab and one of the report’s authors. “We didn’t see evidence of these companies taking any proactive measures to prevent abuse or violence.”
In the event of a data breach, stalkerware apps would be obliged to notify their customers. But these people would not necessarily be the ones whose data were at risk. This is a “serious failing,” says Christopher Parsons, the report’s lead author. Several other monitoring apps, including Family Orbit and Retina-X, have been the targets of “ethical hackers,” who have broken into their systems and obtained sensitive data to demonstrate security weaknesses.
The European Data Protection Board says no cases involving stalkerware have been escalated to its level. The Canadian Privacy Commissioner, which helped to fund the Toronto report, says it is reviewing the findings, with a spokesperson adding that some of the recommendations echoed “concerns and recommendations we’ve been raising for some time.” These apps represent “the democratization of surveillance unlike anything I can think of in recent history,” says Parsons. “It’s incredibly intimate and invasive.”