Stalkerware poses particular challenges to anti-virus products

Posted by Martijn Grooten on Oct 31, 2019

Did you know that October has been Cyber Security Awareness Month? Of course you did – it has been pretty hard to avoid it. But did you know that it has also, at least in the United States, been Domestic Violence Awareness Month?

These two are more closely linked than they may at first seem: a lot of today's domestic violence has a digital component, with the abuser tracking the victim-survivor through digital means. The most obvious, though far from the only, method is stalkerware: consumer spyware installed on a device, often through physical access to the device.

Stalkerware has received a lot of attention in recent years. This month, the FTC banned one vendor from selling such software after the company in question had repeatedly been breached. Motherboard has published an excellent series on stalkerware and other kinds of surveillance used by and against ordinary people. At VB2017 in Madrid, Motherboard's Joseph Cox (then at the Daily Beast) gave a presentation on stalkerware.

Earlier this year, the EFF's Eva Galperin started working on getting anti-virus products to both improve their detection of stalkerware and display a specific message when such software has been found on a device.

This matters: while from a technical point of view stalkerware isn't particularly interesting and rarely has properties that excite malware researchers, the threat model is very different. Removing the app from a device, which would be the natural thing for an AV product to do, would also tell the abuser that their spying has been noticed, which could lead to further abuse.

The standard advice from AV vendors – to run a scan to find evidence of stalkerware – is also one that may not apply here, at least not as a solution to the problem: if the product misses a new variant, the message that a device is clean could provide a dangerously false sense of security. Moreover, even if indeed no stalkerware is present, there are other ways in which the user could be tracked: the distinction between these and stalkerware may not be clear to most people.

[Image: FlexiSpy website] FlexiSpy is one of the better known kinds of stalkerware. As is typical for this kind of malware, it claims to be made to monitor children and employees.

That doesn't mean that anti-virus doesn't have an important role to play: it is in the unique position of being able to inform the user with a clear message when stalkerware has been found on a device. Vendors can also ensure that new stalkerware samples are shared quickly and broadly with other vendors to improve detection, and they can support frontline defenders such as women's shelters in dealing with potentially infected phones.

This conversation should go both ways though: while AV vendors naturally understand malware well, they often don't understand the particular threat model linked to domestic abuse. They have as much, if not more, to learn about stalkerware by talking to victim-survivors and the organisations that support them. At the same time, these organisations can often be helped in very simple ways.

Though stalkerware is a very serious topic, it is also an intriguing one that forces malware researchers to step out of their comfort zones and tackle an issue where the problem isn't particularly technical in nature. Learning about different threat models benefits security far beyond this particular threat.

Note: domestic abuse/violence is often referred to in literature as 'intimate partner violence'; I used the term more in line with the annual designation. Following the example of others, I have chosen the term victim-survivor to include the more empowering 'survivor' while also reflecting the sad reality that not all victims become survivors.
