Posted by Martijn Grooten on Oct 31, 2019
Did you know that October has been Cyber Security Awareness Month? Of course you did ─ it has been pretty hard to avoid it. But did you know that it has also, at least in the United States, been Domestic Violence Awareness Month?
These two are more closely linked than they may at first seem: a lot of today's domestic violence has a digital component, with the abuser tracking the victim-survivor through digital means. The most obvious, though far from only method is stalkerware: consumer spyware installed on a device, often through physical access to the device.
Stalkerware has received a lot of attention in recent years. This month, the FTC banned one vendor from selling such software after the company in question had repeatedly been breached. Motherboard has published an excellent series on stalkerware and other kinds of surveillance used by and against ordinary people. At VB2017 in Madrid, Motherboard's Joseph Cox (then at the Daily Beast) gave a presentation on stalkerware.
Earlier this year, the EFF's Eva Galperin started working on getting anti-virus products to both improve their detection of stalkerware and display a specific message when such software has been found on a device.
This matters: while from a technical point of view stalkerware isn't particularly interesting and rarely has properties that excite malware researchers, the threat model is very different. Removing the app from a device, which would be the natural thing for an AV product to do, would also inform the abuser of their spying having been noticed, which could lead to further abuse.
The standard advice from AV vendors – to run a scan to find evidence of stalkerware – is also one that may not apply here, at least not as a solution to the problem: if the product misses a new variant, the message that a device is clean could provide a dangerously false sense of security. Moreover, even if indeed no stalkerware is present, there are other ways in which the user could be tracked: the distinction between these and stalkerware may not be clear to most people.
FlexiSpy is one of the better known kinds of stalkerware. As is typical for this kind of malware, it claims to be made to monitor children and employees.
That doesn't mean that anti-virus doesn't have an important role to play: it is in the unique position of being able to inform the user with a clear message when stalkerware has been found on a device. Vendors can also ensure that new stalkerware samples are shared quickly and broadly with other vendors to improve detection, while they can support frontline defenders such as women's shelters in dealing with potentially infected phones.
This conversation should go both ways though: while AV vendors naturally understand malware well, they often don't understand the particular threat model linked to domestic abuse. They have as much, if not more, to learn about stalkerware by talking to victim-survivors and the organisations that support them. At the same time, these organisations can often be helped in very simple ways.
Though stalkerware is a very serious topic, it is also an intriguing one that forces malware researchers to step out of their comfort zones and tackle an issue where the problem isn't particularly technical in nature. Learning about different threat models benefits security far beyond this particular threat.
Note: domestic abuse/violence is often referred to in literature as 'intimate partner violence'; I used the term more in line with the annual designation. Following the example of others, I have chosen the term victim-survivor to include the more empowering 'survivor' while also reflecting the sad reality that not all victims become survivors.
