Stalkerware applications, which domestic abusers rely on to monitor their romantic partners’ devices without their consent, often fail to secure the personal information collected during their use, according to ESET research published Monday.
Stalkerware, which is frequently advertised as benign parental controls or employee monitoring software, can surveil targets’ geolocation, texts, phone calls, cameras and more, all without obtaining targets’ consent. ESET examined 86 stalkerware applications, only to identify 158 serious security and privacy issues, according to findings presented at the virtual RSA Conference this week.
The most common security issue affecting the applications was the insecure transmission of stalkers’ and targets’ personally identifiable information from devices to app servers. This vulnerability could allow outsiders to intercept text messages, call logs, contact lists, keystrokes, browsing histories, recorded phone calls, pictures and screenshots, according to ESET.
Other issues included applications storing sensitive information on external media, and exposing data like Facebook and WhatsApp messages or GPS locations to unauthorized users. Some of the apps also allow for unauthorized remote livestreaming of video and audio from the victim device, and maintaining victim data on servers even after account removal.
ESET said it received mixed responses after contacting the app-makers about their issues. The company did not identify the stalkerware vendors in question to avoid publicizing the specific bugs.
“[T]o this day, only six vendors have fixed the issues we reported in their apps,” researchers noted. “Forty-four vendors haven’t replied and seven promised to fix their problems in an upcoming update, but still have not released patched updates as of this writing. One vendor decided not to fix the reported issues.”
It should come as no surprise that vendors of applications that violate people’s privacy might slip up on keeping stalkerware victims’ information secure. ESET researchers note, however, that their findings could also serve to discourage potential abusers who are considering the use of stalkerware in their own relationships. The vulnerabilities indicate that stalkers’ information is also not secured properly.
Some of the stalkerware applications examined keep information about the stalkers on a server even if they request the data be deleted, for instance, according to the report. The fourth most common issue ESET found in analyzing the 86 applications was that some app vendors’ servers was leaking stalkers’ information and what data they stole from targets.
“This research should also serve as a warning to potential future users of stalkerware … since not only is it unethical, but it also might result in revealing private and intimate information of their spouses, children and employees,” the researchers note. “[It]t might lead to exposing private information about the stalker as well.”
Efforts to limit stalkerware applications’ reach and effectiveness have ramped up in recent years.
Two years ago, a group of security firms and victim advocacy groups formed The Coalition Against Stalkerware to work on sharing threat intelligence to deter identify and block stalkerware on devices. Seven out of 10 antivirus products detected between 80 and 100% of the stalkerware tested in an AV-Comparatives analysis.
In recent months some companies have stepped in to try to limit stalkerware apps’ distribution, by implementing bans in the Google Play store, for instance, or curtailing Google advertisements and marketing for stalkerware.