During a pandemic, stalkerware becomes even more sinister

Stalkerware detections have increased, some security researchers say, as the COVID-19 pandemic forces people to possibly quarantine with domestic abusers.
Under normal circumstances, stalkerware can make it difficult for domestic violence victims to get support since it can monitor targets' every move on their phones. But during a pandemic, stalkerware can make it near impossible for victims to get help. (Scoop News Group / Danny McGarvey)

When public health experts started recommending social distancing to reduce the spread of COVID-19, the goal was to place people out of harm’s way. But the policy has forced many domestic violence victims to possibly face a far more insidious danger: isolating with an abuser.

Security researchers tell CyberScoop that data show a rise in invasive surveillance software known as stalkerware — applications that can spy on partners’ texts, calls, social media use and geolocation information — since the coronavirus pandemic began, despite the fact that abusers are much more likely to be sharing the same living space as their victims.

Three antivirus companies tracking stalkerware globally told CyberScoop they saw an increase in stalkerware detections just after governments at all levels put social distancing measures in place. Between January and May, for instance, California-based Malwarebytes and Germany-based Avira said stalkerware detections on their respective customers’ devices spiked by 190% and 99%, respectively. Slovakia-based ESET also found stalkerware detections rose from the fourth quarter of 2019 to the first quarter of this year.

Under normal circumstances, stalkerware can make it difficult for domestic violence victims to get support since it can monitor targets’ every move on their phones. But during a pandemic, stalkerware can make it near impossible for victims to get help, since an internet-connected device may very nearly be their only lifeline to seek outside support during the global health crisis.


Compounding the issue is the data that shows domestic violence is surging in recent months, and victims may feel a more urgent need than ever before to seek outside help or flee — running in stark contrast to the need to stay home to avoid COVID-19. Women are more likely than men, on average, to experience severe intimate partner physical violence, according to the National Coalition Against Domestic Violence.

“When many countries were starting to announce the lockdowns, we see a parallel between that and the [stalkerware] installation rates,” Alex Vukcevic, the director of protection labs and quality assurance at Avira, told CyberScoop. “We considered on the one hand, you’re next to your partner, mostly you’re in the same flat, so there is most likely nothing you really need to stalk, right? But on the other hand, you have more possibility to get access to the device of your partner.”

Domestic violence victims may already feel they have very little recourse, especially if they are isolating with their abusers — but their options to seek help may become increasingly scant when stalkerware is added to the equation. Even looking up hotline numbers or confiding in a friend can be detected by the applications.

“Stalkerware throws a wrench into a lot of things. A lot of the go-to safety plans might be more challenging if there’s stalkerware on the phone,” Erica Olsen, the safety net director for National Network to End Domestic Violence (NNEDV) told CyberScoop in an interview. “Especially at this time, asking friends or family, ‘can I come and stay at your house?’ is a loaded thing. It’s even harder to make that happen — if they even felt like it was an option before [COVID-19].”

There are several nonprofits and cybersecurity companies that have turned their attention to the scourge of stalkerware in recent months, whether that be by rousing antivirus companies to better identify and protect against stalkerware or by helping victims leave abusers without leaving digital traces. But during the pandemic, outmaneuvering the software when abusers and victims live in close quarters has become increasingly difficult, especially as many go-to workarounds, like using clean computers at public libraries or schools, have become inaccessible during the pandemic.


The stalkerware we know about

As is typical of stalkerware, the applications detected on customers’ devices during the pandemic have largely been designed so they can operate without the targets’ knowledge, making them harder to detect and remove, security researchers told CyberScoop.

Three stalkerware applications that antivirus firms have frequently detected during the pandemic all use their inability to be detected or removed as selling points. Two applications flagged by mobile security firm Lookout, mSpy and Mobilespy, list on their websites that the programs can be hidden on a device. Avira detected another program, Cerberus, that advertises it is impossible to remove from a device.

The makers of these products sell them as parental or employee monitoring tools. But the fact that they are designed to be invisible suggests more nefarious goals, making them appealing to people trying to snoop on partners, according to the Coalition Against Stalkerware, an organization formed in recent months in order to more clearly define and detect stalkerware. Kaspersky, Malwarebytes, Avira, the NNEDV, the Electronic Frontier Foundation, and Operation: Safe Escape are each members.

App stores have also been working to make it harder for perpetrators to access stalkerware, but the review process isn’t ironclad.


Kristin Del Rosso, a senior security intelligence engineer at Lookout, told CyberScoop that installations of Highster, another app billed as a parental monitoring tool, has increased since January. When reached for comment about why Highster was sold in the Apple app store, Apple told CyberScoop it removed Highster from the store for violating the App Store Review Guidelines, which are meant to prohibit applications from “collecting, transmitting or compiling personal data without a user’s explicit consent.”

An Apple spokesperson did not address CyberScoop’s repeated questions about whether mSpy, a version of which appears to be in its app store, violates its guidelines.

An Apple spokesperson said, “safety is Apple’s top priority and we are committed to providing users with strong protections against malicious behavior.”

When reached for comment, Retina-X Studios, Mobilespy’s developers, said the data might be referring to another application, claiming Retina-X Studios products were discontinued in 2018. The other applications’ developers did not return requests for comment.

The U.S. government has started to take note of stalkerware, too. The Federal Trade Commission took action against Retina-X earlier this year in part because their applications did not prevent people from using them for nefarious purposes.


Patchwork of visibility

The applications that have been frequently detected during the pandemic do not necessarily represent the full picture of stalkerware use. Getting to that point is something cybersecurity companies struggle with: They have different customer bases and ways of collecting statistics, and the stalkerware market itself is rather dispersed.

“It’s hard to say which version of stalkerware has been more prevalent during the past few months,” Del Rosso told CyberScoop. “There are hundreds of types of commercial stalkerware, many of which are even offered on different websites under different names, but technically the same code.”

Unlike the other antivirus companies, for example, Russia-based Kaspersky said it has seen a decrease in the number of stalkerware downloads, installations, and attempted installations against its customer base during the pandemic.

Even “detecting” stalkerware may not be all that revealing. It could indicate someone tried but failed to install stalkerware because an antivirus product blocked it. It could mean stalkerware was already on a device that just started using an antivirus solution. It could also mean someone downloaded the application but did not try using it.


There are some signs antivirus companies have been getting better at detecting stalkerware in recent months, according to independent antivirus testing lab AV-Comparatives. Between November 2019 and May of this year, ten antivirus products improved their detection rates for stalkerware. And as of May, nine out of 10 products detected between 75% and 95% of stalkerware programs.

The telework conundrum

There are groups working to limit the damage of stalkerware. And although the pandemic may be keeping many domestic violence survivors from their normal support systems, in at least one case, society’s shift to telework has helped one survivor discover she was being watched.

Operation: Safe Escape, which was founded in 2016 to help domestic violence victims escape abusers without leaving digital crumbs, is working on ways victims can communicate safely during the pandemic. The group’s executive director, Chris Cox, told CyberScoop that one survivor his nonprofit worked with in recent weeks received an email from her company’s IT team after she connected her personal cellphone to her employer’s corporate network. When the IT team saw some unusual traffic, she was alerted to possible stalkerware on her phone, Cox said.

She then got in touch with Operation: Safe Escape, which helped her discover that her husband had been using stalkerware to spy on her for at least several months. The program was capable of recording calls, listening via the device’s microphone, activating the camera, and viewing her calendar and emails. Cox declined to share further details, except that the woman left her husband after making the discovery. CyberScoop could not independently verify the woman’s experience.


The story is an example of a new challenge corporate IT teams face in the wake of the pandemic: notifying their employees to signs of surveillance, especially as more of them use their personal devices to do their jobs.

NNEDV’s Olsen says organizations need to consider how to handle such a delicate moment.

“Depending on how an employer reacts to detecting monitoring software, they could put the survivor in an uncomfortable position, or worse, a dangerous one,” Olsen said.

On a technical level, some stalkerware applications alert operators when they’ve been deleted, which could exacerbate abuse. Urging victims to leave their partners may not be safe either, Olsen says.

“What we know from years and years of research is that the point of leaving is very often the most dangerous time for a survivor. For many, this is when abuse, stalking, and assaults often escalate,” Olsen said. “It’s important to trust the survivor and not push them to leave when they are not ready.”


Cox said he is seeing one other trend that is concerning, if anecdotal: During the pandemic, survivors have been increasingly reaching out to Operation: Safe Escape after abusers become violent, not before.

“We’re getting a lot more referral from partner organizations or law enforcement because the individuals aren’t able or don’t have the means to reach out safely,” Cox said. “Communication happens later on in the process, when unfortunately injuries may have already occurred. People are waiting longer or sometimes waiting for a triggering event to contact us because they are being constantly watched.”

If you are a victim or survivor seeking support right now you can call 1-800-799-7233 or 1-800-787-3224 to reach the National Domestic Violence Hotline. For those unable to speak safely right now, the organization advises logging on to or texting LOVEIS to 22522.

If you are afraid your internet usage might be monitored, call the National Domestic Violence Hotline at 1−800−799−7233 or TTY 1−800−787−3224. Users of web browser Microsoft Edge will be redirected to Google when clicking the “X” or “Escape” button,” the hotline says.

NNEDV’s Safety Net, Tech & Privacy Survivor Toolkit


WomensLaw – Cyberstalking

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts