Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Android stalkerware threatens victims further and exposes snoopers themselves

May 17, 2021

ESET research reveals that common Android stalkerware apps are riddled with vulnerabilities that further jeopardize victims and expose the privacy and security of the snoopers themselves

Mobile stalkerware, also known as spouseware, is monitoring software silently installed by a stalker onto a victim's device without the victim's knowledge. Generally, the stalker needs physical access to the victim's device in order to side-load the stalkerware. Because of this, stalkers are usually someone from the close family, social or work circles of their victims.

Based on our telemetry, stalkerware apps have become more and more popular in the last couple of years. In 2019 we saw almost five times more Android stalkerware detections than in 2018, and in 2020 there were 48% more than in 2019. Stalkerware can track the GPS location of a victim's device, conversations, images, browsing history and more. It also stores and transmits all this data, which is why we decided to forensically analyze how these apps handle the security of that data.

Figure 1. Based on our detection telemetry, usage of Android stalkerware is increasing

To stay under the radar and avoid being flagged as stalkerware, vendors in many cases promote their apps as providing protection to children, employees, or women, yet the word "spy" appears many times on their websites. Finding these tools online isn't difficult at all; you don't have to browse underground websites. The screenshot below depicts perhaps the most unsavory example: a claim that these apps monitor women for their own safety.

Figure 2. A stalkerware app's claim to monitor women, allegedly for their safety

More than 150 security issues in 58 Android stalkerware apps

If nothing else, stalkerware apps encourage clearly unethical behavior, leading most mobile security solutions to flag them as undesirable or malicious. However, given that these apps access, gather, store, and transmit more information than any other app their victims have installed, we were interested in how well they protected that volume of especially sensitive data.

Hence, we manually analyzed 86 stalkerware apps for the Android platform, provided by 86 different vendors. In this analysis we define a person who installs and remotely monitors or controls stalkerware as a stalker. A victim is a targeted person whom a stalker spies on via the stalkerware. Finally, an attacker is a third party of whom the stalker and the victim are usually unaware. An attacker can carry out actions such as exploiting security issues or privacy flaws in the stalkerware or in its associated monitoring services.

This analysis identified many serious security and privacy issues that could result in an attacker taking control of a victim's device, taking over a stalker's account, intercepting the victim's data, framing the victim by uploading fabricated evidence, or achieving remote code execution on the victim's smartphone. Across 58 of these Android applications we discovered a total of 158 security and privacy issues that can have a serious impact on a victim; indeed, even the stalker or the app's vendor may be at some risk.

Following our 90-day coordinated disclosure policy, we repeatedly reported these issues to the affected vendors. Unfortunately, to this day, only six vendors have fixed the issues we reported in their apps. Forty-four vendors haven't replied, and seven promised to fix the problems in an upcoming update but still haven't released patched updates as of this writing. One vendor decided not to fix the reported issues.

Discovered security and privacy issues

The 158 security and privacy issues in 58 stalkerware apps are ordered by how often they occurred in the analyzed stalkerware.

Figure 3. Breakdown of security and privacy issues uncovered in this research

Issue categories shown in Figure 3, in the chart's order (most prevalent first):
- Insecure transmission of user PII (CWE-200)
- Storing sensitive information on external media (CWE-922)
- Exposure of sensitive user information to unauthorized user (CWE-200)
- Server leak of stalkerware client information (CWE-200)
- Unauthorized data transmission from device to server
- Incorrect permission assignment for devices with superuser privileges (CWE-732)
- Insufficient verification of client uploaded data (CWE-345)
- Improper authorization of SMS commands (CWE-285)
- Bypass payment to access admin console (CWE-284)
- Command injection (CWE-926)
- Enforcing weak registration password (CWE-521)
- Missing proper password encryption (CWE-326)
- Victim data kept on server after account removal
- Leak of sensitive information during IPC communication (CWE-927)
- Partial access to admin console (CWE-285)
- Remote livestream of video and audio from victim device (CWE-284)
- Running as system application
- Source code and super admin credentials leak (CWE-200)
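One class in the issue list above, "Insufficient verification of client uploaded data (CWE-345)", is what makes the "framing the victim by uploading fabricated evidence" scenario possible: the monitoring server files whatever a client sends under whatever device ID the client names. The following Python is an added example written for this page, not ESET's code and not any vendor's; the upload format, the in-memory device registry, and every name in it are assumptions chosen to show the vulnerable pattern beside a hardened one that binds each upload to a per-device secret with an HMAC.

```python
"""Vulnerable vs hardened ingestion of "evidence" uploads from a monitored
device (illustrating CWE-345). Everything here is a constructed demo; a real
deployment would keep the device secret in Keystore-backed storage on the
phone and in a database on the server, and send the upload over TLS."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Upload:
    """A constructed upload as the server sees it after decoding the request."""
    device_id: str
    payload: bytes          # e.g. a screenshot or an exported chat log
    signature: str = ""     # hex HMAC-SHA256 over (device_id, payload); hardened path only


@dataclass
class Store:
    """Evidence filed per device ID, as the stalker's console would display it."""
    by_device: Dict[str, List[bytes]] = field(default_factory=dict)

    def add(self, device_id: str, payload: bytes) -> None:
        self.by_device.setdefault(device_id, []).append(payload)


def vulnerable_ingest(store: Store, upload: Upload) -> bool:
    """The flawed pattern: the server trusts the client-supplied device_id.
    Anyone who learns or guesses a victim's ID can plant data under it."""
    store.add(upload.device_id, upload.payload)
    return True


class DeviceRegistry:
    """Per-device secrets issued once at enrollment (assumed design)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enroll(self, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[device_id] = secret
        return secret

    def secret_for(self, device_id: str) -> Optional[bytes]:
        return self._secrets.get(device_id)


def sign_upload(secret: bytes, device_id: str, payload: bytes) -> str:
    """What an enrolled client computes before sending. The NUL separator keeps
    (device_id, payload) pairs from being re-split into a different pair."""
    msg = device_id.encode("utf-8") + b"\0" + payload
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_ingest(store: Store, registry: DeviceRegistry, upload: Upload) -> bool:
    """Accept the upload only if it carries a valid MAC under the secret of the
    device it claims to come from. Unknown devices and bad MACs are refused,
    and the comparison is constant-time to avoid leaking the expected value."""
    secret = registry.secret_for(upload.device_id)
    if secret is None:
        return False
    expected = sign_upload(secret, upload.device_id, upload.payload)
    if not hmac.compare_digest(expected, upload.signature):
        return False
    store.add(upload.device_id, upload.payload)
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Returns (forgery accepted by vulnerable path,
                forgery accepted by hardened path,
                genuine upload accepted by hardened path)."""
    registry = DeviceRegistry()
    victim_secret = registry.enroll("victim-phone-01")

    # Attacker knows only the victim's device ID, not its secret.
    forged = Upload("victim-phone-01", b"fabricated chat log")
    genuine = Upload("victim-phone-01", b"real screenshot")
    genuine.signature = sign_upload(victim_secret, genuine.device_id, genuine.payload)

    weak, strong = Store(), Store()
    forged_in_weak = vulnerable_ingest(weak, forged)
    forged_in_strong = hardened_ingest(strong, registry, forged)
    genuine_in_strong = hardened_ingest(strong, registry, genuine)
    return forged_in_weak, forged_in_strong, genuine_in_strong


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The MAC only proves that the sender holds the device's secret; it does not make the server any less of a liability if that secret, or the stored data, leaks through one of the other classes in the list (server leak of client information, data kept after account removal). It does close the specific hole where a third party with no access to the device can attach material to the victim's record.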


This research should serve as a warning to prospective buyers of stalkerware to reconsider using such software against their spouses and loved ones: not only is it unethical, it may also expose the private and intimate information of those spouses and leave them at risk of cyberattacks and fraud. Since the stalker and the victim are often closely related, the stalker's own private information may be exposed as well. During our research, we found that some stalkerware keeps information about the stalkers using the app, and the data gathered from their victims, on a server even after the stalkers requested that the data be deleted.

This is just a snapshot of what we found during our research, and we invite you to read the full paper.
