Malware, ransomware and spyware are all serious concerns today – now add to the list “stalkerware.” The monitoring software, a form of spyware, isn’t new but it is increasingly being used for cyberstalking. The term was reportedly coined when individuals began to use commercial spyware to track and/or monitor their spouses or other intimate partners. It has also been abused by employers and others to track individuals without their knowledge, and certainly without their permission.

A major concern is that it could compromise the data on mobile phones via key logging, taking screenshots and monitoring internet activities; while there are also worries that stalkerware could even be used in more sinister and nefarious ways to gather information via a mobile device. This form of insidious malware can be used to record video and audio of an individual and operate in a stealth mode so that the application can be invisible in the list of installed programs and even running disguised as a system processes or utility programs.

Thus the phone could potentially secretly record conversations, take photos, and access sensitive communication that occurs on the device. You may not be able to take your phone into the SCIF, but when you’re working from home and having conversations that are unclassified, it can still be giving our adversaries information. Fortunately, the government may be ready to do something to address the dangers this spyware poses to individuals.

Federal Trade Commission Steps in To Address Stalkerware

Earlier this month, the Federal Trade Commission voted unanimously to ban what it called a “stalkerware app company” as well as its CEO from operating in the surveillance business. This was the second case brought against a stalkerware app, yet it was the first time the FTC had obtained such a ban.

The agency alleged that SupportKing, which ran in the Android app SpyFone, had secretly harvested and shared data on people’s physical movements, phone use, and online activities via a hidden device hack. More ominously, the company had even sold “real-time access” of its surveillance, which could have enabled stalkers and abusers to track their targets.

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection.

“The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security,” added Levine. “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”

As a result of the FTC’s efforts, SupportKing and its CEO Scott Zuckerman have been banned from offering, promoting, selling, or advertising any surveillance app, service, or business, the proposed settlement requires them to delete any information illegally collected from their stalkerware apps.

Real Time Surveillance

This week Vice.com also reported that another stalkerware company is now in the spotlight for how it has shared some data it collected. pcTattleTale, a software developer of apps that can be used to monitor spouses without their consent, reportedly allows users to view screenshots of an infected device by just visiting specific URLs.

Via its Facebook page, the company even advertised that it can act as a popular keylogger and monitoring app that can allow users to see what children, spouse or employees do online. Security researchers told Vice’s Motherboard that pcTattleTale uploads victim data to an AWS server that lacks authentication to view specific images. A specific URL is sent to the user to see the information, but researchers found that it was possible to reach some of the sensitive data by randomly typing in similar URL addresses.

The FTC has declined to comment whether the agency has considered or is investigating pcTattleTale, but Levine has said that the surveillance-based businesses could pose a significant threat to our safety and security, and added that the agency will be aggressive about seeking surveillance bans when companies “egregiously invade our privacy.”

Worrisome Software

While this software isn’t technically illegal, some security experts have suggested it should be.

“Anyone who creates software like this should have to deal with the consequences,” Chloé Messdaghi, cybersecurity disruption consultant and researcher, told ClearanceJobs.

“If you’re secretly doing these things without informing the individual, it’s a clear violation of privacy,” said Messdaghi, who also formed OverStalkers.com – a site with valuable resources for stalkerware victims and for people interested in helping.

“Most cases of stalkerware were of men using power and control to dominate, such as in abusive cases,” she explained. “This is very serious – to stop it, it’s all about prevention. Once it’s on the device, it’s very hard to detect. Companies have to also inform employees that this is an ongoing problem, and if someone is using their personal device for work, such as to review routine, sensitive, or even classified emails.

“It’s important for employers to mandate that employees use work devices for work, and restrict personal exchanges strictly to personal devices – with full separation,” Messdaghi added. “Next, companies should inform employees that they will routinely collect and review their work devices, and follow up.”

The problem is likely to get worse however, especially in the “bring your own device” (BYOD) era. Some employees may not want to be burdened with two devices, but by doing so may require a company’s IT department to have access to a personal device.

“This comes down to law – the U.S. Government needs to outlaw this type of software,” suggested Messdaghi. “Companies that create stalkerware should be held responsible. They should not be able to advertise, and should be flagged on social platforms.”

 

Related News

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com.