Stalkerware poses particular challenges to anti-virus products

Posted by Martijn Grooten on Oct 31, 2019

Did you know that October has been Cyber Security Awareness Month? Of course you did – it has been pretty hard to avoid it. But did you know that it has also, at least in the United States, been Domestic Violence Awareness Month?

These two are more closely linked than they may at first seem: a lot of today's domestic violence has a digital component, with the abuser tracking the victim-survivor through digital means. The most obvious, though far from the only, method is stalkerware: consumer spyware installed on a device, often through physical access to the device.

Stalkerware has received a lot of attention in recent years. This month, the FTC banned one vendor from selling such software after the company in question had repeatedly been breached. Motherboard has published an excellent series on stalkerware and other kinds of surveillance used by and against ordinary people. At VB2017 in Madrid, Motherboard's Joseph Cox (then at the Daily Beast) gave a presentation on stalkerware.

Earlier this year, the EFF's Eva Galperin started working on getting anti-virus products to both improve their detection of stalkerware and display a specific message when such software has been found on a device.

This matters: while from a technical point of view stalkerware isn't particularly interesting and rarely has properties that excite malware researchers, the threat model is very different. Removing the app from a device, which would be the natural thing for an AV product to do, would also inform the abuser of their spying having been noticed, which could lead to further abuse.

The standard advice from AV vendors – to run a scan to find evidence of stalkerware – is also one that may not apply here, at least not as a solution to the problem: if the product misses a new variant, the message that a device is clean could provide a dangerously false sense of security. Moreover, even if indeed no stalkerware is present, there are other ways in which the user could be tracked: the distinction between these and stalkerware may not be clear to most people.

[Image: FlexiSpy website] FlexiSpy is one of the better known kinds of stalkerware. As is typical for this kind of malware, it claims to be made to monitor children and employees.

That doesn't mean that anti-virus doesn't have an important role to play: it is in the unique position of being able to inform the user with a clear message when stalkerware has been found on a device. Vendors can also ensure that new stalkerware samples are shared quickly and broadly with other vendors to improve detection, and they can support frontline defenders such as women's shelters in dealing with potentially infected phones.
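The two product-design points made above (do not silently remove a stalkerware detection, and never let a scan with no findings read as "your device is clean") can be expressed as a small remediation policy. The following is an added illustration written for this post, not code from any anti-virus vendor; the detection categories, the sample detections and the message wording are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Category(Enum):
    """Detection classes an engine might emit (hypothetical taxonomy)."""
    MALWARE = "malware"
    STALKERWARE = "stalkerware"


class Action(Enum):
    QUARANTINE = "quarantine"      # remove or neutralise the file automatically
    NOTIFY_ONLY = "notify_only"    # tell the user, change nothing on the device


@dataclass(frozen=True)
class Detection:
    name: str
    category: Category
    path: str


@dataclass
class ScanReport:
    actions: List[Tuple[Detection, Action]] = field(default_factory=list)
    lines: List[str] = field(default_factory=list)   # user-facing messages


def decide_action(detection: Detection) -> Action:
    """Map a detection to a remediation action.

    Stalkerware is the exception to the usual auto-remove policy: silently
    deleting it tells the person who installed it that the monitoring has
    been noticed, so the product only informs the user and leaves the
    decision, and its timing, to them.
    """
    if detection.category is Category.STALKERWARE:
        return Action.NOTIFY_ONLY
    return Action.QUARANTINE


def build_report(detections: List[Detection]) -> ScanReport:
    """Apply the policy to every detection and word the result carefully."""
    report = ScanReport()
    for det in detections:
        action = decide_action(det)
        report.actions.append((det, action))
        if action is Action.NOTIFY_ONLY:
            report.lines.append(
                f"Monitoring app found: {det.name} at {det.path}. "
                "It has NOT been removed. Removing it may alert whoever "
                "installed it; consider contacting a support organisation "
                "before taking action."
            )
        else:
            report.lines.append(f"Removed {det.name} ({det.path}).")
    if not any(d.category is Category.STALKERWARE for d in detections):
        # A scan that found nothing is not proof of absence: a new variant may
        # be missed, and tracking via shared accounts or location sharing is
        # invisible to an app scanner. The wording must not claim "clean".
        report.lines.append(
            "No known stalkerware was found. This does not rule out "
            "tracking by other means."
        )
    return report


# Constructed sample detections; the names and paths are not real signatures.
SAMPLE_DETECTIONS = [
    Detection("Trojan.Example", Category.MALWARE, "/sdcard/Download/update.apk"),
    Detection("Monitor.Example", Category.STALKERWARE, "/data/app/com.example.monitor"),
]

if __name__ == "__main__":
    for line in build_report(SAMPLE_DETECTIONS).lines:
        print(line)
    for line in build_report([]).lines:
        print(line)
```

The point of the split is that the category, not the severity, drives the action: a conventional trojan is quarantined as usual, while the stalkerware finding is reported with an explanation of why nothing was changed, and the no-findings case is phrased as a bounded statement about known stalkerware rather than a verdict on the device.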

This conversation should go both ways though: while AV vendors naturally understand malware well, they often don't understand the particular threat model linked to domestic abuse. They have as much, if not more, to learn about stalkerware by talking to victim-survivors and the organisations that support them. At the same time, these organisations can often be helped in very simple ways.

Though stalkerware is a very serious topic, it is also an intriguing one that forces malware researchers to step out of their comfort zones and tackle an issue where the problem isn't particularly technical in nature. Learning about different threat models benefits security far beyond this particular threat.

Note: domestic abuse/violence is often referred to in literature as 'intimate partner violence'; I used the term more in line with the annual designation. Following the example of others, I have chosen the term victim-survivor to include the more empowering 'survivor' while also reflecting the sad reality that not all victims become survivors.
