Stalkerware poses particular challenges to anti-virus products

Posted by Martijn Grooten on Oct 31, 2019

Did you know that October has been Cyber Security Awareness Month? Of course you did: it has been pretty hard to avoid it. But did you know that it has also, at least in the United States, been Domestic Violence Awareness Month?

These two are more closely linked than they may at first seem: a lot of today's domestic violence has a digital component, with the abuser tracking the victim-survivor through digital means. The most obvious, though far from the only, method is stalkerware: consumer spyware installed on a device, often by someone who has physical access to it.

Stalkerware has received a lot of attention in recent years. This month, the FTC banned one vendor from selling such software after the company in question had repeatedly been breached. Motherboard has published an excellent series on stalkerware and other kinds of surveillance used by and against ordinary people. At VB2017 in Madrid, Motherboard's Joseph Cox (then at the Daily Beast) gave a presentation on stalkerware.

Earlier this year, the EFF's Eva Galperin started working on getting anti-virus products to both improve their detection of stalkerware and display a specific message when such software has been found on a device.

This matters: from a technical point of view stalkerware isn't particularly interesting and rarely has properties that excite malware researchers, but the threat model is very different from that of ordinary malware. Removing the app from a device, which would be the natural thing for an AV product to do, also tells the abuser that their spying has been noticed, and that could lead to further abuse.

The standard advice from AV vendors, to run a scan to find evidence of stalkerware, is also of limited use here, at least as a solution to the problem: if the product misses a new variant, a message that the device is clean provides a dangerously false sense of security. Moreover, even if no stalkerware is present, there are other ways in which the user could be tracked (shared accounts, location sharing, and so on), and the distinction between these and stalkerware may not be clear to most people.

[Image: screenshot of the FlexiSpy website] FlexiSpy is one of the better known kinds of stalkerware. As is typical for this kind of malware, it claims to be made to monitor children and employees.

That doesn't mean that anti-virus doesn't have an important role to play: it is in the unique position of being able to inform the user with a clear message when stalkerware has been found on a device, without necessarily removing it. Vendors can also ensure that new stalkerware samples are shared quickly and broadly with other vendors to improve detection, and they can support frontline defenders such as women's shelters in dealing with potentially infected phones.

This conversation should go both ways though: while AV vendors naturally understand malware well, they often don't understand the particular threat model of domestic abuse. They have as much, if not more, to learn about stalkerware by talking to victim-survivors and the organisations that support them. At the same time, these organisations can often be helped in very simple ways.

Though stalkerware is a very serious topic, it is also an intriguing one that forces malware researchers to step out of their comfort zones and tackle an issue where the problem isn't particularly technical in nature. Learning about different threat models benefits security far beyond this particular threat.

Note: domestic abuse/violence is often referred to in literature as 'intimate partner violence'; I used the term more in line with the annual designation. Following the example of others, I have chosen the term victim-survivor to include the more empowering 'survivor' while also reflecting the sad reality that not all victims become survivors.
