Stalkerware poses particular challenges to anti-virus products

Posted by   Martijn Grooten on   Oct 31, 2019

Did you know that October has been Cyber Security Awareness Month? Of course you did ─ it has been pretty hard to avoid it. But did you know that it has also, at least in the United States, been Domestic Violence Awareness Month?

These two are more closely linked than they may at first seem: a lot of today's domestic violence has a digital component, with the abuser tracking the victim-survivor through digital means. The most obvious, though far from only method is stalkerware: consumer spyware installed on a device, often through physical access to the device.

Stalkerware has received a lot of attention in recent years. This month, the FTC banned one vendor from selling such software after the company in question had repeatedly been breached. Motherboard has published an excellent series on stalkerware and other kinds of surveillance used by and against ordinary people. At VB2017 in Madrid, Motherboard's Joseph Cox (then at the Daily Beast) gave a presentation on stalkerware.

Earlier this year, the EFF's Eva Galperin started working on getting anti-virus products to both improve their detection of stalkerware and display a specific message when such software has been found on a device.

This matters: while from a technical point of view stalkerware isn't particularly interesting and rarely has properties that excite malware researchers, the threat model is very different. Removing the app from a device, which would be the natural thing for an AV product to do, would also inform the abuser of their spying having been noticed, which could lead to further abuse.

The standard advice from AV vendors – to run a scan to find evidence of stalkerware – is also one that may not apply here, at least not as a solution to the problem: if the product misses a new variant, the message that a device is clean could provide a dangerously false sense of security. Moreover, even if indeed no stalkerware is present, there are other ways in which the user could be tracked: the distinction between these and stalkerware may not be clear to most people.

flexispywebsite.pngFlexiSpy is one of the better known kinds of stalkerware. As is typical for this kind of malware, it claims to be made to monitor children and employees.

That doesn't mean that anti-virus doesn't have an important role to play: it is in the unique position of being able to inform the user with a clear message when stalkerware has been found on a device. Vendors can also ensure that new stalkerware samples are shared quickly and broadly with other vendors to improve detection, while they can support frontline defenders such as women's shelters in dealing with potentially infected phones.

This conversation should go both ways though: while AV vendors naturally understand malware well, they often don't understand the particular threat model linked to domestic abuse. They have as much, if not more, to learn about stalkerware by talking to victim-survivors and the organisations that support them. At the same time, these organisations can often be helped in very simple ways.

Though stalkerware is a very serious topic, it is also an intriguing one that forces malware researchers to step out of their comfort zones and tackle an issue where the problem isn't particularly technical in nature. Learning about different threat models benefits security far beyond this particular threat.

Note: domestic abuse/violence is often referred to in literature as 'intimate partner violence'; I used the term more in line with the annual designation. Following the example of others, I have chosen the term victim-survivor to include the more empowering 'survivor' while also reflecting the sad reality that not all victims become survivors.



Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.