Study finds hundreds of stalker apps, few ways of finding them on your phone

Original Article: Patrick Cain | Global News | June 13, 2018

Hundreds of overt and covert spyware apps are available to abusive partners who want to turn a victim’s iPhone or Android into a surveillance tool, a recent U.S. study found.

And malware detection programs the researchers tested are terrible at finding them, they discovered in a series of tests.

Spyware apps range from those explicitly marketed at people who want to keep track of an intimate partner (as seen below) to more innocent ones, like Find My Phone, which can be re-purposed as tracking tools.

The most intrusive “allow covert monitoring of all communications, remote activation of cameras and microphones, location tracking, and more,” the study warns.

That places extreme demands on the victim’s phone, which can be one way they find out they’re being tracked, says Periwinkle Doerfler of New York University, one of the study’s authors.

“If the app is always running in the background, it’s sending stuff to the remote server, it’s going to be using more data and more battery,” she explains.

Another tipoff is an abusive partner who suddenly seems to know too much about you, she says.

“If you’re in an abuse situation, and you routinely find that someone has information that they shouldn’t have, then that’s a sign too. If you’re dealing with an abuser who seems to always know where you are, or know that you texted your friend, or that you visited his place.”

(Although it’s one of a phone’s apps, spyware often doesn’t have an icon, and can be hidden on the back end to some degree, depending on the app and the phone.)

As well as short battery life and the abuser having surprising knowledge about you, the U.S. Federal Trade Commission points to other danger signals, such as unexplained data use charges and a history of the abuser having physical access to the phone. If your phone is jailbroken (for iPhones) or rooted (for Androids) and you didn’t do it, that’s also a danger sign. (Here’s how to find out.)

The study was published by IPV Tech Research, a group of scholars based at Cornell and New York University who study technology’s role in intimate partner violence.

Anti-malware software, however, isn’t helpful. The researchers tested 40 anti-spyware apps on their ability to find 276 dual-use apps, apps that have a legitimate purpose but can be used as spyware. Some 37 were “completely ineffective,” while the remaining three had a high rate of false positives.

“A lot of the anti-spyware, anti-malware tools that we tried did not have tremendous success,” Doerfler says. “These anti-malware applications weren’t designed to catch this sort of stuff.”

The researchers also found 32 apps explicitly marketed as spyware.

It’s hard to know what to do about the misuse of apps created with a benign purpose, Doerfler says.

“A lot of these apps do have some legitimate use. They have some situation in which they would be legal, and reasonable things to use.”

On the other hand, some mainstream apps’ makers seem well aware of the darker side of their market.

The researchers emailed the makers of 11 dual-use apps posing as ‘Jessica,’ a potential customer asking: “If I use this app to track my husband, will he know that I am tracking him?”

One responded with a “strong admonishment and legal warning,” while two ignored the approach. The others “responded with some version of ‘No, he shouldn’t be able to tell,’ making them complicit in potential abuse,” the authors wrote.

What to do if you’re a spyware victim

Victims face a difficult set of choices.

“Removing the software means that whoever installed the software will no longer have access to your location, to your text messages and that’s positive,” Doerfler says.

On the other hand, that could be triggering to an abuser.

“If we make the fairly reasonable assumption that whoever installed it is not the best of people and maybe is violent, that could lead to a physical confrontation.”

In one case, spyware seems to be marketed with this kind of scenario in mind:

[Image: HelloSpy website snapshot]

(HelloSpy did not respond to our questions about how their marketing appeared to condone or normalize domestic violence. The original image comes from Shutterstock, a stock photo service, where it is searchable under keywords including ‘brutal,’ ‘aggressive’ and ‘scared’.)

Another option is to leave the spyware in place while using other ways to communicate, Doerfler says.

If you think your phone might be vulnerable to having spyware put on it, the U.S. Federal Trade Commission recommends not losing physical control of the phone, even for a few minutes, and putting a strong password on it – a good idea in any case.

One weakness of spyware is that it usually can only be installed by physically taking control of the victim’s phone. One workaround abusers resort to is giving the victim a phone with spyware already installed. They have also been known to install spyware on devices and give them to the victim’s children.

Replace the phone?

The cleanest solution — but not the cheapest — is to replace the phone.

“There’s a lot of safety in a brand-new device. If people have the money to do it, it’s recommended,” Doerfler says.

If you want to go that route, other experts recommend changing all your passwords using the new device, and then never using them on the old device. Depending on your Google settings, access to your Gmail password may give an abuser access to your real-time physical movements through Google Timeline.

Or just wipe it?

If you think you do have spyware, the FTC recommends resetting your phone and reinstalling the OS, after first backing it up if you have evidence of abusive behaviour you may want to keep.

The FTC warns against synching your backup to a new phone – that risks installing the spyware on the new phone. You should password-protect the new phone and disable Bluetooth and GPS.