Fight against stalkerware: technical and lifeworld obstacles
Marius Becker / dpa
The extent of the stalkerware problem has changed little for the better in 2020 - this is how the new report by IT security company Kasperskys begins on the spread of apps that people use to secretly monitor their partners or other victims of stalking.
Kaspersky registered 53,870 people affected last year.
That is almost 14,000 fewer than in 2019, but around 14,000 more than in 2018. And only those victims are counted here who installed Kaspersky's security app on their smartphone: The actual spread of such apps is likely to be much greater.
Nevertheless, the report provides interesting insights: Firstly, the number of detected stalking apps fell significantly after March 2020, which Kaspersky explains with the start of contact restrictions due to the coronavirus pandemic: Since then, perpetrators have been able to monitor their victims more easily in partnerships.
Second, according to the report, Germany ranks first in a European comparison and sixth worldwide in terms of the number of stalking attempts discovered with the help of sniffing apps.
Kaspersky recorded 1547 victims for 2020. For comparison: In Russia, where Kaspersky's app is possibly more widespread, there were 12,389 cases, in Brazil more than 6,500, in the USA 4,745.
Third, many stalking app vendors do not even try to obscure the purpose of their applications, even though their use will almost always be illegal.
Anyone who calls their app iSpyoo, TheTruthSpy or PhoneSpy wants to address a very specific clientele.
Search engine optimization with "cheating spouse" in the source code
Monitoring software for smartphones can, however, be quite legitimate or at least give itself a look that appears legitimate, for example when it is touted as theft protection or for parents who want to check where their child is.
Some apps are advertised in exactly the same way on the surface, but then in the source code of the website the term "spouse" or "cheating spouse" is visible, especially visible to search engines.
So it's about the supposedly adulterous partner again, or at least about her as well.
Obviously, tactics like this are used to draw people to the site who simply google for stalking apps.
These tricks are well known, but the detection of stalkerware on a smartphone is not a sure-fire success.
Since November 2019 there has been a "coalition against stalkerware", which includes the civil rights organization Electronic Frontier Foundation and victim protection organizations such as the White Ring, including ten IT security companies, including Kaspersky, G Data, Malwarebytes, Avast, Avira and F-Secure.
They exchange ideas and develop new detection methods - but despite their experience in the fight against malware, they have to deal with technical and everyday obstacles.
G Data from Bochum, for example, has integrated stalkerware detection into its Android app since October.
Put simply, smartphone operating systems do not allow in-depth analyzes of running programs, unlike Windows PCs, for example.
It is therefore not possible to simply recognize as yet unknown stalkerware based on their behavior on the smartphone.
That is why G Data only works with a list of known stalker programs on the device itself.
The real work is the ongoing updating of this list using samples.
Monitoring is easier on Android
Every Android app can be taken apart and analyzed if you find its installation file (technical term: APK), and according to Alexander Burris, head of mobile research at G Data, G Data has various sources for this.
"We exchange a lot of samples of malware and stalkerware with other companies in the industry," says Burris.
"We have crawlers who search websites for samples, we look at file sharing sites, or we download them directly from some manufacturers."
The APKs are first scanned by automated systems for known malware patterns, it is said.
Asber, it always needs human analysts to be classified as stalkerware.
A decisive factor is whether an app secretly monitors communication or transmits the location, i.e. without notifying the smartphone owner.
Legitimate programs would, for example, also signal to children that they are active.
The fact that G Data concentrates on Android is due to Apple's closed system: by default, only apps from the strictly controlled app store can be installed, and they also have less access to data from other apps; full monitoring is hardly possible under these circumstances.
There is indeed stalkerware for iPhones, but their installation is so complicated that some providers have switched to selling ready-made iPhones with pre-installed monitoring software - which fewer perpetrators can afford.
Don't delete stalkerware right away
Burris estimates that there are »a few dozen« different stalking apps on the German market.
G Data, however, knows between 2000 and 3000 samples, i.e. ultimately variants of these apps, because the developers keep changing their monitoring programs.
Keeping the list of stalkerware apps up to date is a tedious process.
If G Data finds a problematic app on a smartphone, it is not deleted immediately.
Stefan Mutterlose, team leader in app development, says: »You want to remove normal malware from the device as quickly as possible.
It's different with stalkerware.
The perpetrator would most likely notice if the software suddenly stopped working and could feel cornered.
Then the situation can escalate to the point of domestic violence. "
Victims should therefore keep calm and consider which secure channels they could use to seek help and which other devices or accounts could still be compromised because someone else knows the password or has set up access.
For this reason, G Data initially only shows its users a message explaining that there is an app on the mobile phone that is suitable (depending on its capabilities) for monitoring the location and communication, followed by a link to further information.
The link leads to a website that is not immediately recognizable as a stalkerware information page in case the perpetrator is nearby.
»Only read this article if you are in a safe and trustworthy environment!
If necessary, delete this page from the history of your Internet browser after reading it «, but it is also there as a warning.
The procedure against stalkerware is therefore not a problem that can be solved technically alone.
Those affected must act prudently, even when they are under great pressure.
(We have collected more tips on this here.)
Stalking with apps should be explicitly prohibited by law
After all, there were also some positive developments in 2020.
In autumn, for example, Google finally explicitly banned stalkerware from the Play Store, which at least made the distribution of the programs more complex.
Perpetrators have to use their victim's device to go to a website that offers a surveillance program and install it bypassing Google's standard security settings.
In the best case scenario, a screen lock with a pin, password or fingerprint protects against this.
Antivirus apps are no longer the only way to track down stalkers.
Kaspersky has developed an alternative approach with TinyCheck.
It is an open source software that is installed on a minicomputer like the Rasperry Pi and scans the network traffic for suspicious data between a smartphone and a WiFi router.
The technology is intended, for example, for use in women's shelters, as an aid for those affected who do not want or cannot install an antivirus app on their smartphone.
Something is also moving politically: A week ago, Federal Justice Minister Christine Lambrecht (SPD) presented a draft to tighten paragraph 238 of the Criminal Code, which deals with stalking.
Monitoring with the help of stalking apps should be explicitly included in the prohibited list.
In addition, the minister wants to change the definition of stalking.
According to the draft, it is no longer only those who stalk their victims "persistently" and "seriously" impair their way of life that make themselves punishable;
The goal is "better and easier enforcement," so ultimately there should be more convictions.
Icon: The mirror