Lurking in the shadows: the disturbing rise of stalkerware
Image credit: Landmark Media, Getty Images
With the installation of software to spy on individuals on the rise, advocates plead more needs to be done to ensure no more people fall victim to such heinous crimes.
Sarah thought she was going crazy. Money mysteriously left her bank account, while her phone and internet were intermittently disconnected. Creepy music and odd voices started playing through her smart speaker, lights would turn on and off. Her calendar and social media were hacked.
This was the work of an abusive ex-partner, who’d started turning up unexpectedly wherever Sarah was. As well as breaching her home network, he was also using stalkerware or spouseware to track her via her phone.
“Now she can’t leave the house for fear of him breaking in. She feels like a prisoner in her own home,” says Gemma, an advocate and case worker for victims of stalking with Hertfordshire-based Safer Places, who’s helping Sarah with the aftermath. “It’s had an effect on her teenage child, too – on their physical and mental health. She’s constantly scared. She’s bought a new phone and PC.”
Stalking has always existed, but technology is amplifying the problem with devastating effect, say support services. Once perpetrators know where their partner has been, or what they’ve said, they can play mind games. One psychotherapist says levels of anxiety reach levels suffered with post-traumatic stress disorder, and says cyber stalking has prompted psychosis in some victims.
Since Safer Places began offering a dedicated service for stalking victims last year, it has been overwhelmed by requests for help – and this mirrors a growing problem.
Worldwide, voices in the tech sector are beginning to recognise the damage being wrought by off-the-shelf tracking technology – some of the legitimate apps are designed for parents to keep tabs on their children, but much marketing surreptitiously targets jealous partners and exes. In fact, Twitter was shamed last year into pulling an ad actively promoting spouseware. “It’s hard to explain how crushing this kind of abuse is unless you’ve experienced it,” says Gemma. “They’ve had their intimate lives looked into. Different websites offer different packages to get revenge on your ex or scare them – some are sadistic or humiliating.”
Everyday tech such as Fitbits and children’s phones can be hacked. Physical trackers are so unobtrusive they can be stashed in cars or bags. Software enables users to send messages from a victim’s phone, or to schedule untraceable calls throughout the night.
Many apps masquerade as parental controls, but with sinister design. And they’re scarily cheap – sometimes as low as £5-10 a month, say campaigners, and easy to install. “We’re not talking movie levels of security here – you just need access to a phone,” says David Ruiz, a writer for Malwarebytes. Last year, his organisation analysed 2,500 suspect programs. “These products are extremely invasive – just looking at someone’s browsing history is like reading a personal diary.”
This type of stalking is often linked to domestic abuse or coercive control, says former engineer and psychotherapist Catherine Knibbs, who specialises in cyber abuse. Studies show 70 per cent of women victims of cyber stalking also suffer physical or sexual violence from a domestic partner. “When women – it’s usually women – find out, they feel violated, as if they’d been cheated on. They feel anger, betrayal, mistrust. They’ve missed the red warning flags.” She also discloses that although she hasn’t treated men who have been stalked by their partners throughout her therapy career, she says it does still happen to them.
Knibbs has also delved into the psychological effect cyber stalking can have. When someone is physically attacked or mugged, she says, they spend the next six months to a year replaying it, constantly looking over their shoulder, checking their door is locked and other variants of obsessive behaviour. It’s the same when people discover they’ve been spied on or cyber stalked, she says. “They go from zero to 60 worrying about what has happened, and going through ‘what if’ scenarios. Or they spend time thinking ‘if only I’d done things differently’. The immediate jump they make is similar to post trauma. When trust is betrayed, it almost results in paranoia, and people go down that path very quickly.”
However, Knibbs says that although most therapists witness patients going through these traumas, there is still a widespread lack of awareness over cyber issues contributing to such experiences. “Therapists’ knowledge about privacy, about technology and privacy, is close to zero,” she says. “They think ‘that’s what boffins do’, but it’s part of everybody’s life.”
‘We are trying to tell the world that stalkerware is real. But we’re trying to make the [tech] sector aware of how they might be contributing, what the impact of their tech is on vulnerable people.’
Where once someone might have physically tracked a partner or hired a private detective, technology has lowered barriers and made covert surveillance far easier. Even legitimate apps are open to abuse – the blue tick to show a WhatsApp message has been read, or the Find my iPhone app, or Timeline on Google Maps, says Knibbs. “And the impact of discovering you’ve been monitored might be more intense. You start wondering when it started, how long it’s been going on, and how much they know.”
This is far more than sneaking a peek at a partner’s personal messages or keeping tabs on an errant child, says Kaspersky’s security expert David Emm. Unlike legitimate parental apps, stalkerware won’t show up on your phone. Some apps deactivate anti-virus software or require it to be removed. There’s no sign a phone has been tampered with, even as stalkerware is intercepting messages, audio and video, or remotely operating a camera.
Android phones are more vulnerable, says Emm: “Settings allow you to go off piste more easily.” Unless an iPhone is ‘jailbroken’ or unlocked, it will only run official apps. Both Google and Apple say their stores only sell legitimate parental software – though campaigners dispute this. As of October last year, according to Malwarebytes, ten potential tracking apps were available on Google Play.
Stalkerware infections have soared, latest analysis by Kaspersky shows – though this could be down, in part, to better detection from improved security software. Last year, the company reported some 518,200 cases of stalkerware on devices or detected attempts to install it in the first eight months of 2019 – a 373 per cent increase over the previous year, while numbers of people encountering stalkerware at least once rose 35 per cent in the same period.
Kaspersky’s figures, which refer only to Android devices, don’t give the full picture. Activists say just 25 per cent of cyber stalking is ever reported, as victims are deterred by perceived shame or fear of reprisal. Worldwide, Russia, India, Brazil and the US lead the way in terms of numbers (see ‘The State of Stalkerware in 2019’), says Kaspersky – in Europe, Germany, Italy and the UK hold the top three places.
But police are overwhelmed with incidents of cyber stalking, say frontline staff, and awareness among therapists and women’s support groups is patchy. It’s difficult for victims to act without alerting the stalker he or she has been rumbled – potentially putting themselves in danger.
Domestic abuse is becoming ever more digital, says Ethan Bennett, spokesperson of a new coalition which aims to raise awareness. This is the Coalition Against Stalkerware – comprising ten companies and organisations and convened to shout about the problem and urge more responsible action from the tech sector. “In retrospect, it was obvious this was going to happen as our lives become more connected,” says Bennett. “Phones, devices, can make people vulnerable, and that’s not going away.”
Formed in November 2019, the coalition, which includes security companies such as Kaspersky, Avira, Malwarebytes and Norton as well as non-profit support groups, is ambitious. “We are trying to tell the world that stalkerware is real,” says Bennett. “But we’re trying to make the sector aware of how they might be contributing, what the impact of their tech is on vulnerable people.”
The coalition is also working to get developers and founders on board. That tech can be so easily manipulated for sinister ends is also a symptom of a lack of diversity and imagination about how it might be abused, Bennett adds. “Tracking capabilities shouldn’t be considered the norm – and we want developers to have this in mind when they are building tools.”
Stalkerware leaves an individual vulnerable in other ways, says Emm. “If your personal data – from call logs through to calendars and contacts as well as private conversations – is being siphoned off a device, you have no idea how secure it then is or how it’s stored.”
Of course individuals should secure their phones and home systems with secure and long passwords, says Emm – the kind of stuff we’re all advised to do but often goes by the wayside in a new relationship. But a phone, he says, should be too personal to make available to anyone, especially in a new relationship. “You might want to resist the temptation to overshare,” he says.
Most stalkerware is installed via the phone itself – and as simply as clicking a link. But even if a user can’t see anything, there may be signs that it’s been tampered with – a phone that overheats or rips through data, or a battery that drains quickly. Reputable antivirus software should flag any dodgy apps – unless it’s been removed. Some apps claim system rights, sometimes even taking complete control of the device and the right to install other apps, and deactivate security.
Domestic violence charities and support networks are careful with their advice – it’s better to go to the police rather than risk alerting the stalker, they say. “Anyone who believes such software has been downloaded onto their phone should stop using it immediately,” the Metropolitan Police said in a statement. And working with the Suzy Lamplugh Trust, named after the estate agent who disappeared in 1986, the Met has helped set up the Stalking Threat Assessment Centre (STAC) – a two-year pilot to help fight stalking and protect victims.
What cyber stalkers do is illegal, says Jo O’Reilly, deputy editor at ProPrivacy. “Gaining access to someone’s computer or smartphone without their knowledge or consent is an offence under the UK’s Computer Misuse Act and can carry a two-year prison sentence.” More could be done, she says, to train police to understand the phenomenon “and the tech behind it”.
Support services could also be more tech-savvy, says Knibbs, who helps train therapists to be more aware of cyber stalking – and victims tend to under-report their fear if they have not been physically threatened.
“More people need to know,” agrees Gemma at Safer Places. “Especially with regard to revenge porn and all that tech around Alexa – people don’t realise how it can be used against them.”
Couldn’t developers ensure that any tracking app notifies the user regularly that they are being tracked, and require them to click for continued consent, asks O’Reilly. Apps could go further still and explain that being tracked against your will is a form of abuse, and give details of where to find help. “These are the types of safeguards which could help ensure apps are only being used legitimately.”
This isn’t going to be easy, however, Bennett explains. “We’re not kidding anyone – we know this is a big commitment. It’s an emerging field of abuse and we want to cut it off before it becomes more prevalent than it is already.”
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.