Beware of Stalkerware

On: September 22, 2019


In our modern age as internet users, our data is constantly being collected and used, location services can easily track us, and websites monitor our presence online. We make ourselves vulnerable to location tracking, information gathering, and privacy infringement daily. Perhaps you already knew that our personal data and behaviors are being used by developers, researchers, and scientists to study social behavior. But what if the person doing the tracking was actually someone you know? What if it was your boss, your best friend, or your spouse?

These apps now have a name: stalkerware. A quick Google search shows a variety of alarming articles, warnings from antivirus companies, and forums with questions from concerned citizens trying to find out if they have an unknown app on their phone.

Stalkerware is broadly defined as spyware (a kind of malware that secretly gathers information about a person) that is meant to intrude into someone’s life. Parsons et al. (2019) note that “…spyware operates as stalkerware when surveillance software sold for ostensibly legitimate purposes (e.g., monitoring young children or employees) is repurposed to facilitate intimate partner violence, abuse, or harassment.” (17)

“Apps used for stalking and covert surveillance, which tread a fine legal line when it comes to data privacy, are hiding on thousands of phones, despite being banned by major app stores”

“Inside the Secretive World of Stalking Apps”, Financial Times 2019

If you’re wondering if this is legal, the answer is that it depends. Certain countries still do not consider these apps to be illegal, and even then, many developers try to work around legal regulations. Their success lies in their ability to market themselves as ‘parental control’ and ‘employee management’ apps. Yerukhimovich et al. (2016) write that, “Currently, many gaps exist between regulation and technology: The two are not adequately paired to provide the desired protections.” (2)

In certain cases, even once the app is detected and shut down, many people have already downloaded it onto their devices. In July, Google Play researchers had been tracking down different stalkerware applications and noticed that some apps “had already been downloaded and installed more than 130,000 times all together” (Cuthbertson).

“Over the past year, more than 58,000 users have detected stalkerware on their phones or tablets with the help of our products alone. Of those, 35,000 had no idea about the stalkerware installed on their devices until our protection solution completed its first scan.”

Kaspersky Labs Blog

Case Study: XNSpy

An example of one of these apps is XNSPY. On their homepage they write: “XNSPY is an all-in-one parental and employee monitoring software that will keep you updated on their activities in real-time, all the time!” This app allows managers, or even fellow employees, parents (and who knows who else!) to track every move that a person makes.

Take a look at their promotional video:

Upon watching this video, the words “are you suspicious?” immediately stood out to me. They try to scare the potential client by noting that “40% of teens have lied to their parents about their whereabouts”, and that “29% of office thefts are idea thefts”. They claim that the software “lets you monitor [multiple devices] secretly” and that it’s a great way to know about someone’s “app activities and whereabouts”.

They note that “XNspy will hide in their phone and secretly record phone logs, emails, IM chats, photos and videos, current location and location history”, which is typical of stalkerware.

Perhaps this app really is being used by managers and parents, but who else is taking advantage of this? Why even insert ‘spy’ into the name of the app? Why would they include key words such as ‘suspicious’, ‘cheating’, ‘hide’, and ‘secret’ in their video?

Upon browsing their website I noticed the disclaimer:

“The buyer of the XNSPY software must either own the smartphone or tablet or must have written consent from their children or employees. It’s illegal to use Xnspy for monitoring digital devices of your spouse, girlfriend/boyfriend, or partner. Failure to do so is likely to result in violation of applicable law and XNSPY will cooperate with the law-enforcing authorities to the full extent. Therefore, it is the responsibility of the buyer to adhere to the local laws of their country or region. The software is only to be used for ethical monitoring purposes.”

I am curious to know if (1) the employees and children have ever provided written consent to anyone (because let’s be honest, who would ever willingly agree to such a thing) and (2) what they consider ‘ethical monitoring purposes’ to be. Can stalking and monitoring someone’s every move ever be ethical?

Stoilova et al. (2019) conducted a study that examined children’s media literacy as well as their understanding of digital devices and privacy. They noted that many studies about “the datafication of childhood” were not conducted recently, which is “an added concern given companies’ fast-evolving practices of data harvesting and profiling” (14). They also noted that although this issue has been studied in the past, there are still various gaps in the research, due to factors such as children’s age, since they are now being increasingly exposed to technology at younger ages. Even if a child or teen does agree to be ‘monitored’ by such a device, it is unclear whether they understand the implications and what they are agreeing to.

Double the danger

It is important to note that these types of apps are not only dangerous to the victim being stalked or ‘monitored’, but also to the person doing the monitoring. Grustniy writes that “[The] apps pass the collected data to the person who installed them… by uploading it to a server where the user can access it and sift through the catch.”

This makes both of the users’ data available to the developers who make the product, meaning that the data is used by at least two unauthorized parties. Furthermore, this implies that someone’s personal location, activity, and even photos could end up in a stranger’s (or scammer’s) hands and risk getting leaked to third parties, or even the public.

If this sounds as scary to you as it is to me, then you have the right to be concerned. There is, however, an important distinction to be made: parental control apps “do not try to hide themselves on the device, or deactivate the antivirus, and they can be found in official marketplaces… Parental control apps, unlike stalkerware, do not pose a threat to their users”, according to Grustniy.

Curiously, I went on the App Store using my iPhone and I noticed that upon searching ‘xnspy’, there are no results, meaning that this is not available to legally download at the moment.


As more and more people use smartphones every year, we are spending more time with our devices, enabling cyberstalking to occur almost effortlessly, as phones become extensions of ourselves. According to a study by eMarketer, “The average US adult will spend 3 hours, 43 minutes on mobile devices in 2019.”

Stalkerware raises various concerns, including regulation, legality, data privacy, children’s data protection, as well as its moral and ethical implications. Yerukhimovich et al. (2016) note the limitations in the field, saying, “We found that although privacy-preserving technology is improving, users’ privacy concerns have not been fully addressed by the technology itself.” (1)

What new laws can governments enact to protect their citizens in our digital world? How is creating these types of applications in any way beneficial for human interaction? How are they affecting mutual trust in friendships, relationships, and the workplace?

Perhaps one solution would be to spend less time with our devices and enjoy more experiences in-person!

Works Cited
