Android stalkerware may be even more dangerous than thought

Kaspersky Report on Stalkerware
(Image credit: Kaspersky)

In addition to tracking users without their knowledge, stalkerware apps on Android smartphones also contain serious security and privacy issues, according to new research from ESET.

Based on the security firm's telemetry, stalkerware apps have become increasingly popular over the last few years. For instance, ESET observed almost five times more Android stalkerware detections in 2019 than in the previous year, and 2020 saw a 48 percent increase in the number of these apps installed on users' devices.

In order to avoid being flagged as stalkerware, these apps are often promoted online as employee monitoring software or as parental control software. However, the developers behind these apps often use the word “spy” on their websites to let potential stalkers know their real purpose.

As stalkerware can track the GPS location of a victim's device along with their conversations, images, browser history and more, ESET decided to forensically analyze how these apps protect the data they collect on users.

Riddled with vulnerabilities

To compile data for its new whitepaper, which will be released at this year's RSA conference, ESET manually analyzed 86 stalkerware apps from 86 different vendors.

Across 58 of the Android stalkerware apps it analyzed, the firm found 158 security and privacy issues. These can have a serious impact on a victim, though the stalker and even the developers of these apps could also be at risk. ESET discovered that an attacker could exploit these vulnerabilities to take control of a victim's device, take over a stalker's account, intercept victim data, achieve remote code execution on a victim's smartphone and even frame a victim by uploading fabricated evidence.

ESET repeatedly reported these privacy and security issues to the affected vendors, but only six of them have fixed the issues in their apps. Seven have promised to fix the issues in an upcoming update, while 44 of the vendors have not even replied.

In a new blog post, ESET malware analyst Lukas Stefanko explained how the company's research into stalkerware apps could dissuade potential stalkers from installing them on a victim's phone in the first place, saying:

“The research should serve as a warning to potential future clients of stalkerware to reconsider using software against their spouses and loved ones, since not only is it unethical, but also might result in revealing the private and intimate information of their spouses and leave them at risk of cyberattacks and fraud. Since there could be a close relationship between stalker and victim, the stalker’s private information could also be exposed.”

Stalkerware apps are not only unethical: because of the vulnerabilities they often contain, both stalkers and victims could have their personal information exposed online and used by hackers to launch attacks against them.


After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.