Priya (name changed), 16, first approached the eProtect Foundation (an NGO for cybercrime prevention) on the verge of a mental breakdown. She told the support team that her phone had been bugged for two months by her ex-boyfriend. Her ex wanted to find out if she was talking to any other men post the break up. He discovered that Priya had been talking to a man, who she says was a friend. In retaliation, the ex-boyfriend accessed her nude photographs from her phone gallery using stalkerware, and started blackmailing her.
Our phones know a lot more about us than our friends and family. Smartphones also retain more information about ourselves than our minds, so that even if something fades from our memory, it stays on the phone.
But what if someone could see everything that goes on in your phone – read all your messages, scroll through your gallery, contacts, listen to your calls, access your camera – flip to the front or back camera according to their mood, track each and every move you make while sitting in the comfort of their homes?
That is exactly what happens if a stalkerware is planted on your phone. The most unsettling part is that stalkware functions so inconspicuously that you wouldn’t even realise if you were being spied on — and it’s a growing problem. This July, Avast Antivirus reported a 20 percent rise in use of stalkerware apps in India during lockdown.
This isn’t a new phenomenon, but today our phones are an indispensable part of our lives. In India and around the world, many women face a torrent of digital abuse. The good news is that it’s possible to reclaim privacy by making some changes to your technology use. It is an unfair imposition on the victim that they have to take additional precautions, but the problem is that many of the tools being used are actually very useful and have helped even more people, so simply banning the tools wouldn’t be a solution.
Why makes stalkerware more dangerous than other malwares?
Stalkerware describes the way an app is used, and not necessarily how it was intended to function, according to Canadian researchers CitizenLab, which became a household name in 2018 after uncovering the Pegasus spyware, which was used to track activists, journalists, and other people around the world. This means that benign and useful tools that can be misused, such as Find my iPhone (or Find my Device for Android) also count as stalkerware, as they could be used to surveil a person.
Researchers say that the most common users of stalkerware are domestic violence abusers, who load these programmes onto their partner’s computer or mobile device without their knowledge. “Stalkerware has been around for quite a long time, it is just that it got the label ‘stalkerware’ recently,” says Vineeth Kumar, Founder and President, Cyber Peace Foundation, a civil society organisation and cybersecurity think tank based in Jharkhand. Kumar says that his organisation acts as a civil society first responder to the victims of cyber crime. Cyber Peace Foundation is a member of the Coalition Against Stalkerware, a global alliance fighting against stalkerware abuse.
US-based National Public Radio surveyed 70 domestic violence shelters across the US and found out that 85 percent of the shelters were working directly with victims whose abusers tracked them using GPS. A whopping 75 percent were working with victims whose abusers eavesdropped on their conversation remotely, using hidden mobile apps. Domestic abuse via stalkerware is a growing global concern.
Avast is another member of the Coalition Against Stalkerware. Ondrej David, Malware Analysis Team Leader of Avast, says, “We have always recognised personal privacy as a particularly important aspect of people’s digital lives and as such we have always fought against traditional threats such as Spyware, misuse of Remote Access Tools and Information Stealing threats. In the past few years, however, a new market of accessible commercial spyware has emerged.”
“Stalkerware, though technically not illegal in many countries, is certainly viewed by us as unethical and harmful for people’s privacy… There has been a general interest in this topic for the past few years in the security community, which culminated in founding the Coalition Against Stalkerware last year, which we now are a proud member of,” he says.
Malware like stalkerware is commercially sold, making it easier for the predator to purchase it and install it on the phone of the target. This can be done remotely, embedded in links or GIFs or other attachments that seem harmless, Kumar from the Cyber Peace Foundation said.
“From my experience, stalkerware is capable of spying on SMS, record phone calls and surroundings, contact list, location, intercept all user input text (keylogger), spy on sent/ received messages from WhatsApp, Viber, Facebook, Instagram, remotely lock devices and change pins for older Android devices, wipe data,” says Lukas Stefanko, a reverse engineering expert and malware analyst at ESET, an Internet security company in Slovakia.
“These files are most of the time sent to the server of the stalkerware service provider and are accessible to the predator via his credentials in the admin panel. This admin panel is accessible through a web interface, so data can be obtained either through a desktop or smartphone. Besides sending victim’s data to the admin panel of predator, in some stalkerwares, I analysed it was possible to send them directly to their email address,” he adds.
India has a few online websites selling stalkerware apps online. These are often advertised as spywares that can be used to protect your children. Universeindia.in sells Android spyware apps for almost Rs. 15,000. Upon inquiring about the product, they sent us a step by step instruction on how to safely install the stalkerware to the target phone. When asked if it was legal, they instead assured us that it is “hidden in the target phone, don’t worry.” UniversIndia.in also says to use it “only in family.”
Spymarket.in, says that there were a lot of customers for the product including people buying it to spy on their wives. They declined to comment when asked about the legal aspect of it. Both the online stores do not sell spywares for iOS devices, and cited ‘security issues’ as the reason.
What can you do about it?
In Priya’s case, her ex-boyfriend’s first demand was that she pay a small ransom, which she paid off. The abuse didn’t stop here. He then started trying to force her to sleep with a friend of his. He threatened to make her photographs public otherwise. That is when she finally approached the Foundation.
The support team at the NGO took a verbal report from her and then checked her phone. They traced the base of the predator to Singapore. Priya confirmed that her ex-boyfriend was in Singapore. The team got in touch with the man on her behalf. He confessed to installing stalkerware on her phone. The family didn’t file a formal complaint. They didn’t want the burden of a social stigma on their heads.
Kumar says, “People do not find it comfortable going to the police station. This is due to the stigma associated with such cases. Stalkerware are mostly deployed by our spouses or intimate partners and this makes people more hesitant to move ahead with a formal complaint.”
Instead, better personal security is the answer he finds most useful. Many of us don’t install an antivirus but it can alert you to unwanted programs, he says. Apps like Avast and Kaspersky include privacy alert features that can help with this. He adds that people shouldn’t share their phones and should avoid using third-party apps where possible.
The IT team of Cyber Peace Foundation strongly recommends avoiding ‘jail-breaking’. Apple users often jailbreak iPhones and iPads to install programmes that are not available through Apple’s channels. However jailbreaking often increases the risk of malware infection.
Filing a formal complaint
In case you find yourself being spied on without your consent and want to file a complaint against it here is how you can go about it :
Register a written complaint with the cyber crime cell of the city you are currently in. A cyber crime complaint can be registered with any of the cyber cells in India, irrespective of the place where it was originally committed. The support team of the eProtect Foundation says that anonymity is assured to victims if they ask for it.
A police officer is bound to record a Zero FIR from the complainant, which will then be forwarded to the police station under the jurisdiction of the place where the offense was committed.