Stalkerware vulnerabilities endanger both victims and stalkers
Mobile stalkerware, software that a stalker silently installs on a victim's mobile device without the victim's knowledge, is on the rise, ESET Research finds. ESET telemetry recorded almost five times as many Android stalkerware detections in 2019 as in 2018, and almost 1.5 times as many in 2020 as in 2019. In addition, ESET Research has discovered serious vulnerabilities in Android stalkerware apps and in their monitoring servers that, if exploited, could have a severe impact on the people involved. “Security: The Hidden Cost of Android Stalkerware” was presented on May 17, 2021, by ESET researcher Lukáš Štefanko from 11:20 to 12:00 PDT (20:20 to 21:00 CEST).
To stay under the radar and avoid being flagged as stalkerware, vendors in many cases promote their apps as providing protection for children, employees, or women, yet the word “spy” appears many times on their websites. “Searching for these tools online isn’t difficult at all; you don’t have to browse underground websites,” explains Štefanko.
ESET researchers manually analyzed 86 stalkerware apps for the Android platform, each from a different vendor. This analysis identified many serious security and privacy issues that could allow a third party, an attacker, to take control of a victim’s device, take over a stalker’s account, intercept a victim’s data, frame a victim by uploading fabricated evidence, or achieve remote code execution on a victim’s smartphone. Across 58 of these Android applications, ESET discovered a total of 158 security and privacy issues that can have a serious impact on a victim; even the stalker and the app’s vendor may be at some risk.
Among the most prevalent issues were insecure transmission of users’ personally identifiable information; storage of sensitive information on external media, where any app with storage permission can read it; exposure of sensitive user information to unauthorized users; leaks of stalkerware clients’ information from the monitoring server; and unauthorized data transmission from the device to the server.
“Following our 90-day coordinated vulnerability disclosure policy, we repeatedly reported these issues to the affected vendors. Unfortunately, to this day, only six vendors have fixed the issues we reported in their apps,” says Štefanko.