Stalkerware is technically software with malicious intent, but security professionals should treat it as a different beast from other malware.

Stalkerware is an app, or a set of apps, that someone else installs on your device to intercept text messages and phone calls, exfiltrate call logs, record web browsing and keystrokes, and track your location. Although it is most often associated with abuse and domestic violence, stalkerware is also a risk to enterprise data and to security in general. Given how hard it is to detect, and the risk of retaliation by an abuser once it is found, what can an employer do to protect both their employees and their company's data?

How is Stalkerware Unique?

Stalkerware isn't usually thought of as a major enterprise risk, but it deserves to be: it extracts sensitive data from an individual, and potentially from the organization they work for, without consent or knowledge. And because it is sold as commercial spyware, anyone who can buy it can use it.

Stalkerware isn't as clearly defined as the traditional categories of malware, and it is difficult to detect. Confusion over the legality of stalkerware has also made it difficult to prosecute, partly because there is no established, legally recognized way to obtain forensic evidence that it is happening. Abuse and harassment are hazier from a legal perspective, and what counts as breaking the law differs from one jurisdiction to the next. Proving harm in these cases in a court of law can be far harder than proving harm in a financial crime.

Adding to the problem, victims are frequently blamed for being a target of abuse.

Shades of Grayware

With the legal lines around abuse and harassment this blurry, what counts as stalkerware is equally fuzzy. Many of the tools abusers use to control their victims are not malware at all: hijacked accounts and legitimate software turned against its owner. Traditional anti-malware software cannot detect this kind of activity, and as an employer there is little you can do technically to identify it or to protect employees from it.

Misuse of legitimate software is not the only way abusers spy on victims through their devices. Applications that straddle the line of legitimacy are treated as tools rather than weapons. This grayware is often flagged as potentially unwanted software by anti-malware vendors.

Many of these stalkerware apps are advertised as ‘employee monitoring’ services. Because personal monitoring software is not illegal in most jurisdictions, apps that market themselves this way are easy to find, and not only in shadowy corners of the web: a quick internet search shows how readily they turn up on the official Apple and Google app stores.

Detecting these ‘potentially unwanted’ stalkerware apps can be difficult. Users need to turn on specific settings on their devices, settings that are not enabled by default, before anti-malware software will flag them. Confusingly, as a Wired article has noted, some anti-malware products label items detected under these settings as ‘not a virus’ or something similarly ambiguous. That vague wording invites people to ignore the warning.
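
The practical consequence for a security team is that these detections have to be triaged deliberately rather than filtered out by severity. The following is an added example, not code from the original article or from any anti-malware vendor: it parses a constructed detection log (the key=value format, host names, user names and detection names are all made up for illustration) and surfaces every hit whose name carries a grayware marker such as ‘not-a-virus’, ‘PUA’ or ‘Monitor’, regardless of whether the scanner's own verdict was ‘ignored’ or ‘informational’. The marker list is an assumption for the example, not an authoritative vendor taxonomy.

```python
"""Triage anti-malware detection logs so that 'not-a-virus' / PUA / monitoring
detections are surfaced as possible stalkerware instead of being dismissed.

Added example: the log format, host names and detection names below are
constructed for illustration and do not come from any particular product.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Substrings that commercial scanners commonly use in detection names for
# monitoring tools and other "potentially unwanted" software. This list is an
# assumption for the example, not an authoritative vendor taxonomy.
GRAYWARE_MARKERS = ("not-a-virus", "monitor", "pua", "pup", "riskware", "stalkerware")

# Constructed key=value log format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"verdict=(?P<verdict>\S+) name=(?P<name>\S+) path=(?P<path>.+)$"
)

# Constructed sample lines. Note the 'ignored' / 'informational' verdicts on the
# grayware hits: that is how an operator ends up never looking at them.
SAMPLE_LOG = r"""
2023-03-01 09:14:02 host=phone-jdoe user=jdoe verdict=ignored name=not-a-virus:HEUR:Monitor.AndroidOS.Agent.a path=/data/app/com.example.sync/base.apk
2023-03-01 09:15:40 host=laptop-17 user=asmith verdict=quarantined name=Trojan.GenericKD.1234 path=C:\Users\asmith\Downloads\invoice.exe
2023-03-01 09:16:11 host=phone-jdoe user=jdoe verdict=informational name=PUA:Android/TrackerTool path=/data/app/com.example.locate/base.apk
2023-03-01 09:17:00 scanner heartbeat, not a detection record
2023-03-01 09:18:05 host=laptop-22 user=jdoe verdict=quarantined name=Riskware.Win32.KeyLogger.gen path=C:\ProgramData\svc\hook.dll
"""


@dataclass
class Detection:
    ts: str
    host: str
    user: str
    verdict: str
    name: str
    path: str
    category: str  # "stalkerware-candidate" or "malware"


def classify(name: str) -> str:
    """Map a detection name to a triage category using the grayware markers."""
    lowered = name.lower()
    if any(marker in lowered for marker in GRAYWARE_MARKERS):
        return "stalkerware-candidate"
    return "malware"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that are not detection records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    return Detection(category=classify(fields["name"]), **fields)


def triage(log_text: str) -> List[Detection]:
    """Parse every line, skipping blanks and non-detection lines."""
    records = []
    for line in log_text.splitlines():
        det = parse_line(line)
        if det is not None:
            records.append(det)
    return records


def stalkerware_candidates(log_text: str) -> List[Detection]:
    """Grayware hits regardless of verdict: 'ignored' and 'informational'
    detections are exactly the ones that get overlooked, so they are kept."""
    return [d for d in triage(log_text) if d.category == "stalkerware-candidate"]


def by_user(log_text: str) -> Dict[str, List[Detection]]:
    """Group candidate detections by user so repeated hits across a person's
    devices (phone and laptop) show up together."""
    grouped: Dict[str, List[Detection]] = {}
    for d in stalkerware_candidates(log_text):
        grouped.setdefault(d.user, []).append(d)
    return grouped


if __name__ == "__main__":
    for user, hits in by_user(SAMPLE_LOG).items():
        print(f"{user}: {len(hits)} possible stalkerware detection(s)")
        for h in hits:
            print(f"  {h.ts} {h.host} verdict={h.verdict} {h.name}")
```

Grouping by user rather than by host is deliberate: a monitoring app on a phone and a keylogger on the same person's laptop are one incident, and seeing them together is what turns an ‘informational’ line into something a human follows up on, in the careful, in-person way the rest of this article describes.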

Listen to Employees 

How best to protect employees and company data differs depending on whether the company provided the device. More than anything, remember that this is a very personal and possibly violent crime. The safety of your employee is the ultimate goal.

Remember, it is not the victim's fault they were targeted. The abuser may have forced or coerced them into sharing a password or handing over access to the device. Sending the victim to security training will not correct this, because a lack of knowledge is not what caused the problem.

Questions to Ask If You Find Stalkerware

Whereas with regular malware you can simply remove or quarantine a malicious file, stalkerware calls for a more hands-on approach. What should happen next depends on the answers to two questions:

Is it the employee’s device or the company’s?

If the device was provided by your company, you can prevent some stalkerware installations proactively by enforcing an allowlist of approved software. If stalkerware is detected on a company device, you still need to talk with the employee about what you have found. You may wish to offer a replacement device that has been locked down to prevent re-infection, keeping the affected device powered down and in a safe place. Before powering it down, check with whoever may later perform a forensic examination: a modern phone that has been switched off returns to a locked, before-first-unlock state, which can make evidence extraction harder.

If the device belongs to your employee, you must speak with the employee before performing removal actions. Listen carefully to them, and work with them to find a safe and secure way to proceed. 

Is the detection before or after installation?

If the detection happened before installation, you can safely quarantine the file. Keep in mind that the file and the detection logs may be evidence that must be preserved if the victim chooses to pursue legal action.
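
Preserving that evidence means, at minimum, being able to show later that the quarantined file and the logs are the ones you collected and have not changed since. The following is an added example, not code from the original article: it hashes each artifact, records who collected what and when in a JSON manifest, and re-verifies the artifacts on demand. The file names and contents are constructed for illustration, and the procedure is a way to keep evidence intact, not a substitute for the collection process of whoever will actually present it (legal counsel or law enforcement).

```python
"""Preserve a quarantined file and its detection logs as evidence: hash every
artifact, write a manifest, and later check that nothing has been altered.

Added example: file names and contents are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large artifacts do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: List[str], collected_by: str) -> Dict:
    """Record who collected what, when, and each artifact's size and hash."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "artifacts": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_of_file(p)}
            for p in paths
        ],
    }


def write_manifest(manifest: Dict, out_path: str) -> str:
    """Write the manifest and return its own hash, to be recorded out of band
    (e.g. in the incident ticket) so the manifest cannot be silently edited."""
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_of_file(out_path)


def verify_manifest(manifest: Dict) -> List[Tuple[str, str]]:
    """Return (path, problem) for every artifact that is missing or modified."""
    problems = []
    for art in manifest["artifacts"]:
        if not os.path.exists(art["path"]):
            problems.append((art["path"], "missing"))
        elif sha256_of_file(art["path"]) != art["sha256"]:
            problems.append((art["path"], "modified"))
    return problems


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Build constructed artifacts in a temp dir, verify them, then simulate
    someone appending to the log; returns the results before and after."""
    with tempfile.TemporaryDirectory() as workdir:
        quarantined = os.path.join(workdir, "quarantine", "sync.apk.bin")
        detections = os.path.join(workdir, "detections.log")
        os.makedirs(os.path.dirname(quarantined))
        with open(quarantined, "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder, not a real APK\n")
        with open(detections, "w", encoding="utf-8") as f:
            f.write("2023-03-01 09:14:02 verdict=ignored name=not-a-virus:HEUR:Monitor.AndroidOS.Agent.a\n")

        manifest = build_manifest([quarantined, detections], "it-security@example.invalid")
        manifest_hash = write_manifest(manifest, os.path.join(workdir, "manifest.json"))
        assert len(manifest_hash) == 64  # hex SHA-256

        before = verify_manifest(manifest)
        with open(detections, "a", encoding="utf-8") as f:
            f.write("2023-03-02 10:00:00 note added after collection\n")
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before or "all artifacts intact")
    print("after tamper:", after)
```

The manifest's own hash is returned rather than stored next to the files on purpose: written into the ticket or a separate system, it lets you show that neither the artifacts nor the record of them was altered between collection and whenever the victim decides to act.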

If the detection happened after installation, whether or not it is a company device, speak with the employee in person first. Do not notify them by email, text or any other channel that could be read on the compromised device. If the employee feels that removing the stalkerware app may put them in greater danger, do not remove it without their permission.

While you may be worried about the data-security risks of stalkerware, they are minor compared with the physical safety risk to the person being targeted. It is possible to work with your employee to address those concerns in a way that also protects their safety.
