Stalkerware is technically software with malicious intent, but security professionals should treat it as a different beast from other malware.

Stalkerware is an app or apps that someone else can install on your device to intercept text messages and phone calls, send call logs, record web browsing activity and keystrokes and even access your location. And stalkerware — a tool often associated with abuse and domestic violence — can be a risk to enterprise data and security in general. Given the difficult nature of detecting stalkerware, and the risk of retaliation by abusers, what can an employer do to protect their employees as well as their company’s data?

How is Stalkerware Unique?

Stalkerware isn’t usually thought of as a major risk to an enterprise. However, it should be considered a serious threat because it can extract sensitive data from an individual or an enterprise without their consent or knowledge. Plus, anyone with access to commercially available spyware can engage in stalkerware activities.

Stalkerware isn’t as clearly defined as other traditional forms of malware, such as phishing, and it is difficult to detect. Confusion over the legality of stalkerware has also made it difficult to prosecute, partially because there is no steadfast, legitimate way to obtain forensic evidence that it is happening. Abuse and harassment are hazier from a legal perspective, and what counts as breaking the law can differ from one jurisdiction to the next. Proving harm based on these offenses in a court of law can be a much more difficult task than proving harm in the case of financial crimes.

Adding to the problem, victims are frequently blamed for being a target of abuse.

Shades of Grayware

With the blurry legal lines around abuse and harassment, what counts as stalkerware is equally fuzzy. Many of the tools abusers use to control their victims are hijacked accounts and legitimate software. This activity isn’t something you can detect with traditional anti-malware software. As an employer, there is little you can do to identify or protect employees from this.

Misuse of legitimate software is not the only way abusers can spy on victims through their devices. Applications that straddle the border of legitimacy are considered tools rather than weapons. This grayware is often detected as potentially unwanted software by anti-malware vendors.

Many of these stalkerware apps are advertised as services for ‘employee monitoring.’ Because personal monitoring software is not illegal in most jurisdictions, it’s very easy to find apps that market themselves in this way. And it’s not just shadowy corners of the web where you can find these things; a quick internet search shows how easily they can be found on the official Apple and Google app stores.

Detection of these ‘potentially unwanted’ stalkerware apps can be difficult. Users need to turn on specific settings on their devices that are not enabled by default in order for anti-malware software to flag them. Confusingly, as this Wired post notes, some anti-malware software refers to items detected with these settings as ‘not a virus’ or something similarly ambiguous. This vague wording may lead people to ignore the warning.

Listen to Employees

How best to protect employees and company data from this can differ depending on whether or not the company has provided the device. More than anything, it’s critical to remember that this is a very personal and possibly violent crime. The safety of your employee is the ultimate goal.

Remember, it’s not the victim’s fault they were targeted. The abuser may have forced or coerced them into sharing their password, or into giving them access to the compromised device. Asking a victim to do security training is not going to correct this, as it is not a lack of knowledge that caused the problem.

Questions to Ask If You Find Stalkerware

Whereas with regular malware you can simply remove or quarantine a malicious file, with stalkerware you’ll need to take a more hands-on approach. What should happen next will depend on the answer to a couple of questions:

Is it the employee’s device or the company’s?

If the device was provided by your company, you can proactively prevent some stalkerware installation by allowing only pre-approved software. If stalkerware is detected on a company device, you’ll still need to talk with the employee about what you’ve found. You may wish to offer the option of a replacement device that has been locked down to prevent re-infection, keeping the affected device powered down and in a safe place.

If the device belongs to your employee, you must speak with the employee before performing removal actions. Listen carefully to them, and work with them to find a safe and secure way to proceed.

Is the detection before or after installation?

If the detection was before installation, you can safely quarantine the file. Keep in mind that this file and the detection logs may be considered evidence that must be kept if the victim chooses to pursue legal action.

If the detection was after installation, whether or not it was on a company device, you need to speak with the employee in person first. Do not notify them in a way that could be intercepted on the compromised device. If the employee feels that removing the stalkerware app may put them in greater danger, do not remove it without their permission.

While you may be worried about the risks to data security posed by stalkerware, these are minor compared with the physical safety risk to the person being targeted. It’s possible to work with your employee to address these concerns in a way that protects their safety as well.
