Stalkerware is technically software with malicious intent, but security professionals should treat it as a different beast from other malware.
Stalkerware is an app or apps that someone else can install on your device to intercept text messages and phone calls, send call logs, record web browsing activity and keystrokes and even access your location. And stalkerware — a tool often associated with abuse and domestic violence — can be a risk to enterprise data and security in general. Given the difficult nature of detecting stalkerware, and the risk of retaliation by abusers, what can an employer do to protect their employees as well as their company’s data?
How is Stalkerware Unique?
Stalkerware isn’t usually thought of as a major risk to an enterprise. However, it is considered a major threat because it can extract sensitive data from an individual or an enterprise without their consent or knowledge. Plus, anyone with access to commercially available spyware can partake in stalkerware activities.
Stalkerware isn’t as clearly defined as other traditional forms of malware, such as phishing, and, it is difficult to detect. Confusion over the legality of stalkerware has also made it difficult to prosecute, partially because there is no steadfast, legitimate way to obtain forensic evidence that it is happening. Abuse and harassment are hazier from a legal perspective, and what counts as breaking the law can differ from one jurisdiction to the next. Proving harm based on these in a court of law can be a much more difficult task than proving harm in the case of financial crimes.
Adding to the problem, victims are frequently blamed for being a target of abuse.
Shades of Grayware
With the blurry legal lines around abuse and harassment, what counts as stalkerware is equally fuzzy. Many of the tools abusers use to control their victims are hijacked accounts and legitimate software. This activity isn’t something you can detect with traditional anti-malware software. As an employer, there is little you can do to identify or protect employees from this.
Misuse of legitimate software is not the only way abusers can spy on victims through their devices. Applications that straddle the border of being legitimate are considered tools rather than weapons. This grayware is often detected as potentially unwanted software by anti-malware vendors.
Many of these stalkerware apps are advertised as services for ’employee monitoring.’ Because personal monitoring software is not illegal in most jurisdictions, it’s very easy to find apps that market themselves in this way. And it’s not just shadowy corners of the web where you can find these things; a quick internet search shows how easily they can be found on the official Apple and Google app stores.
Detection of these ‘potentially unwanted’ stalkerware apps can be difficult. Users need to turn on specific settings on their devices that are not enabled by default in order for malware to flag them. Confusingly, as this Wired post notes, some anti-malware software refers to items detected with these settings as ‘not a virus’ or something similarly ambiguous. This vague wording may lead people to ignore the warning.
Listen to Employees
How best to protect employees and company data from this can differ depending on whether or not the company has provided the device. More than anything, it’s critical to remember that this is a very personal and possibly violent crime. The safety of your employee is the ultimate goal.
Remember, it’s not the victim’s fault they were targeted. The abuser may have forced or coerced them into sharing their password, or into giving them access to the compromised device. Asking a victim to do security training is not going to correct this, as it is not a lack of knowledge that caused the problem.
Questions to Ask If You Find Stalkerware
Whereas with regular malware you can simply remove or quarantine a malicious file, with stalkerware you’ll need to take a more hands-on approach. What should happen next will depend on the answer to a couple of questions:
Is it the employee’s device or the company’s?
If the device was provided by your company, you can proactively prevent some stalkerware installation by allowing only pre-approved software. If stalkerware is detected on a company device, you’ll still need to talk with the employee about what you’ve found. You may wish to offer the option of a replacement device that has been locked down to prevent re-infection, keeping the affected device powered down and in a safe place.
If the device belongs to your employee, you must speak with the employee before performing removal actions. Listen carefully to them, and work with them to find a safe and secure way to proceed.
Is the detection before or after installation?
If the detection was before installation, you can safely quarantine the file. Keep in mind that this file and detection logs may be considered evidence that must be kept if the victim chooses to pursue legal action.
If the detection was after installation, whether or not it was on a company device, you need to speak with the employee in person first. Do not notify them in a way that could be intercepted on the compromised device. If the employee feels that removing the stalkerware app may put them in greater danger, do not remove it without their permission.
While you may be worried about the risks to data security with regards to stalkerware, this is minor compared with the physical safety risk to the person being targeted. It’s possible to work with your employee to address these concerns in a way that protects their safety as well.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She watched as the internet grew from small, loc...