When Stalkerware Stalks the Enterprise

December 3, 2019
| |
4 min read

Fifty years ago, Cold War spy tradecraft required ingenious, purpose-built spy technologies. These included tiny cameras that photographed through button-holes on microfilm, which were useful for taking pictures of paper documents, tiny microphones that had to be installed in landline telephone receivers or lamps for recording secret conversations, invisible ink — you name it.

Spying was hard. Spies back then couldn’t imagine how easy it would become in the year 2020 thanks to stalkerware and smartphones. They wouldn’t believe that every person would carry in their pocket or purse a connected device that tracks the owner’s location at all times, contains a microphone and camera and transmits nearly all of the owner’s communications. Best of all, the sensors can be remotely activated so all the data can be transmitted to a spy.

In fact, spying is so easy today that anybody can do it. Just download an app, install it on a target’s phone and harvest gigabytes of data. It’s so easy that people are spying on their spouses, ex-partners and even strangers.

Except this kind of spying isn’t called spying. It’s called stalking. And any stalker can just download spying software designed to snoop and track. Stalkerware apps can track one’s location, record audio through the phone’s microphone, copy and transmit text messages, send call logs, record web browsing activity, record keystrokes and more — and all of it can occur without the phone user’s knowledge.

Although this category of spying has been around for many years, news reports are on the rise for two reasons: First, the use of this invasive software is growing worldwide, and second, it’s part of a rising public conversation around domestic abuse.

What’s missing from this important conversation — and from many plans designed to counteract stalking software — is the risk to enterprise data and security in general. In fact, stalkerware is often not considered a major risk to enterprises, and that’s one of the reasons it’s such a big risk. It’s not taken seriously enough or considered a major threat.

How Many Stalkerware Apps Are Even Out There?

No reliable count of the total number of stalkerware apps available on app stores has been published. The most conservative estimate is “dozens” of individual products. The reason for this is that the apps fall into different categories.

Some perfectly legitimate, useful and necessary apps can become stalkerware if they are abused. For example, with physical access to a smartphone, it’s possible for a stalker to turn all kinds of apps into spy apps. A malicious person could share the location of that smartphone with themselves — through Apple’s Find My Phone or Google Maps, for example. Simply stealing a user’s passwords could give access to cloud services ranging from email to text messages to voice mail to photos. In other words, digital stalking doesn’t require malicious software, just malicious intent and access to a phone and passwords. Any app that collects personal data could be weaponized by stalkers.

Other apps, which are designed to spy, can also be used for legitimate purposes. Apps designed to help parents monitor and control their kids’ smartphone use (and behavior in general) are widely available. Some of these let parents set location or app-use boundaries so they are notified when kids cross the line. These parental control apps can be abused by stalkers for spying on other adults.

As we continue our slide down this slippery slope, we come to non-legitimate stalkerware apps that justify their spying features by claiming (often only in the fine print on the company website) that they’re for parental control, employee monitoring or some other ostensibly legitimate use.

A 2018 Cornell University study determined that most apps of this kind available on app stores are ostensibly “dual use” apps. They’re marketed as child-monitoring or anti-theft apps, but they can be used for spying and stalking as well, which can make banning them more difficult.

Some of these apps require that the phone be jailbroken. Users may be using a jailbroken phone without knowing a breach has occurred. Regardless of which category of software a compromised app fits into, its use as a stalking and spying platform is always meant to be hidden from the victim.

After years of stalkerware use and abuse, government agencies are starting to take action against the most egregious companies. The problem is that these companies were allowed to continue operating with minor changes that didn’t prevent their apps from functioning as malicious spy software.

The bottom line is that the threat is real and growing.

Why Stalkerware Is a Threat to the Enterprise

The larger the organization, the more likely it is that some of its employees are carrying phones containing stalkerware. There are two fundamental ways that current stalkerware tools can be used to threaten enterprise data that organizations must recognize.

The first is directly spying on a company. Forget about the intent of stalkerware and look at the effect — it’s the ultimate industrial espionage tool if the person targeted has access to the right company secrets. Or, it can be used to gather data for social engineering hacks.

If a malicious actor can get their hands on the smartphone of someone in your organization who is privy to sensitive company information — say, at a conference or in a hotel room while the person is traveling on business — they may be able to harvest incredible amounts of data by monitoring communications and capturing keystrokes, as well as by listening in on meetings and conversations.

The second may be incidental, but it can be just as damaging. Again, forget about the intent and focus on the effect: Stalkerware can harvest all kinds of data from inside a company and then shuttle it off to an insecure server.

Let’s say an employee is victimized by stalkerware placed on a device by a spouse or a complete stranger. All the data harvested by the stalkerware is transferred to remote cloud servers to enable access by the perpetrator. Then, the shoddy security provided by the app maker can allow the information to be hacked, stolen or put up for sale on the dark web. From there, it can be used as fodder for social engineering, or the data could be used directly for industrial espionage, blackmail or other malicious acts.

How to Combat the Stalkerware Threat

One essential tactic that’s necessary to protect a business from this threat is monitoring outside connections with a unified endpoint management (UEM) solution. Robust training and education must play a major part in protecting against stalkerware as well. Employees should be advised and trained to:

  • Never leave their smartphones unattended
  • Always delete unused apps
  • Regularly search for suspicious apps and activity on phones
  • Use a quality password manager and never share passwords with anyone
  • Change their smartphone pass codes frequently

Above all, don’t make the mistake of thinking that the scourge of stalkerware doesn’t concern your organization. It does, and it needs to be addressed proactively.

Mike Elgan

I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...
read more