Fifty years ago, Cold War spy tradecraft required ingenious, purpose-built spy technologies. These included tiny cameras that photographed through button-holes on microfilm, which were useful for taking pictures of paper documents, tiny microphones that had to be installed in landline telephone receivers or lamps for recording secret conversations, invisible ink — you name it.

Spying was hard. Spies back then couldn’t imagine how easy it would become in the year 2020 thanks to stalkerware and smartphones. They wouldn’t believe that every person would carry in their pocket or purse a connected device that tracks the owner’s location at all times, contains a microphone and camera and transmits nearly all of the owner’s communications. Best of all, the sensors can be remotely activated so all the data can be transmitted to a spy.

In fact, spying is so easy today that anybody can do it. Just download an app, install it on a target’s phone and harvest gigabytes of data. It’s so easy that people are spying on their spouses, ex-partners and even strangers.

Except this kind of spying isn’t called spying. It’s called stalking. And any stalker can just download spying software designed to snoop and track. Stalkerware apps can track one’s location, record audio through the phone’s microphone, copy and transmit text messages, send call logs, record web browsing activity, record keystrokes and more — and all of it can occur without the phone user’s knowledge.

Although this category of spying has been around for many years, news reports are on the rise for two reasons: First, the use of this invasive software is growing worldwide, and second, it’s part of a rising public conversation around domestic abuse.

What’s missing from this important conversation — and from many plans designed to counteract stalking software — is the risk to enterprise data and security in general. In fact, stalkerware is often not considered a major risk to enterprises, and that’s one of the reasons it’s such a big risk. It’s not taken seriously enough or considered a major threat.

How Many Stalkerware Apps Are Even Out There?

No reliable count of the total number of stalkerware apps available on app stores has been published. The most conservative estimate is “dozens” of individual products. Counting is difficult because the apps fall into several different categories.

Some perfectly legitimate, useful and necessary apps can become stalkerware if they are abused. For example, with physical access to a smartphone, it’s possible for a stalker to turn all kinds of apps into spy apps. A malicious person could share the location of that smartphone with themselves — through Apple’s Find My Phone or Google Maps, for example. Simply stealing a user’s passwords could give access to cloud services ranging from email to text messages to voice mail to photos. In other words, digital stalking doesn’t require malicious software, just malicious intent and access to a phone and passwords. Any app that collects personal data could be weaponized by stalkers.

Other apps, which are designed to spy, can also be used for legitimate purposes. Apps designed to help parents monitor and control their kids’ smartphone use (and behavior in general) are widely available. Some of these let parents set location or app-use boundaries so they are notified when kids cross the line. These parental control apps can be abused by stalkers for spying on other adults.

As we continue our slide down this slippery slope, we come to non-legitimate stalkerware apps that justify their spying features by claiming (often only in the fine print on the company website) that they’re for parental control, employee monitoring or some other ostensibly legitimate use.

A 2018 Cornell University study determined that most apps of this kind available on app stores are ostensibly “dual use” apps. They’re marketed as child-monitoring or anti-theft apps, but they can be used for spying and stalking as well, which can make banning them more difficult.

Some of these apps require that the phone be jailbroken, and a victim may be carrying a jailbroken phone without knowing that the device has been tampered with. Regardless of which category of software a compromised app fits into, its use as a stalking and spying platform is always meant to be hidden from the victim.

After years of stalkerware use and abuse, government agencies are starting to take action against the most egregious companies. The problem is that these companies were allowed to continue operating with minor changes that didn’t prevent their apps from functioning as malicious spy software.

The bottom line is that the threat is real and growing.

Why Stalkerware Is a Threat to the Enterprise

The larger the organization, the more likely it is that some of its employees are carrying phones containing stalkerware. There are two fundamental ways that current stalkerware tools can be used to threaten enterprise data that organizations must recognize.

The first is directly spying on a company. Forget about the intent of stalkerware and look at the effect — it’s the ultimate industrial espionage tool if the person targeted has access to the right company secrets. Or, it can be used to gather data for social engineering hacks.

If a malicious actor can get their hands on the smartphone of someone in your organization who is privy to sensitive company information — say, at a conference or in a hotel room while the person is traveling on business — they may be able to harvest incredible amounts of data by monitoring communications and capturing keystrokes, as well as by listening in on meetings and conversations.

The second may be incidental, but it can be just as damaging. Again, forget about the intent and focus on the effect: Stalkerware can harvest all kinds of data from inside a company and then shuttle it off to an insecure server.

Let’s say an employee is victimized by stalkerware placed on a device by a spouse or a complete stranger. All the data harvested by the stalkerware is transferred to remote cloud servers to enable access by the perpetrator. Then, the shoddy security provided by the app maker can allow the information to be hacked, stolen or put up for sale on the dark web. From there, it can be used as fodder for social engineering, or the data could be used directly for industrial espionage, blackmail or other malicious acts.

How to Combat the Stalkerware Threat

One essential tactic that’s necessary to protect a business from this threat is monitoring outside connections with a unified endpoint management (UEM) solution. Robust training and education must play a major part in protecting against stalkerware as well. Employees should be advised and trained to:

  • Never leave their smartphones unattended
  • Always delete unused apps
  • Regularly search for suspicious apps and activity on phones
  • Use a quality password manager and never share passwords with anyone
  • Change their smartphone passcodes frequently

Above all, don’t make the mistake of thinking that the scourge of stalkerware doesn’t concern your organization. It does, and it needs to be addressed proactively.
