Privacy Please is an ongoing series exploring the ways privacy is violated in the modern world, and what can be done about it.
The digital window to your soul might just have a Peeping Tom.
Say hello to stalkerware, a noxious class of software designed to surreptitiously run in the background of smartphones. Its purpose is to keep tabs on everything you do, then report it back to whoever decided to spy on the most intimate and personal details of your life.
As smartphones further entrench themselves in our daily lives, the amount of information we both knowingly and unknowingly entrust to these devices likewise grows. This has, in many respects, been a boon — albeit not exclusively to the people we have in mind.
“Stalkerware is especially pernicious because it is such a rich source of information,” explained the Electronic Frontier Foundation’s director of cybersecurity Eva Galperin over encrypted chat. “Stalkerware can track your location, record your phone calls and text messages, steal the passwords to the social media accounts you log into through your phone, reveal your contacts, your photos, your emails, and even your end-to-end encrypted communications.”
And the threat is real. Anti-virus company Kaspersky Lab reports that, in 2018, it found stalkerware on 58,487 mobile devices.
As you might expect, journalists and activists are often the target of such attacks. However, that doesn’t mean your average person has nothing to worry about. Far from it, in fact.
Galperin made clear that the use of stalkerware goes hand in hand with modern-day domestic abuse.
“Like other forms of domestic abuse, the use of stalkerware on phones affects people from all walks of life,” she wrote. “I have been contacted by men being spied on by women, men being spied on by men, and women being spied on by women, but the majority of cases that I see are of women whose phones are being spied on by a partner or a former partner, who is usually a man.”
While this is a particularly modern concern, it is not necessarily a new one. For a brief stroll down a terrifying stalkerware memory lane, one can look to the great reporting done by Motherboard on the topic. Be warned, it’s not a pretty sight.
Clearly, this is a serious problem with real-world consequences. Thankfully, there’s something you can do to protect yourself.
How to check your phone for stalkerware
Stalkerware is designed to run undetected by the victim. Finding such a program on your phone, then, is the first step toward addressing the personal violation and safety risk it poses.
But how to do that? Patrick Wardle, security researcher at Jamf and founder of Objective-See, explained that the easiest way to prevent stalkerware from being installed on your phone is to keep it locked and out of others’ hands.
“Generally, it [is] really hard to install stalkerware on a mobile device [without] physical access … so step 1 is to make [sure] your device is protected against this,” he explained over Twitter direct message. “For example, having a passcode. (That you don’t share!)”
While this is great advice in general, life isn’t always that straightforward. After all, if you’re in an abusive relationship with someone controlling enough to install such monitoring software on your phone, that person may also demand access to your device.
That doesn’t mean you’re helpless, though. If you have a phone running Android, you can scan it for stalkerware with an anti-virus tool from Kaspersky Lab. If there’s a hit, the anti-virus program will alert you.
“We believe users have a right to know if such a program is installed on their device,” explained Kaspersky Lab researcher Alexey Firsh in an April press release. “Our new alert will help them to do that and assess the risk properly.”
It’s not just phones running Android that are at risk, of course — your iPhone is just as exciting a target for those looking to spy on you.
“For iOS,” explained Wardle, “if there is stalkerware installed it might show up as an app you don’t recognize, or maybe even a malicious ‘profile.’”
To check for stalkerware on your iPhone, go to Settings > General > Profiles & Device Management. If you don’t see the last option, it means there’s not a mobile device management profile installed on your phone (this is a good thing). If you do see it, investigate what the profile is by clicking “More Details.”
There should be a “Remove Management” option in the settings, as well.
“Of course,” added Wardle, “[it’s] worth noting that organizationally owned devices or BYOD devices that have company information on them may have MDM profiles installed and this is expected, not concerning.”
If you’re looking for a deep dive on stalkerware, security researcher Ivan Rodriguez breaks down the various types and ways it can be installed on your phone in a great blog post. He includes several tips for keeping your smartphone clear: keep it up to date, enable 2FA on your iCloud account, and if someone randomly gives you a new phone as a gift, consider performing a full restore.
Over Twitter direct message, he explained how the average person can check for signs of stalkerware on their phone. While clarifying that his research focuses on iOS devices, he noted that some of the advice applies to Android phones as well.
“Identifying if your device has stalkerware installed on an iOS device is very difficult,” wrote Rodriguez, “even for security professionals because there’s no easy way to search for modifications within the device and Apple doesn’t allow antivirus apps on the App Store.”
He suggested paying close attention to the following: “From one day to another, the device’s battery doesn’t last as long,” “keyboard keys have some ‘lag’ when tapping (Like a letter’s animation getting stuck),” the “device runs out of space quickly,” or “the location services ‘arrow’ is on all the time.”
In general, Rodriguez has an exceptionally low opinion of those who create and distribute stalkerware.
“This industry is fucked up,” he wrote in his blog post, “and everyone providing these services are one of the worst people on this planet.”
Hopefully, you’ll never find yourself being digitally spied on with stalkerware or any other form of invasive tech. But the reality is that this does happen to people, and there’s nothing wrong with taking an extra moment to make sure the blinds on that digital window to your soul are drawn tight.
UPDATE: Sept. 24, 2019, 11:33 a.m. PDT: This story has been updated to include additional information from Patrick Wardle about MDM profiles.
This story was originally published in September 2019 and updated in August 2021.