Stalkerware and targeted digital surveillance: what it is and what strategies can we use to look out for one another collectively

“This violence is intersectional and may be accompanied by other forms of violence. A person can be physically followed, stalked, or spied on for subsequent threats. It all comes together. A holistic vision is needed to approach this work and undertake a risk assessment that tries to detect digital signals or others,” Marla from Interseclab remarked in the Feminist learning Circle: "Stalkerware and targeted digital surveillance: what it is and what strategies can we use to look out for one another collectively." Marla is a Brazilian researcher specialized in cybersecurity and founder/director of InterSecLab, a transfeminist digital forensics laboratory for civil society focused on Latin America.

In this forum, organized by Dominemos la Tecnología, in which around 30 activists took part, we learned concepts related to stalkerware, often referred to as “cyberstalking” or “stalker virus.” As we saw, attacks of this kind are characterized by the diversity of forms they may take (in different apps and devices, through human intervention, or by installing code on our phones) and how hard it can be to identify, which often occurs when the problem is already among us.

These observations were shared by Marla, who coordinated the laboratory for threats MariaLab and worked as a cybersecurity analyst in partnership with Access Now and CitizenLab on incident response projects to support civil society in Brazil. She also took part in the Amnesty International Security Lab Digital Forensics Fellowship: “What I want to say is that sometimes we fail to see the digital traces of this kind of violence because this kind of tools are engineered to evade all forms of detection. But at times in everyday interactions a former partner may mention thing they had no other means of knowing, contact you at inappropriate times, or approach you directly and in person aided by information they have obtained by means of digital surveillance.”
 

Stalkerware in the first person

In the Feminist Learning Circle one of the first questions participants focused on involves red flags that may lead us to suspect that something unusual is happening on our phones. But, attention! Such red flags are often related not only to technology but also to aspects of our relationships in which sensitive manifestations such as a lack of trust, lying, or constant suspicion regarding one’s affairs, among other emotional stratagems, come into play.

“Usually, when we realize something is out of place, when we feel threatened, our first reaction is to hit delete, to eliminate the threat we have identified on our phones. I understand that but in such cases it’s not advisable as the first step to take. What I recommend is to make a backup of the compromised device, make a backup copy of your data. Because if the attacker, the stalker, the state actor already has you data and you don’t have a backup it unquestionably puts you at a disadvantage,” Marla explains.

“So once they (stalker, state) have your data, it’s also theirs to use and normally there’s nothing you can do about it. And your first reaction might be to delete an extra app. But I would advise against that. First switch your phone to airplane mode, disabling its internet connection so it can’t send out any more data, and make a backup of the device, a copy of all that, a secure copy of all your data, and contact IntersecLab or other organizations that can help address the issue."

In the Circle, questions were raised about how to know what can be considered normal or abnormal on cell phones, like detecting an obstacle that presents greater apparent difficulty. “Usually, identification is not so direct or simple, especially when you look into processes. At times the response to a highly complex attack is quite simple; you just turn off your phone if you suspect that you’re being monitored. Be aware that what matters to you, what you want to protect, should not be discussed near your cell phone. Because if it is actually compromised, you need to create a safe space to avoid such threats.”
 

Identifying the context in which stalkerware grows

As we have seen in the article (https://dominemoslatecnologia.net/es/blog/acecho-en-internet-hablemos-d…) by Anais Cordova Paez, the phenomenon of cyberstalking is a complex subject. In this case, Marla also took time to expand the meaning of what we refer to simply as “stalkerware.” “This phenomenon also includes targeted surveillance, mass surveillance, which may be exercised by the state, may have monetary goals, or may be deployed against activists, and usually is used exclusively by companies. Therefore, forensics should always be part of any investigation to detect the tools governments use in such cases and identify how those tools work and establish traceability in the field.”

This is a problem we face on a daily basis, which is why meeting in a circle with transfeminist activists from Latin America is a fantastic opportunity. As the facilitator observes “We need to discuss how we have experienced these attacks and how we can address them going forward, because it is not simple, it is not easy, but I think the answer is in collective defense. Because we are talking about the meaning of digital surveillance, which may be sponsored by the state, or by companies, or by individuals, as we have seen with former partners, for example, or certain hate groups. And that includes monitoring online activities, data harvesting, and use of technology for spying or to engage in espionage.”
 

How do devices infected with stalkerware work?

“Usually, stalkerware takes the form of applications; it is important to state that it is deployed as apps. It is important to clarify this because some spyware, especially that used for espionage, is not concealed in apps, but is totally binary, making it even harder to detect its presence. But in the case that concerns us here there will be an application, and that will make it somewhat easier to identify”.

In general, use of such apps is seen in contexts of domestic violence as a means of control and monitoring without the victim’s consent, both in domestic settings, for example, with domestic violence against a partner, by current and former partners, and also linked to parental control. In some cases, people take advantage of media campaigns with slogans like “find out what your children are doing to protect them.” They are also sold as tools for monitoring employees from a company, because they have various uses, but “they all imply a power structure,” Marla affirms.

In the cases IntersecLab investigated in Brazil, we investigated the stalkerware app known as Web Detective. This app can be used to record calls, audio, notifications, and images without the victim’s knowledge, and because it uses a very common web technology it can go totally unnoticed and evade detection. It has a keylogger that allows it to also record whatever the user is entering at the time. Among its other functions, it can spy on Instagram, WhatsApp, and Facebook; it can also track your location, record your phone calls, everything entered in your browser history, changes made, photos, audio files, and your phone’s live screen. It can be installed on Android devices only and installation requires physical access to the victim’s device.

InterSecLab also analyzed the app Celular007, a stalkerware variant distributed as Soundy Apk, an Android app extension complete documentation for which is published here. “When the app, with the name Soundy Apk, is downloaded, it appears as a utility related to audio, for example, but the fact is it is performing surveillance.”

The app has different ways of concealing itself, not only from the person being spied on but also to obstruct forensic analysis. It can also conceal its functions and it was difficult even to identify the servers it sends data to. The app’s primary functions are: location monitoring, real time tracking, call recording, audio calls, access to messages for reading and sending copies of SMS to a remote server, screenshots of the device display and camera, and data transmission, and the data collected is sent to a server controlled by the stalker. The operative mechanism is a second level process that is not open on the user’s device, is unseen, works silently, is invisible to the user, and communicates with remote servers. It works with WebRTC, which is a peer-to-peer communication system, without the need for intermediate servers. It connects two devices in real time, and in this context can be used to send sensitive data undetected. Because the technology it uses is very common in video calls, it goes unnoticed by casual users and therein lies the key to its social engineering component.
 

What to do? Interpret signs and take action

Here we share some tips to start changing how we look at our devices and be more alert to their general functions.

Use of data: Firstly, users are advised to pay attention to unknown apps and excessive data consumption. For example, you might find a clock and see that the alarm shows excessive data usage, which could be caused by an anomaly, an operating system error, or a tracker.

Other causes for suspicion include repeated authorizations for Wi-Fi access, to receive SMS, or access to your accounts. All of these are fairly obvious and can help to identify anomalous situations.

It is also helpful to take a more general view; at times we need to investigate an app more thoroughly to see what it really does and know how to investigate app features, and we’ll see how to do that to identify a trace (sic).

App permissions: Usually apps will request permissions; they will request many, sensitive permissions, and for such apps will usually ask for administrator privileges on your device and on your cell phone. You can also check who has administrator privileges in settings under security and linked accounts; if you find an unfamiliar account linked to your device something is amiss.

Google Play Protect: is a setting you should check and make sure it has not been disabled without your knowledge. But it is not the only indication that you may be being spied on.

Security notifications are also important, and because invasive apps will try to block notifications, we should be alert to notifications because they may help to detect something unusual.

Parameters: In general, we need to have parameters, for example: What is a normal battery level and what is excessive? To detect them, permissions to install other apps, camera, microphone, SMS, and calls are always the most sensitive points. You need to see what apps have administrative privileges; in Android, for example, you should check for unknown apps with admin permissions and administrator accounts. In iOS there is no direct equivalent but you can check installed profiles in general settings to check your device or review security settings.

Accessibility services: check what apps have access and permissions on your phone, for example accessibility allows an app to perform actions that a casual user would not ordinarily have access to. This is why apps seek to exploit these spaces, because accessibility can allow them to track keystrokes to unlock an accessibility service. So, if in an installed app, its purported functions have nothing to do with an accessibility service we should consider it suspect because it is requesting a function it does not need. The rule of thumb: If you see extensive authorizations but you are unfamiliar with the app you should distrust it, but it always need to investigate further.
 

Stalkerware, like phishing but not the same!

To date, there are no well documented or reported cases of stalkerware being installed remotely through phishing directly, as seen with more sophisticated spyware like Pegasus. Usually, stalkerware is physically installed on the victim’s device by someone with access to the phone, such as a current or former partner, or using social engineering techniques where the victim is induced to install a malicious app thinking it is inoffensive.

Phishing can be used to induce a victim to download and install malicious apps, but that usually requires the victim to actively complete the installation procedure, granting the permissions the stalkerware needs to operate. Unlike advanced spyware that can exploit vulnerabilities for a silent installation, stalkerware usually relies on a conscious action on the part of the victim, like clicking on a link and following installation instructions.

“One case I worked on,” Marla shared, “involved finding a remote access app installed on a victim’s phone without their knowledge. The app remained on the device for almost two years, allowing the stalker to access the victim’s data periodically. After a device update, the app was automatically disconnected, exposing the email address used by the stalker. Although we did not find clear proof of remote installation, the possibility was not completely ruled out. However, considering all the circumstances, the most likely hypothesis is that the app was installed physically.”

Another case Marla commented on involved the installation of a malicious app through social engineering, where the stalker posed as a bank employee and induced the victim to install the app. Although in this case the primary motive was financial theft, it also illustrates how malicious apps can be installed without the victim’s knowledge.

In view of these scenarios, the best means of protecting oneself against stalkerware and other threats is to adopt preventive measures:

• Restrict physical access to devices and accounts: avoid leaving devices unattended, especially in situations of conflict or rupture in a relationship.
• Establish clear agreements regarding privacy and security with partners: avoiding normalization of exchanging access in couples is fundamental. That includes an open conversation about the importance of privacy.
• Recognize signs of suspicious behavior in current or former partners: signs of possible monitoring include:
• Revealing unexpected knowledge of your activities or private conversations without your having shared such information.
• Insistence on having access to your phone or computer, even after the relationship has ended.
• Controlling behavior, such as demanding to know where you are all the time or with whom you are speaking.
• Identify technical signs of possible compromise:
• Unknown apps installed on your device: Check the list of installed apps regularly and be suspicious of any app you don’t recognize.
• Excessive permissions granted to apps: A calculator app, for example, should not need access to your microphone or your location.
• Unusual security notifications: Pay attention to system security notifications alerting you to suspicious behaviors.
• Unknown devices connected to your accounts: Check if there are unknown devices connected to you Google or Apple account.
• Abnormal battery consumption or overheating: Although these signs may indicate common problems, such as hardware failures or device age, they may also be indicative of stalkerware, especially if they appear suddenly.
   

Look out for one another collectively: how to do it?

Based on its experience, IntersecLab offers to provide technical and scientific support to strengthen protection of human rights in the digital space and protect people subject to surveillance. In this context, they provide support with forensic digital analysis [and] investigation of devices suspected of being compromised by surveillance, which may be cell phones but not only cell phones, since stalkerware can also be deployed on computers and networks depending on each case.

“It is not self-defense but collective -or pack- defense is the most important response. To strengthen the autonomy of Latin America and the transfeminist and feminist movement surrounding these sensitive issues that demand an approach with a transfeminist perspective because, regrettably, the support currently available in this area is headed by men. Yes, and many people are uncomfortable sharing this kind of information with them. Because it involves sensitive matters. And it’s not just a technical issue but one that affects people’s lives, affecting their personal phones or devices they may use for both their personal affairs and their activism. For these reasons, we strive to find ways to do this work that offers people ways to protect other areas and not just the technical part, and not merely determine if a device is infected, but do so based on who is experiencing such a situation.”