Common Android stalkerware apps are affected by vulnerabilities that could expose the privacy and security of the victims.
Mobile stalkerware, also known as spouseware, is used by a stalker to spy on a victim. The app can collect GPS location, spy on conversations, access browser history, images, and other sensitive data stored on the device.
This type of software has become very popular in the last few years. The apps, which can easily be found online, are mostly advertised by their developers as a solution to protect children, but they offer spyware features that can also be abused by a third party.
According to ESET researchers, who analyzed 86 Android stalkerware apps, over 150 security vulnerabilities were discovered in 58 of them, which further expose the victims to other privacy and security risks.
The researchers manually analyzed 86 stalkerware apps for the Android platform, provided by 86 different vendors. A person who installs and remotely monitors or controls stalkerware is defined as a stalker, whereas a victim is the targeted person that a stalker spies on using the stalkerware. An attacker is a third party of whom neither the stalker nor the victim is usually aware. An attacker can exploit security issues or privacy flaws in the stalkerware itself or in its associated monitoring services.
The flaws could be exploited by an attacker to take control of the victim's device, and they could also be used against the victim by uploading fabricated evidence.
The researchers reported the flaws to the affected vendors under their 90-day coordinated disclosure policy. As of now, only six vendors have addressed the issues, seven more plan to fix them, and in one case a vendor decided not to fix the reported issues at all.
The most common issues include the insecure (cleartext) transmission of victims' PII and the storage of sensitive data on external media, where any other app with storage permission can read it.
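The two weakness classes named above can be triaged statically from an app's decoded manifest and network security config before any dynamic analysis. The following Python script is an added example, not code from ESET's research or from any of the analyzed apps; the manifest and config it reads are constructed samples, the package name and domain are made up, and a flagged permission or flag is only a signal to inspect further, not proof that victim data is actually leaked.

```python
"""Heuristic triage for cleartext traffic and external-storage use in an
Android app, from its decoded AndroidManifest.xml and (optional)
res/xml/network_security_config.xml. Added example with constructed
sample inputs; the package name and domain below are fictitious."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions that let the app write to shared external storage, which other
# apps holding READ_EXTERNAL_STORAGE can read (pre-scoped-storage behaviour).
EXTERNAL_STORAGE_PERMS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _cleartext_from_config(config_xml, default_permitted):
    """Return domains for which cleartext HTTP is permitted ('*' = everything).

    A network security config takes precedence over android:usesCleartextTraffic.
    Only explicit cleartextTrafficPermitted="true" is flagged per domain-config;
    base-config falls back to the platform default when the attribute is absent.
    """
    allowed = []
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    base_flag = base.get("cleartextTrafficPermitted") if base is not None else None
    if base_flag == "true" or (base_flag is None and default_permitted):
        allowed.append("*")
    for dc in root.iter("domain-config"):  # iter() also covers nested entries
        if dc.get("cleartextTrafficPermitted") == "true":
            allowed.extend(d.text.strip() for d in dc.findall("domain") if d.text)
    return allowed


def audit(manifest_xml, network_config_xml=None):
    """Return a list of (finding_code, detail) tuples for the given app."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # targetSdkVersion defaults to 1 when <uses-sdk> is absent.
    target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    # Platform default: cleartext allowed when targeting API 27 or lower.
    default_cleartext = target_sdk < 28

    # 1. Insecure transmission: can the app talk plain HTTP at all?
    if network_config_xml is not None:
        for dom in _cleartext_from_config(network_config_xml, default_cleartext):
            findings.append(("CLEARTEXT_ALLOWED", dom))
    else:
        flag = _attr(app, "usesCleartextTraffic")
        if flag == "true" or (flag is None and default_cleartext):
            findings.append(("CLEARTEXT_ALLOWED", "*"))

    # 2. Storage on external media: shared storage is readable by other apps.
    for up in root.findall("uses-permission"):
        name = _attr(up, "name")
        if name in EXTERNAL_STORAGE_PERMS:
            findings.append(("EXTERNAL_STORAGE_PERM", name))
    if _attr(app, "requestLegacyExternalStorage") == "true":
        # Opts out of scoped storage on API 29, restoring broad shared access.
        findings.append(("LEGACY_EXTERNAL_STORAGE", "requestLegacyExternalStorage=true"))
    return findings


# Constructed sample: a monitoring app that opts into cleartext for its API
# host and writes to legacy external storage (fictitious package and domain).
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.monitor">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Monitor" android:requestLegacyExternalStorage="true"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>""" % ANDROID_NS

SAMPLE_NETCONFIG = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.invalid</domain>
  </domain-config>
</network-security-config>"""

# Constructed hardened counterpart: HTTPS only, app-private storage only.
HARDENED_MANIFEST = """<manifest xmlns:android="%s" package="com.example.monitor">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Monitor"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>""" % ANDROID_NS

HARDENED_NETCONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_MANIFEST, SAMPLE_NETCONFIG):
        print("%-24s %s" % (code, detail))
    print("hardened findings:", audit(HARDENED_MANIFEST, HARDENED_NETCONFIG))
```

Run against apktool output (`apktool d app.apk`, then read `AndroidManifest.xml` and the file named by `android:networkSecurityConfig`); a clean result here does not rule out leaks through other channels, so a finding is a starting point for traffic capture and file-system inspection on a test device.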
The researchers concluded that this research should be taken as a warning to prospective users of stalkerware to reconsider using such software against their spouses and loved ones: it is not only unethical, but it may also expose the private and intimate information of those spouses and leave them at risk of cyberattacks and fraud.
It is also risky for the stalker, since there is often a close relationship between stalker and victim, so the stalker's own private information could be exposed as well.