OVER THE LAST year, Eva Galperin says she’s learned the signs: the survivors of domestic abuse who come to her describing how their tormentors seem to know everyone they’ve called, texted, and even what they discussed in their most private conversations. How their abusers seem to know where they’ve been and sometimes even turn up at those locations to menace them. How they flaunt photos mysteriously obtained from the victim’s phone, sometimes using them for harassment or blackmail. And how none of the usual remedies to suspected hacking—changing passwords, setting up two-factor authentication—seem to help.
The reason those fixes don’t work, in these cases, is because the abuser has deeply compromised the victim’s phone itself. The stalker doesn’t have to be a skilled hacker; they just need easily accessible consumer spyware and an opportunity to install it on their target’s device. An entire industry of that so-called spouseware, or stalkerware, has grown in recent years, one that Galperin argues represents a deeply underestimated scourge of digital privacy.
“Full access to someone’s phone is essentially full access to someone’s mind,” says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. “The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge.”
Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she’s calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She’ll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn’t allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she’ll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. “It would be nice to see some of these companies shut down,” she says. “It would be nice to see some people go to jail.”
Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it’s far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing “not a virus” message, as it has for most breeds of stalkerware in the past, Kaspersky’s software will now show its users an unmistakeable “privacy alert” for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.
Galperin, who has been working directly with stalkerware victims, sees the Moscow-based firm’s move as raising the bar for the entire security industry. Once one company begins to call out consumer spyware as a full-fledged security threat, she argues, competition will drive the other antivirus firms to meet that standard. The result, she hopes, will be a broader remedy to a security industry that has long underestimated stalkerware—often because security researchers don’t count spy tools that require full access to a device as “real” hacking, despite domestic abusers in controlling relationships having exactly that sort of physical access to a partner’s phone.
“Stalkerware is considered beneath the interest of most security researchers,” Galperin says. “Changing norms takes time. But it starts with someone standing up and saying this is not OK, this is not acceptable, this is spying.”
A Creepware Crackdown
Within the notoriously shoddy Android antivirus market, the numbers bear out the negligence of stalkerware that Galperin points to: A study last year by researchers at Cornell Tech, New York University, and the University of Washington looked at 70 known Android stalkerware apps and found that antivirus failed to detect a significant portion of those not found in the Google Play Store. Among well-known antivirus products, McAfee antivirus did the best job of those in the study, missing 10 percent of the apps; most others missed 25 to 40 percent. ESET, an otherwise reputable antivirus product, missed 85 percent. Google also allows some surveillance apps—often advertised as for tracking kids or stolen phones—in the Play Store itself; antivirus apps flagged virtually none of them.
“The whole industry hasn’t been looking at these apps seriously enough,” says Alexey Firsh, a malware analyst for Kaspersky who worked on the company’s new approach to consumer spyware. “Some pose as parent control or antitheft, but at the same time you see this software grabs all your browser history. That’s not normal, and it’s not OK.”
Some in the security industry might look askance at Kaspersky’s new anti-stalkerware evangelism. Kaspersky has faced accusations for years that it has ties to Russian intelligence agencies, which the company denies. The US banned Kaspersky software from official federal government use last year. But Galperin points out that fighting stalkerware is one situation where Kaspersky’s alleged Kremlin ties aren’t relevant. The Kaspersky users who worry about domestic abuser spying are rarely the same ones concerned with Russian intelligence.
“It’s really about modeling your threat. Most victims of domestic violence don’t work for the NSA or the US government,” she says. But she also sees Kaspersky’s move as a lever she can use to apply pressure to the company’s US competitors. “I recommend American antivirus companies catch up, so I can recommend them instead. Get up and do it yourself.”
Hands-On With Hacking Victims
Galperin set off on this mission a year ago, when she discovered that a security researcher she knew personally—one who she declines to name—had secretly sexually abused a string of women. In at least one case, Galperin says, the abuser had threatened to hack a victim’s devices as a means of control. With a series of revelatory investigative articles on stalkerware by the tech news site Motherboard in the back of her mind, she posted a message to Twitter: It invited any victims of sexual violence who had also been threatened with hacking to contact her for help.
If you are a woman who has been sexually abused by a hacker who threatened to compromise your devices, contact me and I will make sure they are properly examined.16.3K4:31 PM – Jan 28, 2018Twitter Ads info and privacy9,651 people are talking about this
That tweet, to Galperin’s surprise, would end up taking over a significant portion of her life. It was retweeted nearly 10,000 times. Hundreds of domestic abuse victims, who either believed or feared their computers or phone might be hacked, contacted her over the months that followed. Galperin estimates that since then, she has devoted about a quarter of her work time to acting as a kind of one-woman IT help desk and therapist, assisting people in everything from checking phones for spyware to changing passwords to even checking out a Nest camera one victim believed was being used to spy on her. “I’ve called companies on their behalf. I‘ve helped them find attorneys,” Galperin says. “I’ve sat there and held their hand and told them that everything is going to be OK.”
Galperin found that actual stalkerware was installed on a victim’s phone in only a small fraction of those cases; far more common were hacked accounts, or threats of hacking that never materialized. But stalkerware cases were often the most extreme, she says.
“The stories don’t start with ‘my phone is acting weird,'” says Dave Maass, another staffer for EFF’s Threat Lab, who at one point helped Galperin sort through the flood of requests. “They start with ‘someone beat me up, or raped me, or threatened my children.’ Horrendous stories. Having the emotional fortitude to hear these stories, to probe them, is one of Eva’s real strengths.”
But within months, Galperin could tell that her work as a hands-on stalkerware first responder wouldn’t scale. So she began looking for a different approach. “I looked at the entire problem, and I tried to think about what could create the most bang for the buck,” she says. “If a victim can run antivirus and say ‘you’re not on my phone,’ that would mean a lot.”