Stalkers Get a New Weapon: Stalkerware 2.0

“Stalking is when two people go for a long romantic walk together, but only one of them knows about it.”

Stalking, in many places, is a crime. But it is not a crime to install stalkerware on someone’s smartphone. Why is this? Because no developer ever names such applications ‘stalkerware’. Naming them as such would not get them onto major app sites. Instead, such software is marketed as ‘child surveillance/parental control’ software or ‘employee monitoring’ software. In truth, both of these do more or less the same thing as stalkerware. It’s all just a matter of degree and intent.

Spyware is another type of nefarious surveillance software. The difference between spyware and stalkerware is that stalkerware is focused on following the actions of one targeted individual. Spyware generally targets groups of people such as journalists or political dissidents. It also lacks the emotional connection to the target that stalkerware almost always has.

There are bigger differences between spyware and child surveillance software. Spyware is installed remotely, using time-tested hacking vectors, and the devices it controls are managed remotely. Spyware wants to remain hidden from the user of the compromised device and it makes a great effort to do so. Child surveillance and employee monitoring software usually show up as an icon on the target device, so it is not hidden, even though it is usually not accessible to the device owner.

Almost all legal monitoring software must be physically installed on the device. Stalkerware, too, requires that the person installing it must have access to the target phone. This, of course, means that they must know the phone’s password or other authentication data. However, there are ways someone could be fooled into downloading and installing stalkerware on their phone. Nobody is better at social engineering than someone who knows you well.

You have to pay for good stalkerware. FlexiSPY, one of the best known stalkerware kits, has prices ranging from $29.95 a month to $199 for three months. Basically, if you want to record phone calls, web calls, make video recordings, or use the compromised device’s camera, you need the higher priced package. Here is what you get for the price.

[Image: FlexiSPY package feature list]

It’s hard to imagine wanting anything more. In the final analysis, the stalker has full control of the target phone. They can see everything their target does, follow their movements, and even capture all of their passwords.

But it gets worse. To really get control of a device, you need to root it (called ‘jailbreaking’ for iOS devices). Rooting a device gives the user full control over all apps, even those that come pre-installed on the device and that cannot normally be removed. Once a user gains such control, they become a ‘superuser’. There is, in fact, an app called SuperSU that helps with all of this. Still, bad rooting can destroy your phone or void the warranty. But, don’t worry. FlexiSPY will take care of that for you. If you have control of the target device, they will remotely root it for you for $49.99. Rooting the phone will usually leave a visible SuperSU icon on the phone, which could alert the target that something was wrong. FlexiSpy will remove this icon. They will also manipulate phone logs so that no reference to FlexiSPY will be found. Keep in mind that if you want all the services listed above, the phone needs to be rooted.

In addition to all of the above, FlexiSPY will give you a dashboard for your own mobile device through which you can monitor all activity on the target phone. No longer would you need a computer for this, although that option is still available.

You might think that this is as far as any stalkerware could go, but, unfortunately, it’s not. Kaspersky Labs has just discovered a new type of stalkerware which raises cyberstalking to the next level. They have named this malware MonitorMinor. The name comes from the actual name of the app, which positions itself as child surveillance software: Monitor Minor.

[Image: Monitor Minor]

Monitor Minor has the unique ability to compromise any app that is using the Accessibility Services API. This is the service that allows messages and other information to be read aloud. If an app, such as WhatsApp, uses this service, Monitor Minor can compromise it, without rooting the device. With this app, the stalker can see or hear what is happening when messenger, video conferencing, and many more apps that use Accessibility Services API are being used by the target. Here are a few listed on the rather confusing Monitor Minor website. They seem, perhaps justifiably, to be quite proud of their exploitation of the Accessibility Services API and their ability to compromise apps without rooting.

[Image: messenger apps listed on the Monitor Minor website]
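A defender-side triage check for the Accessibility Services point above, written as an added example that is not from the article, from Kaspersky, or from any of the products named here: it parses the output of `adb shell settings get secure enabled_accessibility_services` and flags every package holding accessibility rights that is not on an allowlist. The allowlist, the sample output and the package name com.example.constructed.monitor are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): triage the output of
#   adb shell settings get secure enabled_accessibility_services
# and flag every accessibility service whose package is not on an allowlist.
# An app holding accessibility rights it has no accessibility reason to hold is
# exactly the route the article says Monitor Minor uses to read other apps
# without root, so this list is worth reviewing on a phone you suspect.

# Constructed allowlist of packages expected to hold accessibility rights.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample of the settings output: entries are separated by ':'
# and written as package/service-class. The second entry is a made-up name.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.constructed.monitor/.svc.AccessSvc'

# is_allowed PKG -> exit status 0 if PKG is on the allowlist, 1 otherwise.
# A case pattern is used so the check does not depend on the caller's IFS.
is_allowed() {
  case " $ALLOWED_PKGS " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# flag_services "<settings output>" -> prints each package that holds
# accessibility rights but is not allowlisted, one per line.
# Exit status 0 if nothing was flagged, 1 if at least one package was.
flag_services() {
  # 'settings get' prints the literal word null when no service is enabled.
  [ "$1" = "null" ] && return 0
  flagged=0
  old_ifs=$IFS
  IFS=':'
  for svc in $1; do
    pkg=${svc%%/*}          # keep the package part of package/class
    [ -z "$pkg" ] && continue
    if ! is_allowed "$pkg"; then
      echo "$pkg"
      flagged=1
    fi
  done
  IFS=$old_ifs
  return $flagged
}

# Stand-alone run against the constructed sample. On a real device, replace
# SAMPLE_SERVICES with the actual output of the adb command named above.
found=$(flag_services "$SAMPLE_SERVICES") || true
if [ -n "$found" ]; then
  printf 'packages holding accessibility rights that are not allowlisted:\n%s\n' "$found"
else
  echo "no unexpected accessibility services"
fi
```

Anything flagged is not proof of stalkerware, only a package whose accessibility rights deserve a look in Settings, where the service can also be switched off.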

If the targeted device is rooted, Monitor Minor has even more power. It will change the system partition to read-write, copy itself onto the partition, and then change it back to read only. At this point, it cannot be removed with normal tools.

For the purposes of this discussion, here’s a very basic look at how an Android phone boots up.

  • The bootloader loads
  • The bootloader initiates the compressed kernel
  • The kernel decompresses
  • The kernel loads the system partition
  • The system partition loads the Android framework and pre-installed apps.

Now, most antivirus apps are loaded after the system partition loads, which means that they will not detect MonitorMinor. MonitorMinor, in fact, will bypass all of your phone’s security architecture. A phone with MonitorMinor installed will always be transmitting information to a stalker, as long as the stalker pays the monthly subscription fees.

Only deep level security architecture, such as Inzero System’s TwinBoard which actually creates two phones out of one at the pre-kernel level, can keep stalkerware from taking control of a device. Some bootloaders may be susceptible to rooting but others are locked. However, few users are interested in installing a new operating system. They just want more control over the apps that they use.

Be careful about installing any surveillance app not found on the major app stores. The names for nefarious apps are often changed. Monitor Minor appears to be connected to other apps, according to their website. These are Xmobile pro, Selfspy Mobile, and Wiretap.

[Images: Xmobile pro, Selfspy Mobile and Wiretap]

There is also a free monitoring app called Safe Minor which looks suspiciously like Monitor Minor, though it may just be trying to benefit from Monitor Minor’s success.

[Image: Safe Minor alongside Monitor Minor]

As of this writing, it was still available on Google Play.

[Image: Safe Minor listing on Google Play]

It’s possible that the developers of Monitor Minor are just testing the waters to see what it takes to bypass Google Play’s filtering algorithms.

Most stalkerware still requires the stalker to have access to the victim’s phone or tablet. They must know the device’s password or other authentication data, such as patterns. If the stalker knows the target well, they might be able to see what these are through simple observation. They then usually wait for the target to leave the phone unguarded. It usually doesn’t take very long to install the stalkerware. The victim may never know that stalkerware like FlexiSPY or Monitor Minor has been installed on their phone.

However, if your phone suddenly ‘lights up’ for no reason, if it seems to be draining the battery faster than usual, if there are unknown apps installed, or if the phone seems to be overheating, you may have stalkerware installed on it. Most people know if they have partners who are overly controlling or suspicious. If this is the case, reset your password or pattern frequently. Of course, you can always do a factory reset on the phone, but this can be troublesome. You can always buy another phone for more private conversations, but this can be expensive. In the end, the best solution may simply be finding a new partner.

For more information on stalkerware, see my post “Stalkerware: ‘Even Your Grandad will be Monitoring Phones in No Time’”.
