Kaspersky antivirus now IDs ‘spouse’ spyware as proper malware

  • Liam Tung (CSO Online)
  • 04 April, 2019 09:16

Kaspersky has launched a new feature for its Android antivirus that aims to tackle commercial spyware bought by people who install it on their spouse’s smartphone.   

The Russian antivirus firm, recently spurned by the US over spying claims, is the first cybersecurity vendor to support a campaign by the Electronic Frontier Foundation (EFF) for the anti-malware industry to do more to detect and prevent the use of legal programs used to spy on spouses, kids, and employees.

The malicious mobile apps are known as “spouseware” or “stalkerware” and are typically installed on the target’s phone without their knowledge. The apps often have no home screen icon so the target doesn’t know they’re being spied on, and the apps aren’t outright illegal.

Examples of the class of spyware include FlexiSpy and an app made by US firm RetinaX called PhoneSheriff. 

Details of each app and its users were exposed after hackers who were opposed to stalkerware leaked two large caches of internal files from each firm.

Kaspersky notes there is some overlap in functionality between legal parental control software and find-my-phone apps, but points to a few key differences. 

First, stalker apps are often distributed through online ads outside of the Google Play app store, which is discouraged by Google because they’re not vetted by the Android-maker. The spying app typically needs to be installed manually by the victim using social engineering.

Second, once installed on a phone, the apps are hidden from the device’s app menu, while running in the background with functions such as recording audio and deleting antivirus.

The company’s move on stalkerware follows a campaign by Eva Galperin, head of the EFF’s Threat Lab, for the antivirus industry to tackle a form of malware that differs from most. 

Unlike most malware, attackers who use stalkerware often already know details about a target, like a phone passcode, and probably have physical access to the device. This would undermine security measures like a user changing passwords and enabling two-factor authentication.

Added to this, there is a high risk that the malicious app could lead to physical harm for the target. 

"Full access to someone’s phone is essentially full access to someone’s mind," Galperin told Wired.

"The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge."

Targets of stalkerware are an outlier in the field of cybersecurity, where “targeted attacks”, which don’t pose a risk to the masses, usually mean state-sponsored hackers seeking information about individuals who oppose state policy or employees of organizations whose devices could provide valuable intelligence. 

Kaspersky highlights the rarity of stalkerware by comparing it to widespread ransomware attacks.  

Last year the company saw 58,487 instances of devices with stalkerware apps installed on a phone or tablet, compared to nearly 190,000 instances of mobile devices with ransomware infections. At the same time, there’s a huge number of different stalkerware programs available, totaling 26,619, according to Kaspersky.

Stalkerware apps often ask victims to, in the case of Android, enable app installs from unknown sources outside of the Google Play Store and to disable Google's built-in Android anti-malware solution Google Play Protect.