How to spot the software that could be spying on you

By Ivana Davidovic
Business reporter, BBC News

Published
Image source, Getty Images
Image caption,
Google has now removed several adverts for applications that encourage prospective users to spy on their partner's phone

Maria says she grew up in a "loving" Catholic family on the east coast of America, with large Sunday dinners a weekly staple. Her parents had a good marriage and she wanted that respect and closeness in her own relationship.

When she met her husband in her early twenties, it felt like love.

But romance quickly soured, turning in to a 25-year tale of abuse and control. First there was the name-calling. Then, complete control of her finances, her movements, and eventually over their three sons.

Her husband objected to her having a job where she would interact with other people and he banned her from using the computer.

"He would call me fat every day, he would barricade me out of the house when he was angry" she recalls.

Eventually, the financial abuse ramped up. First, he would take away her paycheque from her cleaning job, then, he applied for credit cards in Maria's name using her social security number.

Six years ago, Maria finally broke down when she heard him say he wanted her dead. With the help of her church and family she slowly formulated an escape plan.

After losing their property to foreclosure, she eventually moved in with her sister. She got a laptop for the first time and finally had the freedom to set up a Facebook account. She started dating.

But soon, her ex-husband would quote her messages to a man she was seeing. Her ex also started turning up wherever she was.

She would suddenly spot him driving behind her on a motorway. Once, she was so terrified that he was chasing her and could possibly pull a gun, that she called the police.

Although she didn't press charges, the stalking eventually subsided and she moved further away. But she found out she had been a victim of so-called stalkerware.

Stalkerware is commercially available software that's used to spy on another person via their device - usually a phone - without their consent.

It can allow the user to view someone else's messages, location, photos, files, and even eavesdrop on conversations in the phone's vicinity.

Image source, CAS
Image caption,
Some kind of technology is almost always involved in domestic abuse says Eva Galperin

To help tackle the problem Eva Galperin formed the Coalition Against Stalkerware in 2019.

She decided to set up the group after looking into reports from a number of alleged rape victims, who were terrified their lives could continue to be ruined by their abuser using tech. When someone has access to your phone the potential for exploitation is huge, she explains. For example a victim could be blackmailed with threats to share intimate photos.

Ms Galperin says that in the domestic abuse cases she encounters, "some level of tech-enabled abuse is almost universally there", and that this often includes stalkerware.

"It's often linked to the most violent cases - because it is such a powerful tool of coercive control," she adds.

Research suggests that proliferation of stalkerware is a growing problem: A study by Norton Labs found that the number of devices indicating that they had stalkerware installed rose by 63% between September 2020 and May 2021.

Its report suggested the dramatic increase could be due to the effect of lockdowns and people generally spending more time at home.

"Personal belongings are easily within arm's reach, likely creating more opportunities for perpetrators of tech-enabled abuse to install stalkerware on their partner's devices," the report found.

Over the last two years, Ms Galperin has managed to convince a clutch of anti-virus companies to take this type of malicious software more seriously, this followed an initial reluctance to mark stalkerware as an unwanted programme - or malware - because of its possible legitimate uses.

In October, Google removed several adverts for applications that encourage prospective users to spy on their partner's phone. These apps are often marketed at parents wishing to monitor their child's movements and messages - but have instead been repurposed by abusers to spy on their spouses.

Image source, Getty Images
Image caption,
US authorities have been cracking down on firms selling software that lets users spy on other devices

One of those apps, SpyFone, was banned by the US Federal Trade Commission in September for harvesting and sharing data about people's movements and activities via a hidden device hack.

Despite these positive moves, some stalkerware apps, and advice on how to use them, are still easily accessible online.

According to Ms Galperin, the next issue the FTC is investigating are firms selling and purchasing phone location data of users without their knowledge. She calls this tech "an extremely powerful tool" for private investigators, who use it to track their targets' locations.

With stalkerware deliberately designed to be difficult to spot, even those who are more tech savvy can still fall prey to it.

One such person was Charlotte (not her real name), a senior cybersecurity analyst.

Soon after she got engaged she slowly realised odd things had started happening to her phone. The battery would quickly drain and her phone would suddenly restart - both tell-tale signs of stalkerware being potentially installed on her device.

It wasn't until her partner made it clear that he always knew where she was, that she finally connected the dots.

To get some advice on what to do, she went to a hacker meet-up. It was an industry her partner worked in and she was familiar with some of the faces.

She was shocked to discover a "culture of acceptance of being able to track your partner".

The "tech bro" environment she encountered spurred her to move into cybersecurity, to bolster the industry's "representation from different perspectives".

Image source, Getty Images
Image caption,
Some in the tech world see nothing wrong with tracking your partner

A quick internet search reveals many services claiming they can hack into someone's smartphone with just a phone number, usually for a few hundred dollars to be paid in cryptocurrency.

However, while software with those capabilities may be accessible to law enforcement agencies, the cybersecurity experts believe these websites are likely scams. Instead, consumer grade stalkerware largely relies on "social engineering," which Charlotte says people can learn to be careful about.

The target might be sent a text message, which looks plausible, inviting them to click on a link.

Or a bogus app, masquerading as a legitimate, one might be shared with them.

Charlotte says "don't be scared" if you try to delete a suspicious app and it throws up a lot of warnings.

"Sometimes they use scare tactics to get the users not to remove the software. They use a lot of social engineering techniques."

If all else fails, Charlotte recommends doing a factory reset of your phone, changing all of your social media account passwords and using two-factor authentication all the time.

Image source, Getty Images
Image caption,
Experts say don't be scared to delete a suspicious app from your phone

So, what would be the best way of tackling the problem?

Most countries already have some sort of wiretapping statute and anti-stalking laws in place.

For example, in 2020, France introduced a new bill on domestic violence which, among others, reinforced sanctions on secret surveillance: geo-tracking someone without their consent is now punishable with one year's imprisonment and a fine of €45,000 (£38,000; $51,000). If this is done by your partner, the fines are potentially even higher.

Ways forward

But, for Eva Galperin, this is not a problem that we can ever expect new legislation to solve entirely.

She thinks that both Google and Apple could, for instance, take action by making it impossible to buy any of these apps on their stores.

Crucially, she adds, the focus has to be on better training for the police to take the problem more seriously.

One of the biggest issues she says she sees is that "survivors come to law enforcement, expect them to enforce the law and essentially get 'gaslit', and told that there's no problem".

The proliferation of cyber-stalking has also brought about a new type of service to support domestic abuse victims.

Clinic To End Tech Abuse - CETA - is one such facility, associated with Cornell University in the US. CETA works directly with abuse survivors, whilst at the same time gathering research about burgeoning tech misuse.

Rosanna Bellini from CETA says that occasionally they might not recommend removing stalkerware from the victim's phone immediately - without doing some safety planning first with a case worker. Past experience has informed this approach: if an abuser's access to the victim's phone is suddenly cut, it can lead to an escalation of violence.

For Maria, who has been free from her abusive marriage for six years, things are not perfect but they are looking up.

"I'm in a good relationship with someone who really cares about me and actually is behind me, telling my story," she says.

There are still times she gets anxious about her phone. She was diagnosed with post-traumatic stress disorder (PTSD). But she wants other survivors to know that cyber-stalking is huge and that they are not alone.

"Don't be scared. There is help out there. I've made huge strides and if I can do it at my age - at 56 - anyone can do it."