Google Pulls Seven Stalkerware Apps Discovered by Security Researchers From the Play Store

By Tom McKay on at

Google has yanked several apps from its Play Store after cybersecurity firm Avast identified them as “all likely designed by a Russian developer to allow people to stalk employees, romantic partners, or kids,” CNET reported on Wednesday.

The seven apps – listed as Track Employees Check Work Phone Online Spy Free, Spy Kids Tracker, Phone Cell Tracker, Mobile Tracking, Spy Tracker, SMS Tracker, and Employee Work Spy – identified by Avast were all able to collect information including location, contacts, call logs, and the content of text messages. According to BleepingComputer, they were also capable of intercepting messages sent on encrypted chat services WhatsApp and Viber if the targeted device was rooted. Avast wrote that the seven apps were collectively installed over 130,000 times and included instructions on how to “uninstall anything noticeable to the phone’s owner,” making them ideal for stalking. All that would be required would be access to the device in question.

One of the apps, Employee Work Spy, touted itself as allowing employers to monitor the movements and activities of their staff during work hours, according to Avast:

Finding a skilled employee is only half a task. The biggest challenge is to keep him faithful to the company and its mission. A lot of employees may be just skipping work during work hours. People usually spy on kids, but employees need a strict control too.

The Spy Tracker app advertised itself as allowing parents to keep total tabs on a child’s activities, noting “It is better to talk to children, but if you are not a good listener…”

According to CNET, Google removed four of the apps on Tuesday and the remaining three on Wednesday after being alerted by Avast and determining they violated its policy on commercial spyware. Cached versions of the Play Store page for Spy Tracker, for example, had several reviews purporting to be from people who had installed it on their spouses’ phones without their consent. Another cached page for SMS Tracker contains a review in which a user claims that the developer is a “pro ethical hacker” before mentioning the app helped him “track my spouse’s sms remotely”.

A screenshot of an interface for tracking a targeted device remotely. Screenshot: Avast/CNET

“These apps are highly unethical and problematic for people’s privacy and shouldn’t be on the Google Play Store, as they promote criminal behaviour, and can be abused by employers, stalkers or abusive partners to spy on their victims,” Avast head of mobile threat intelligence and security Nikolaos Chrysaidos told CNET in a statement. “Some of these apps are offered as parental control apps, but their descriptions draw a different picture, telling users the app allows them to ‘keep an eye on cheaters.’”

As Engadget noted, the apps were only “mildly popular” and are part of a fairly obvious plug for Avast’s security tools, but a recent article in the MIT Technology Review highlighted the pervasiveness of stalkerware. Kapersky principal security researcher David Emm told the magazine his company had identified and removed 58,000 instances of stalkerware in 2018, while experts on partner abuse say that stalking and domestic abuse cases often involve tech-enabled tracking:

The growing role of technology in partner abuse isn’t just confined to stalkerware. The domestic-violence charity Refuge estimates that around 95% of its cases involve some form of technology-based abuse, whether by means of parental control apps, employee tracking, or even just obsessive tracking of a partner’s location using Google Maps or Find My Friends. As the world changes, so do abusers’ methods.

In 2017, Motherboard reported that SecureDrop leaks provided to them by two hackers showed two spyware companies, Retina-X and FlexiSpy, had approximately 130,000 users.

“People think this problem is niche, but that’s not true,” Cornell computer science researcher Rahul Chatterjee, co-author of a recent study that identified hundreds of apps that could be used for surveillance of an intimate partner, told MIT Technology Review. “It’s one in three women and one in six men [who have experienced an abusive relationship]. That’s millions and millions of people in the US alone. We can’t ignore this any longer.”

That study found that Apple has restrictions in iOS (both on what functionality it allows App Store apps to use and how easy it is for users to sideload apps from outside official channels) making remote surveillance more difficult than on devices using Google’s Android mobile OS. Functionality varied from “basic location tracking to harvesting texts and even secretly recording video,” according to the New York Times, though on iOS accessing data other than location required knowing a target’s username and password. A Google spokesperson told the paper the company would “further restrict the promotion and distribution” of apps that could be used in stalking in response.

While digital surveillance of a person without their consent can violate laws against stalking, wiretapping, or hacking, the Times wrote, there have been few cases in which developers were found liable. The paper flagged one case in 2014 in which the Justice Department charged the company behind an app called StealthGenie under laws prohibiting advertising or selling “surreptitious interception” devices – after which some developers moved their servers overseas or removed marketing language explicitly stating the app could be used for spying.

In addition to Avast and Kapersky, security firms Symantec, Malwarebytes, and Lookout have all said they would step up efforts to identify stalkerware, according to CNET. [Avast via CNET]

Featured image: Jeff Chiu (AP)