Note: This story contains descriptions of digital abuse and references to domestic violence.
Early in her marriage, Samantha noticed that her husband would disappear into the bathroom for a long time. When he came out, he’d be angry with her.
“Later on, I found he was reading my text messages,” Samantha told Digital Trends. “They were forwarded to his phone.”
His behavior escalated, according to Samantha. In addition to violent behavior, he attempted to hack into her relatives’ bank accounts. She left him in 2015, but the abuse didn’t end. He registered a car under her name, and he seemed to know whenever — and wherever — she made a purchase or walked outside.
“I was living four states away from him, and somehow as I would be leaving, he would show up,” Samantha told Digital Trends. She declined to give her last name because her husband is still attempting to monitor her digital life.
“It would seem crazy and paranoid to think someone is tracking you like this. People don’t think these kinds of things are possible. It makes you question your sanity Since the abuser could no longer physically control or punish me, this was his way of inflicting pain,” she added.
It was only two years ago, after being continuously terrorized, that Samantha discovered the full extent of her abuser’s monitoring — thanks to the help of domestic abuse specialists and tech labs that scanned her phone. She believes he hacked at least five of her devices with stalkerware over the course of their relationship.
“Stalkerware” is a catchall term for apps that secretly monitor a victim’s communications, location, photos, password keystrokes, and more.
“Right now, the victim and abuser are always together,” said Kaspersky Lab’s research development team lead Victor Chebyshev. “There is no need to monitor activity if they are in the same place.”
Chebyshev fully expects that the use of stalkerware will spike again once more people cease sheltering in place.
“It makes no difference if there is a quarantine, social distancing, or any other crisis situation, as we are continuously on guard without any moment of pause,” he said.
Cybersecurity firm Avast, however, detected an increase of stalkerware use during lockdown. The discrepancy may demonstrate how little of a grasp we have on these numbers.
“It remains to be seen how the numbers of detected stalkerware will look like at the end of the year, as this will show us a clearer picture,” said Chebyshev.
Stalkerware’s disturbing history
Stalkerware has been around for more than a decade, though it has historically fallen under the “spyware” umbrella until recently. Using these apps as a domestic abuse tactic is still a relatively new topic among tech companies and lawmakers, though not due to a lack of prevalence.
Use of stalkerware spiked globally in the past two years, according to Kaspersky, which found that 35 percent more people worldwide had encountered the apps in 2019 than in 2018. These numbers are likely low since they are based on reports by users who managed to scan and locate the stalkerware on their devices.
A February poll conducted by Harris and NortonLifeLock found that 10 percent of Americans have used an app to monitor their ex- or current partner’s calls, messages, emails, and photos without the partner’s knowledge or permission.
“We’ve seen a huge increase, we believe, for two reasons,” said Chebyshev. “One, because we’ve improved our detection, and two, because developers who create stalkerware started to fight against our detection.”
“It was quite shocking as well to see how bad the problem is”
Last year, competing security companies like Norton Lifelock, Kaspersky, Malwarebytes and others banded together to fight the uptick of stalkerware through the Coalition Against Stalkerware.
“It was quite shocking as well to see how bad the problem is,” said Chebyshev, “[COVID-19] provides some time to focus on activities that we are doing together with the Coalition Against Stalkerware in order to increase general awareness about the problem. … Nonetheless, we think that the fight to protect all users against stalkerware will still be there for a while, unfortunately.”
Meanwhile, nonprofits and domestic violence organizations are scrambling to help survivors deal with the invisible problem while they’re in confinement. In a groundbreaking program in New York, Cornell Tech’s Clinic to End Tech Abuse teamed up with Family Justice Centers to scan and wipe survivors’ phones. The service is remote during COVID-19, with tech specialists making appointments in specific boroughs.
“There’s a lot of gaslighting going on with this abuse,” said Jenise Jenkins, director of operations for the NYC Family Justice Centers. “An abuser says ‘You don’t know what you’re talking about.’ It is hugely beneficial for our clients to know and be assured that they were not making this up. They’re hearing confirmation from a professional. Plus, once they know it’s just an app, they can do something about it.”
Cornell Tech has developed an open source antivirus technology called ISDi, which survivors don’t have to install, thereby evading the abuser’s detection. While stalkerware has decreased during COVID overall, Cornell Tech is anecdotally reporting the same number of concerned survivors.
“I thought there would be a drop-off, but we’re busier than ever,” said Diana Freed, doctoral fellow and Ph.D. researcher at Cornell Tech.
Recovering from stalkerware
One size does not fit all when it comes to action plans for survivors. Samantha is currently living at a private address. One of her devices is still hacked — her abuser doesn’t know that she knows he has access to it. She only gives him harmless information. This way, she can control him, rather than vice versa. She is seeking a divorce, but has not gone to the police.
“It’s very difficult to prove, especially when there’s a spouse and you shared a phone plan. Gaslighting and mental warfare, which are nontangible, are difficult to explain to non-trauma informed people,” said Samantha. “Also, if he finds out I know, he might change everything.”
Stalkerware presents a legal puzzle. It is generally legal to develop the technology that underlies many apps used as stalkerware. Users can be brought up on charges like stalking or fraud if they deploy the technology for illegal purposes. However, it is difficult to prosecute; the technology is shadowy and survivors are often unwilling to share their actively monitored devices with forensic police teams. Almost half of domestic abuse cases go unreported.
“Accessing someones’ device can be violating all sorts of computer privacy laws,” said Erica Olsen, director of the Safety Net program at the National Network to End Domestic Violence. “But there are so few options for finding it, proving it, and getting rid of it. Survivors are usually forced to do a factory reset or get a new phone, which means that the evidence is not preserved.”
No easy solution
The U.S. has a huge stalkerware problem, but the nation is ahead of the curve when it comes to fighting it. In October, the Federal Trade Commission brought allegations against three stalkerware companies after they enabled users to engage in illegal monitoring activities on their platforms. Globally, the case is only the second of its kind: In 2014, a U.S. court successfully shut down a Pakistan-based stalkerware app.
Most stalkerware can be downloaded from stand-alone websites or through Google Play for Android phones — though Google has launched initiatives to filter out these apps. The search giant announced last week that it would ban ads for stalkerware apps — specifically ones “that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.”
Android devices are also susceptible because they are open source and have a diverse ecosystem; several versions of the Android operating system are available simultaneously, making security updates erratic. Stalkerware is less common on Apple devices, since the App Store is strict about development and submission.
It’s impossible to detect many stalkerware apps without a targeted stalkerware scan, and that kind of scanning tech is still in its infancy. These apps are typically buried deep in a victim’s phone system — usually under innocuous file names like “WiFi Check,” meaning victims usually don’t notice them on their own.
Any abuser can upload stalkerware, whether or not they have a tech background.
“It’s pretty simple. You just have to Google the steps,” said Jenkins. “It happens more frequently than the layperson would think. With domestic violence survivors, they’re already dealing with so much that it just compounds their worry and concern for their safety and for their children.”
Once the information reaches the apps, the victims’ problems may only get worse, according to Chebyshev. Many stalkerware apps upload victims’ information onto insecure servers. Hackers can easily retrieve the information, and the app can use it for its own data and marketing purposes since there is no privacy agreement with the victims.
Freed said that anyone who is suspicious of activity on their phone should use reputable antiviral software that detects stalkerware — not just adware. Kaspersky, MalwareBytes, Avira, McAfee, and Avast all reportedly target stalkerware with success. In addition to its anti-stalkerware technology, CETA also provides step-by-step instructions on disconnecting from abusive partners, from removing saved passwords to enhancing Facebook security.
Samantha said she has more than one device, and she uses them all for different purposes in order to throw off her abuser. One device is for educational software for her son, for example. Another is for trusted friends and family. She is extremely careful about giving out her information to anyone.
“I deserve to live a normal life. If this is how I have to do it, that’s what I’m going to do,” she said.
If you or someone you know is experiencing domestic abuse or stalking, contact the National Domestic Violence Hotline at 1-800-799-7233.