Stalkerware – when the smartphone turns into a bugging device

Complete digital privacy has long since been an illusion. Surveillance is something we face in many areas these days. It is no longer a secret that our smartphones or digital speech assistants are also eavesdropping on and observing our activities. Moreover, this is more or less accepted, because often we have no choice. However, targeted, covert espionage – like stalkerware – is terrifying for everyone. This article explains how stalkerware works, the legal situation and how you can protect yourself against it.

Stalkerware is the term used for spy apps and programmes that are secretly installed on smartphones by third parties and which record and store activities in the background. It also makes data transfer easy – be it photos, documents, (encrypted) chat logs, e-mails, calls, passwords, contact details, browser histories, locations, etc. Typically, for this kind of data it is easy to find buyers for on the Darknet. Some apps even allow remote access and, for example, the microphone to be switched on. This allows the perpetrators to virtually follow our entire lives live on the monitor and misuse data, for example for the purposes of blackmail.

The thing is that this technology is cheap and easily obtainable, even in official app stores. You don't have to be a hacker to install software like this, that's why it is often used to spy on (ex-) partners. The software is taking stalking into the digital world with endless possibilities; much to the distress of the victims.

Legal or illegal, that is the question

Different studies have shown that stalkerware is on the increase. Avast, for example, found that around 55% more spy apps were installed during the Covid-19 pandemic. Data from Kaspersky also show that in 2020, around 54,000 smartphones worldwide were illegally hacked with stalkerware – and the trend is upwards, with the number of unreported cases certainly even higher.

Under Swiss criminal law and data protection laws (DSG/GDPR), surveillance is not permitted without the consent of the person being monitored. However, perpetrators know endless loopholes, which is why there is often little evidence for it. But who is actually responsible? Solely the perpetrators or stalkers, or the app and smartphone manufacturers, or is the victim even partly at fault? Unfortunately, it is impossible to answer these questions unequivocally. Fundamentally, app manufacturers are not acting unlawfully. Monitoring apps are mostly advertised for monitoring children, for example, to track where they are at any given time, which of course can be done for their protection. As long as the terms of use are worded correctly and consent is given, the providers are off the hook. At least almost off the hook, because some advertise in the small print that partners can also be monitored, and not all apps that are installed are displayed as icons, so they are concealed.

App platforms have also recognised the problem. They say that suspicious apps are regularly removed from the store. Google, for example, announced last autumn that it would no longer show ads for suspicious apps. But here, too, there are ways to get around it. On the one hand, as already explained, child-monitoring apps are legal. On  the other hand, app providers can use search engine optimisation to publicise their software despite the advertising ban. So, some app manufacturers hide invisible HTML code blocks on their website that are read by search engines but not displayed normally. For example, one provider's source code says: Do you dream of secretly spying on your partner's phone to find out if they are two-timing you?

Where data protection is powerless

The revised data protection laws, both in Switzerland (DSG) and across Europe (GDPR), are intended to protect data subjects more effectively against data misuse in a number of different ways. This is why there are hefty fines if stalkerware is used without consent. Incidentally, this also applies to companies that monitor their staff without good reason, knowledge and consent – at least, that's the case in Switzerland. However, the theory and what happens in practice are contradictory. Manufacturers cannot be prosecuted if a) the stated use is legal, and b) if the DSG or GDPR do not recognise manufacturer liability for data protection contracts. On top of this, most app providers are based in countries like India and China, which are outside the jurisdiction of the DSG/GDPR. Last but not least, many data subjects don’t even notice stalkerware, and if there is no plaintiff, no judgement can be handed down.

How to spot stalkerware

As we have already said, stalkerware is not easy to detect. Nevertheless, there are some signs you can follow if you are suspicious.

  1. Check which apps are using the highest amount of resources (battery, data usage).
  2. Switch off Wi-Fi, mobile internet and geolocation. Now you can check if there are apps that are still consuming data and accessing your location, and which apps these are.
  3. Check your access permissions, as this can potentially allow apps to change settings on their own.
  4. Activate push notifications for app activities that you do not trust or are not familiar with.
  5. Install virus protection. For example, we recommend the free Sophos Intercept X app. Among other things, it can detect stalkerware and identify which apps or background applications are suspicious.
  6. Specific software will help you find out whether your smartphone may have been hacked. On the iPhone, there is the "SystemGuard" app, which shows whether a jailbreak has been secretly carried out. For Androids, the counterpart is "Root Checker". This app shows whether the smartphone has been rooted; or in other words, whether someone has secretly been able to access it.
  7. Protect your smartphone from unauthorised physical access (code, touch or Face ID), because apps can be installed in no time at all.

If you are very suspicious, do not uninstall the app immediately. For one thing, this is the only way law enforcement can track the surveillance and take legal action, and secondly, the perpetrator may notice, which will only make the problem worse.

If you want to learn more about topics such as data protection, mobile security and the latest developments in the world of security, be sure to subscribe to our blog updates!

Subscribe to our Blog Updates!

<< >>

Cyber Risks , IT Security

Michelle Gehri
About the author / Michelle Gehri

InfoGuard AG - Michelle Gehri, Senior Marketing & Communication Manager

More articles from Michelle Gehri

Related articles
Password Stealing – how “safe” is my password
Password Stealing – how “safe” is my password

More and more companies are feeling the impact of password theft. Non-secure passwords and an inadequate IT [...]
Security of information in public areas – how do I protect myself against “shoulder surfing”?
Security of information in public areas – how do I protect myself against “shoulder surfing”?

Whether you‘re working from home or in public areas, the security risk of in-house information being accessed [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media