The stalkerware problem, and its solution

Why stalkerware is a problem not only for targets, but also for security vendors – and what we’re doing to fix it.

Stalkerware (aka spouseware, aka legal spyware) is openly distributed commercial software that allows the person who installs it to spy on the people on whose devices it ends up installed. And it’s a big problem – not only for the intended victims, but for security companies as well.

On a human level, stalkerware is very problematic. First and foremost, it’s a kind of technological abuse, which is unethical to say the least. In addition to that, the security risks stalkerware brings should concern everyone: victims and abusers alike. The malware can leak victims’ data and breach device protection, leaving the door open for malicious software of different kinds, and more.

Why stalkerware is a problem for antivirus vendors

The solution seems simple. Stalkerware is bad, so cybersecurity companies should just regard it as malicious and remove it wherever it’s found. Unfortunately, it’s not that simple. Stalkerware is legal — at least in some countries, and in a lot of others it falls into a kind of gray zone, so you’d need to dig deep into legislation to determine its status. And it’s illegal for a security solution to mark legally distributed software as malicious.

There’s more to it: If a person deletes stalkerware from their device, the operator (or abuser) will know immediately, and the results of that might range from a minor escalation of a conflict to physical violence. That may sound extreme, but such cases have been witnessed by nonprofit organizations working with victims of domestic abuse.

Another aspect is that various security vendors deem stalkerware to be different things, so some detect and remove software that others regard as harmless.

So for now, one cannot just mark all stalkerware as malicious and start automatically deleting it. Yet it’s absolutely necessary to highlight the presence of stalkerware to the victim. Most antivirus vendors still mark it as not-a-virus or something similar, which may be misleading for the user. Users may perceive software tagged not-a-virus as something that is OK, which stalkerware certainly is not.

We came up with a solution about half a year ago: a privacy alert that explicitly informs the user that we detected software that eavesdrops and monitors their actions on their device. In addition to that, we have significantly improved our detection of stalkerware. But that’s not enough. We need to educate people on what stalkerware is, what to do if they find stalkerware on their devices, and where to go and whom to talk to.

The Coalition Against Stalkerware

We believe it’s necessary for the IT security industry to unite to protect users against stalkerware and to bring in the experience and expertise of the nonprofit organizations that directly help victims of domestic abuse every day. So, together with Avira, the Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Malwarebytes, the National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape, and Weisser Ring, Kaspersky has founded the Coalition Against Stalkerware.

The key objectives of the Coalition include improving detection and mitigation of stalkerware, educating victims and advocacy organizations about technical aspects, and of course raising awareness about the issue.

This joint project launched with the creation of a consensus-based definition and standard criteria for stalkerware detection. The Coalition has also launched a website, www.stopstalkerware.org, that provides helpful tips on how to find out if there’s stalkerware on your device and what to do about it, and provides contacts in organizations that deal with domestic violence and can help prevent or mitigate the damage.

We believe the Coalition will attract more partners – IT security companies, advocacy organizations, and even law enforcement agencies — that will help to unify the perception and detection of stalkerware across the industry, raise awareness among people, including those who have never encountered stalkerware, and improve efforts to help victims of stalkerware.

We hope we will also be able to change the formal legal status of stalkerware, finally making it illegal to spy on other people without their consent.

Tips