Antivirus vendors and non-profits join to form 'Coalition Against Stalkerware'

New cross-industry initiative forms to bring an end to commodity stalkerware apps and victim abuse.

Ten organizations today announced the creation of the Coalition Against Stalkerware, the first global initiative of its kind, with the sole purpose of fighting against stalkerware.

Also known as spouseware, stalkerware is a smaller category of the spyware class. Stalkerware refers to apps that abusive partners install on the devices of their loved ones without their knowledge or consent.

They contain features that allow the abuser to track their significant other's geographical location, web browsing habits, social media activity, log keystrokes inside instant messaging apps, retrieve photos, or even record audio and video without the owner's knowledge.

Stalkerware apps are available for both mobile and desktop operating systems and are often sold commercially under the guise of child trackers, pet trackers, phone-finding apps, remote access toolkits, and so on. This kind of apps live in a gray area of the current app ecosystem where they can be used for both legitimate and criminal purposes, giving app makers an easy excuse when confronted with abuse reports from victims -- albeit some apps are more blatant and advertise themselves as a way to catch cheating girlfriends, although, these cases are rare.

In recent years, the number of such apps has increased exponentially, and so have the number of incidents where partners have used stalkerware to harass, threaten, or physically assault partners.

According to statistics gathered by antivirus vendor Kaspersky, the number of users who had stalkerware-like apps installed on their devices rose by 35%, from 27,798 in 2018 to 37,532 in 2019. In addition, the number of stalkerware-like apps has also increased in recent years, with the antivirus vendor detecting as much as 380 different variants in 2019, a massve 31% rise when compared to 2018.

Coalition Against Stalkerware main goals

This is where the new Coalition Against Stalkerware comes in. The goal of this new initiative is to build a wireframe for fighting abuse perpetrated with the aid of stalkerware. The coalition plans to operate on multiple fronts to achieve this.

It will work with antivirus vendors to improve the detection of known stalkerware apps that are often used by abusers to spy and track their partners.

It will also work to develop and share technical guides on how to deal with stalkerware at the level of frontline non-profits that handle victims of domestic abuse.

Finally, the coalition hopes that sometime in the future, it will establish partnerships with law enforcement agencies to go after the companies that sell stalkerware apps.

In alphabetical order, founding members of the Coalition Against Ransomware include Avira, the Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence (WWP), G DATA CyberDefense, Kaspersky, Malwarebytes, National Network to End Domestic Violence (NNEDV), NortonLifeLock (formerly Symantec), Operation Safe Escape, and the WEISSER RING.

Started from a tweet

However, the driving force behind the new coalition is, without a doubt, Eva Galperin, the Electronic Frontier Foundation's director of cybersecurity.

Her work on raising the flag against stalkerware abuse can be traced back to one single tweet she made in January 2018, when she offered to provide technical support to women who have been the victims of hacking threats.

Unknown to Galperin at the time was that a vast amount of the request she'd receive would be about stalkerware -- a fight she took on, first alone, then aided by her EFF colleagues.

Ever since then, Galperin has been lobbying the cyber-security industry to do better at detecting stalkerware and working to rally public support against the use of such software.

As Galperin has noted in several of the talks she's given on the subject in the past year, stalkerware is not a sexy item of research for cyber-security vendors.

It is a rare occurrence, and not the type of finding that draws headlines. Vendors will tend to invest human resources and technical capabilities into detecting financially-motivated malware or nation-state hacking operations -- the type of research that usually gets all the news headlines and helps push the company brand into the public conscience.

But Galperin's voice and relentless lobbying could not be stopped. In early 2019, she scored her first major victory, when she was asked to present her work on the rising threat of stalkerware at Kaspersky SAS, one of the world's leading security conference. [video below]

By the time the conference got underway, Galperin had already convinced Kasperksy, one of the world's biggest antivirus vendors, to add detections for stalkerware apps.

As she explained in a Wired interview earlier this year, the company was looking for positive media coverage following a ban imposed by the US government on accusations of "spying for the Russian government."

Kaspersky got what they wanted, but Galperin got more. Not only had she convinced the first antivirus vendor to take a stronger stance against stalkerware apps, but she also got to broadcast her voice on one of the loudest stages in the information security (infosec) scene.

A day later, a second antivirus vendor was following in Kaspersky's footprints, with US antivirus vendor Lookout also announcing it was rolling out stalkerware protections.

For the rest of the year, Galperin has been pleading her case at multiple cyber-security conferences, shifting the public opinion to her case, and putting more pressure on other antivirus vendors to take action against this growing threat.

Galperin's efforts paid off. Her case resonated with Martijn Grooten, the primary force behind the Virus Bulletin security conference, and a well respected figure in the infosec scene.

Using connections he'd established during the past decades, Grooten helped bring several antivirus vendors together and talking.

But while Galperin, Grooten, and Kaspersky have helped build the foundation of the Coalition Against Stalkerware, more work is in store. This is only the beginning.

Antivirus vendors need to get together and decide on a common action plan for dealing with stalkerware infections. The current consensus is that removing stalkerware apps from an infected device is bad.

There's a fine line that antivirus vendors need to walk with stalkerware that they don't have to deal with with any other type of malware. If they detect ransomware or banking trojans, they remove the malware right away. With stalkerware, there are multiple other things they need to consider.

In a phone interview last week, Grooten said that there've been many talks about the type of alert victims would see. It's been deemed important that victms must be alerted about stalkerware installed on their device, but the antivirus must not remove the stalkerware app, as this could trigger a violent response from the abuser, and put victims at risk of physical harm.

Working with frontline organizations

Furthermore, there are hundreds of frontline organizations that work with victims of domestic abuse around the world, which will need to be contacted and brought into the fold.

Dealing with stalkerware is a multi-front process that may involve, depending on the case: (1) dealing with removing the threat, (2) removing the victim from an abusive environment, (3) improving the victim's cyber-security posture but leaving her/him in its environment, and/or (4) contacting authorities.

It's these frontline organizations, together with the victims, that will be making these decisions -- based on an initial malware alert a victim might get going forward.

Contacted by ZDNet, the European Network for the Work with Perpetrators of Domestic Violence (WWP), an organization that contacts abusers on behalf of the victims, says it has no technical guidelines to follow when handling cases that involve the use of technology-facilitated abuse or the use of stalkerware specifically by perpetrators. This is where the Coalition Against Stalkerware might help fill the gap.

"The ubiquity of smartphones and the incredible ease with which perpetrators can access information on installing and using stalkerware makes technology-facilitated abuse against women and girls a highly relevant topic," a WWP spokesperson told ZDNet via email last week. "In cooperation with the other coalition members, we will gather data and further develop this field of intervention in perpetrator work."

Stalkerware is mostly a problem on smartphones

Further, as the WWP told ZDNet, the biggest issue today is the ubiquity of smartphones, where it is often way to easy to install an app with stalkerware-like functions, sometimes even from official app stores, without needing to root a device.

Here, Google and Apple will need to join the fold and impose stricter rules on what kind of apps they host on their stores.

"Although spyware for computers is still an available product on the market and a concern, it's not coming up as often," a spokesperson for the National Network to End Domestic Violence (NNEDV) told ZDNet via email this week.

"We are definitely seeing more concerns with stalkerware on smartphones, and it makes sense considering that most of us keep our phones with us throughout the day."

And since almost every teenager or adult nowadays carries around a smartphone, the threat of having a jealous partner install stalkerware on our devices is a major issue. When we asked how common stalkerware cases are, the NNEDV had the following to say:

"It's absolutely not an outlier, but a very common concern," it said. "Overall, in our work, the issue of stalkerware is a serious and consistent concern and has been for some time."

Dealing with all these cases needs to be a coordinated effort, and victims must receive the very best advice. To centralize its response, the NNEDV has recently published a web page that helps victims understand the dangers of stalkerware, and technical guides on dealing with stalkerware and other threats posed by other location-tracking technologies.

Here is where the Coalition Against Stalkerware will also come in to help, centralizing all stalkerwire guides and response measures in one single place, managed and vetted by some of the infosec industry's best experts. Later today, the coalition's website will go live at StopStalkerware.org with more information for both victims and frontline organizations.

Furthermore, one of the new coalition's unspoken goals is to hope to have the impact of another similar project named No More Ransom, a partnership between antivirus vendors and law enforcement that has provided free ransomware decryption tools and has prevented ransomware payments of at least $108 million during the past three years.

Currently, No More Ransom is considered the gold standard in terms of private industry and law enforcement collaboration.

If the Coalition Against Stalkerware manages to get law enforcement on board, it will be a force to be reckoned with, and many companies selling surveillance apps that could be used for stalking purposes will most likely have to rethink their business strategies in the face of possible pending indictments.