Although we often worry about being tracked by companies online, stalkerware apps pose an even greater risk to both our privacy and security, as they are often installed by someone close to us.
Stalkerware and spyware have both seen a huge increase in recent years, despite the fact that you won’t find these types of apps in either the Google Play Store or Apple’s App Store. Instead, they must be manually loaded onto a victim’s device, often by a partner or spouse, which is why stalkerware is also referred to as spouseware.
In addition to violating a user’s privacy and security, many of these apps contain vulnerabilities and other security flaws that can expose a victim’s data to third parties. One such app, called XNSPY, has stolen data from tens of thousands of iPhone and Android users, according to a new report from TechCrunch (opens in a new tab) — but it’s also full of security flaws.
Although you won’t find XNSPY in any app store, it is one of the most popular stalkerware apps today. In fact, data seen by TechCrunch shows that at least 60,000 smartphone users have been tracked by the app since 2014, although there was a recent influx of new victims during the pandemic.
Since this stalkerware has to be loaded manually, the person spying needs physical access to the target device. Android phones must be rooted to use all of XNSPY’s features while an iPhone must be connected to a computer via iTunes during setup.
On its website, XNSPY advertises its long list of spying features, including the ability to check a victim’s phone calls and messages, take screenshots from their device, record their surroundings, see where they use GPS, monitor keystrokes from WhatsApp, Facebook and other messages. platforms, see the locations and names of Wi-Fi networks, and more.
As you might have guessed, using stalkerware apps to track someone is highly illegal, and XNSPY even points this out on its website, saying: “It is outright illegal to spy on your spouse, boyfriend/girlfriend or partner which uses XNSPY. Failure to do so is likely to result in a violation of applicable law and may result in severe monetary and criminal penalties for the violator.”
Full of security flaws
Over the past few months, security researchers Vangelis Stykas and Felipe Solferini have been investigating stalkerware apps to learn more about how they send data and the networks they send it to.
They recently presented their findings at BSides London (opens in a new tab) security conference and revealed that they had identified several common and easy-to-find security flaws in a number of stalkerware apps including XNSPY. These flaws further expose the stolen data to victims, and unfortunately, much of that data is not stored securely to begin with.
Although it is easier to install stalkerware on Android devices since you can sideload apps, in the data it saw, TechCrunch observed more than 10,000 unique iCloud email addresses and passwords used to access a victim’s cloud data. To make matters worse, the data seen by the news outlet was unencrypted.
Unlike other apps that would be pressured by Google or Apple to fix any security flaws they contain, the same cannot be said for stalkerware apps. These apps are not in official app stores, which means no one else holds their developers accountable.
How to stay safe from stalkerware
When it comes to staying safe from stalkerware, the first thing you should do is always have your smartphone with you whenever possible. Don’t leave it unattended while you’re at home, and make sure you always have it with you when you leave the house. Since this is not always possible, you should have a PIN code configured to unlock the device that only you know or better yet, use fingerprint or Face ID.
If you think that XNSPY or another similar stalkerware app might be installed on your device, there are several clear signs to look for. These include your phone using more data than usual and the battery not lasting as long on a charge. Similarly, random errors in apps you use can often indicate that stalkerware is installed.
While best android antivirus apps may be able to detect that stalkerware is installed on your smartphone, this is not always the case. If you feel your privacy and security are at risk, it may be better to upgrade to a new phone instead, although this should be a last resort. When it comes to keeping your iCloud data safe, you should enable Advanced data protection on your iPhone.
Stalkerware continues to pose a threat to people around the world, but Google has made some progress in combating its spread. For example, the search giant has banned stalkerware apps from the Play Store and it has also removed all ads for these types of apps. Unless law enforcement and other government agencies get involved, stalkerware apps will likely continue to exist since there is a market for them.