Kaspersky researchers have found
a new sample of stalkerware with functionality that surpasses all previous
samples. Named MonitorMinor, the software enables
stalkers to covertly access any data and track activity on targeted devices, as
well as the most popular messaging services and social networks.
Stalkerware
is commercial software that is usually used to secretly monitor users' partners
or colleagues. It fundamentally hinders user privacy, putting people's
information and personal lives at risk. If a person's data is being monitored
and controlled, the result often involves real-life consequences for the
victim. However, the creators of MonitorMinor
obfuscate the application, demonstrating that they are well aware of the
existence of anti-stalkerware tools and are trying to counter them.
While primitive stalkerware uses geofencing
technology, enabling the operator to track the victim's location, and in most
cases intercept SMS and call data, MonitorMinor goes
a few steps further. Recognizing the importance of messengers as a means of
data collection, this software aims to get access to data from all the most
popular modern communication tools.
While in a "clean" Android operating system, direct
communication between apps is prevented by the sandbox, that
changes if a superuser-type app (SU utility) is
installed, which grants root access to the system. Once this SU utility is
installed, security mechanisms of the device no longer exist. Using this
utility, the creators of MonitorMinor enable full
access to data on a variety of popular social media and messaging applications
such as Hangouts, Instagram, Skype, Snapchat and others.
Furthermore, using root privileges, the stalkerware is able
to access screen unlock patterns, enabling the stalkerware operator to unlock
the device when it is nearby or when they have physical access to the device.
This is a unique feature which Kaspersky has previously not identified in any
mobile platform threats.
Even without root access, the stalkerware can operate
effectively by abusing the Accessibility Service API, which is designed to make
devices friendly for users with disabilities. Using this API, the stalkerware
is able to intercept any events in the applications and broadcast live audio.
Other features available in this stalkerware give operators
the ability to:
-
Control
devices using SMS commands
-
View
real-time video from device cameras
-
Record
sound from the device microphones
-
View
browsing history in Google Chrome
-
View
usage statistics for certain apps
-
View
the contents of a device's internal storage
-
View
contact lists
-
View
system logs
"MonitorMinor is superior to other
stalkerware in many aspects and implements all kinds of tracking features, some
of which are unique, and is almost impossible to detect on the victim's
device," said Victor Chebyshev, Kaspersky research development
team lead. "This particular application is incredibly invasive - it completely
strips the victim of any privacy in using their devices, and even enables the
attacker to retrospectively look into what the victims has been doing before.
"Existence of such applications underlines the importance of
protection from stalkerware and the need for joint effort in the fight for
privacy. This is why it is important to highlight this application to our users
which, in the hands of the abusers, could become the ultimate instrument for
control. We have also preemptively shared information about this software with
the Coalition Against Stalkerware partners, to protect as many users as
possible, as soon as we can."
"Our issue with stalkerware apps is not just their marketing,
but their core functionality," said Erica Olsen, director of the Safety Net
Project at the National Network to End Domestic Violence, a member-organization
of the Coalition Against Stalkerware. "Rampant stealth access, with no notifications
to the user, creates an app that is truly designed to illegally stalk or
monitor another person. We should not minimize how invasive and abusive these
apps can be. Regulations are needed to address the basic design features."
According to Kaspersky telemetry, India currently has the
largest share of installations of this stalkerware (14.71%). Mexico (11.76%) is
next, followed by Germany, Saudi Arabia, and the UK (5.88% in each country).
Read more about MonitorMinor on Securelist.com.
To minimize the risk of falling victim to a
stalker, Kaspersky recommends the following advice:
-
Block
the installation of programs from unknown sources in your smartphone's settings
-
Never
disclose the password or passcode to your mobile device, even if it is with
someone you trust
-
Change
all security settings on your mobile device if you are leaving a relationship,
such as passwords and applications location access settings. An ex may try to
acquire your personal information in order to manipulate you
-
Check
the list of applications on your devices to find out if suspicious programs
were installed without your consent
-
Use
a reliable security solution that notifies you about the presence of commercial
spyware programs aimed at invading your privacy on your phone, such as Kaspersky Internet Security
-
If
you think you are a victim of stalking and need help, contact a relevant
organization for professional advice
-
There
are resources that can assist victims of domestic violence, dating violence,
stalking and sexual violence.If you have questions about stalkerware and
would like assistance, please contact the Coalition Against Stalkerware, formed
by not-for-profit groups and IT security organizations: www.stopstalkerware.org