New stalkerware reads messaging apps and unlocks devices
Unprecedented features give abusers full access to popular social media and messaging apps, as well as screen unlock patterns
Woburn, MA – March 16, 2020 –Kaspersky researchers have found a new sample of stalkerware with functionality that surpasses all previous samples. Named MonitorMinor, the software enables stalkers to covertly access any data and track activity on targeted devices, as well as the most popular messaging services and social networks.
Stalkerware is commercial software that is usually used to secretly monitor users’ partners or colleagues. It fundamentally hinders user privacy, putting people’s information and personal lives at risk. If a person’s data is being monitored and controlled, the result often involves real-life consequences for the victim. However, the creators of MonitorMinor obfuscate the application, demonstrating that they are well aware of the existence of anti-stalkerware tools and are trying to counter them.
While primitive stalkerware uses geofencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data, MonitorMinor goes a few steps further. Recognizing the importance of messengers as a means of data collection, this software aims to get access to data from all the most popular modern communication tools.
While in a “clean” Android operating system, direct communication between apps is prevented by the sandbox, that changes if a superuser-type app (SU utility) is installed, which grants root access to the system. Once this SU utility is installed, security mechanisms of the device no longer exist. Using this utility, the creators of MonitorMinor enable full access to data on a variety of popular social media and messaging applications such as Hangouts, Instagram, Skype, Snapchat and others.
Furthermore, using root privileges, the stalkerware is able to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they have physical access to the device. This is a unique feature which Kaspersky has previously not identified in any mobile platform threats.
Even without root access, the stalkerware can operate effectively by abusing the Accessibility Service API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.
Other features available in this stalkerware give operators the ability to:
- Control devices using SMS commands
- View real-time video from device cameras
- Record sound from the device microphones
- View browsing history in Google Chrome
- View usage statistics for certain apps
- View the contents of a device’s internal storage
- View contact lists
- View system logs
“MonitorMinor is superior to other stalkerware in many aspects and implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device,” said Victor Chebyshev, Kaspersky research development team lead. “This particular application is incredibly invasive – it completely strips the victim of any privacy in using their devices, and even enables the attacker to retrospectively look into what the victims has been doing before.
“Existence of such applications underlines the importance of protection from stalkerware and the need for joint effort in the fight for privacy. This is why it is important to highlight this application to our users which, in the hands of the abusers, could become the ultimate instrument for control. We have also preemptively shared information about this software with the Coalition Against Stalkerware partners, to protect as many users as possible, as soon as we can.”
“Our issue with stalkerware apps is not just their marketing, but their core functionality,” said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence, a member-organization of the Coalition Against Stalkerware. “Rampant stealth access, with no notifications to the user, creates an app that is truly designed to illegally stalk or monitor another person. We should not minimize how invasive and abusive these apps can be. Regulations are needed to address the basic design features.”
According to Kaspersky telemetry, India currently has the largest share of installations of this stalkerware (14.71%). Mexico (11.76%) is next, followed by Germany, Saudi Arabia, and the UK (5.88% in each country).
Read more about MonitorMinor on Securelist.com.
To minimize the risk of falling victim to a stalker, Kaspersky recommends the following advice:
- Block the installation of programs from unknown sources in your smartphone’s settings
- Never disclose the password or passcode to your mobile device, even if it is with someone you trust
- Change all security settings on your mobile device if you are leaving a relationship, such as passwords and applications location access settings. An ex may try to acquire your personal information in order to manipulate you
- Check the list of applications on your devices to find out if suspicious programs were installed without your consent
- Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy on your phone, such as Kaspersky Internet Security
- If you think you are a victim of stalking and need help, contact a relevant organization for professional advice
- There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you have questions about stalkerware and would like assistance, please contact the Coalition Against Stalkerware, formed by not-for-profit groups and IT security organizations: stopstalkerware.org
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
About The Coalition Against Stalkerware
The Coalition Against Stalkerware convened in 2019 in order to facilitate communication between those organizations working to combat domestic violence and the security community. The founding organizations have committed to fighting domestic violence, stalking, and harassment by addressing the use of stalkerware and raising public awareness about this issue. Founding partners include Avira, Electronic Frontier Foundation, European Network for the Work with Perpetrators of Domestic Violence, G DATA CyberDefense, Kaspersky, Malwarebytes, National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape and WEISSER RING