Stalkerware—that is, commercially-available apps that can be covertly installed on another person’s device for the purpose of monitoring their activity without their knowledge or consent—is nothing new, but 2021 has underscored just how prevalent and dangerous these apps continue to be and how important it is for companies and government to take action to rein them in.
2021 saw the 2-year anniversary of the Coalition Against Stalkerware, of which EFF is a founding member. In 2021, the Coalition continued to provide training, published tools and research, and worked directly with survivors of domestic abuse and intimate partner violence and the organizations that support them. EFF also took part in dozens of awareness-raising events, including EFF at Home’s Fighting Stalkerware edition in May and a talk on the state of stalkerware in the Apple ecosystem at 2021’s Objective by the Sea.
A 2021 Norton Lifelock survey of 10,000 adults across ten countries found that almost 1 in 10 respondents who had been in a romantic relationship admitted to using a stalkerware app to monitor a current or former partner’s device activity. The same report indicates that the problem may be worsening. Norton Labs found that “the number of devices reporting stalkerware samples on a daily basis increased markedly by 63% between September 2020 and May 2021” with the 30-day moving average blowing up from 48,000 to 78,000 detections. Norton Labs reported that 250,000 devices were compromised with more than 6,000 stalkerware variants in May 2021 alone, with many devices infected with multiple stalkerware apps. Meanwhile, antivirus vendor Kaspersky reported that in the first ten months of 2021, almost 28,000 of its mobile users were affected by the threat of stalkerware. The range in numbers between these two antivirus companies suggests that we may be comparing apples to oranges, but even Kaspersky’s significantly lower number of detections indicates that stalkerware remains a significant threat in 2021.
2021 was also the year that Apple chose to enter the physical tracker market, debuting the AirTag. Apple used all of the existing iPhones to create a powerful network that gave it a major advantage over Tile and Chipolo in location tracking, but it had also created a powerful tool for stalkers with insufficient mitigations. Aside from an easily-muffled beep after 36 hours (shortened after our criticism to 24), there was no way for users outside of the Apple ecosystem to know that they were being tracked. In December, Apple introduced an Android app called Tracker Detect to allow Android users to scan for Air Tags, but there is still a long way to go before iPhone users have the same notification abilities as Android users.
2021 also continued the trend of stalkerware data leaks. In February, developer Till Kottman discovered that stalkerware app KidsGuard, which markets itself both as a stealthy way for parents to monitor their children and also as a useful tool to “catch a cheating spouse,” was leaking victims’ data by exfiltrating it to an unprotected Alibaba cloud bucket. And in September, security researcher Jo Coscia found that stalkerware app pcTattleTale left screenshots of victims’ phones entirely exposed and visible to anyone who knew the URL to go to. Coscia also showed that pcTattleTale failed to delete the screenshots made by users of the 30-day trial of the stalkerware whose 30 days had expired, even though the company explicitly claimed otherwise.
The FTC also cracked down on a stalkerware app maker, issuing its very first outright ban on Support King, maker of the Spyfone stalkerware app, and its CEO Scott Zuckerman. The FTC took action against Spyfone, which it says “harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” not just because the app facilitated illegal surveillance, but because like KidsGuard and pcTattleTale, the product leaked the data collected from victims. The FTC described Spyfone’s security as “slipshod,” stated its intention to “be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy,” and cited our advocacy as inspiration. We hope this means we will see more bans in 2022.
In 2020, Google banned stalkerware ads in its Play store. The result has been the occasional purge of stalkerware ads, including one in October 2021. While many ads were purged, TechCrunch journalist Zack Whittacker found that “several stalkerware apps used a variety of techniques to successfully evade Google’s ban on advertising apps for partner surveillance and were able to get Google ads approved.” The whack-a-mole continues.
With your support, we can move beyond whack-a-mole and continue to fight stalkerware through policy, education, and detection in 2022.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2021.