The state of stalkerware in 2020 (PDF)
Kaspersky’s data shows that the scale of the stalkerware issue has not improved much in 2020 compared to the last year:
Technology has enabled people to connect more than ever before. We can choose to digitally share our lives with our partner, family, and friends regardless of how far we are physically. Yet, we are also seeing a rise in software that enables users to remotely spy on another person’s life via their digital device, without the affected user giving their consent or being notified.
The software, known as stalkerware, is commercially available to everyone with access to the internet. The risks of stalkerware can go beyond the online sphere and enter the physical world. The Coalition Against Stalkerware warns that stalkerware “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.” Stalkerware can also operate in stealth mode, meaning that there is no icon displayed on the device to indicate its presence and it is not visible to the affected user. The majority of affected users do not even know this type of software exists. This means they cannot protect themselves, online or offline, especially as the perpetrator using stalkerware usually knows their victim personally.
In recent years, Kaspersky has been actively working with partners to end the use of stalkerware. In 2019, we created a special alert that notifies users if stalkerware is installed on their phones. Following that we became one of ten founding members of the Coalition Against Stalkerware. We also published our first full report on the state of stalkerware in the same year to understand the scale of the problem.
This report continues to examine the issue of stalkerware and presents new statistics from 2020, in comparison to our previous data. The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions.
Stalkerware is software that is commercially available to everyone with access to the internet. It is used to spy remotely on another person via their device, without the affected user giving their consent or being notified. Stalkerware operates in stealth mode, meaning that there is no icon displayed on the device indicating its presence, and it is not visible to the affected user. Therefore, the Coalition Against Stalkerware defines stalkerware as software which “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence”.
According to a report by the European Institute for Gender Equality, “seven in ten women in Europe who have experienced cyberstalking have also experience at least one form of physical and/or sexual violence from an intimate partner”. Echoing these findings, experts from non-profit organizations (NPOs) that help domestic abuse survivors and victims emphasize that cyberstalking is also a form of violence. Just as with physical, psychological, and economic violence, an abuser can use surveillance to obtain complete control of their victim/survivor[1] and stay in charge of the situation.
Using stalkerware, the extent of control held by the abuser can be immense. Depending on the type installed, stalkerware may have a variety of functions to intrude into the victim’s privacy. With the software’s help, an abuser can:
All of this private information can be collected, usually from a mobile device, such as a tablet or a smartphone.
Non-profit organizations from the Coalition Against Stalkerware are experiencing a growing number of survivors seeking help with the problem:
Unfortunately, it is not too difficult to secretly install stalkerware on a victim’s phone. The main barrier that exists is that stalkerware has to be configured on an affected device. Due to the distribution vector of such applications which are very different from common malware distribution schemes, it is impossible to get infected with a stalkerware through a spam message including a link to stalkerware or a trap via normal web surfing.
This means that the abuser will need to have physical access to the target device in order to install stalkerware. This is possible if the device either has no pin, pattern, or password to protect it or alternatively, the abuser knows the victim/survivor personally. Installation on the target device can be completed within a few minutes.
Prior to accessing the survivor’s device, the abuser has to collect a link to the installation package from the stalkerware developer’s webpage. In most cases, the software is not downloaded from an official application store. For Android devices, Google banned applications that are clearly stalkerware from its Google Play application store in 2020. This means the abuser will not be able to install such an application from the general app store. Instead, the abuser must follow several steps before being able to install stalkerware. As a result, the abuser may leave traces in the device settings that a user can check if they are concerned they may be being spied on.
Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones. They still need physical access to the phone to jailbreak it, so iPhone users who fear surveillance should always keep an eye on their device. Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware as a gift. There are many companies who make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory packaging to celebrate a special occasion.
The information monitored via stalkerware will be available to at least one person – the abuser who installed stalkerware on the survivor’s phone. However, sometimes it is possible that all the private data may become publically available. Year on year, stalkerware servers are either hacked or left openly unprotected so that information can be accessed and leaked online. For example, in 2020, such a data breach occurred due to a product provided by ClevGuard. In previous years, we have seen similar incidents with Mobiispy in 2019 and with MSpy in 2018 and 2015.
These are just a few examples of a long list in which databases from companies developing stalkerware have been exposed, affecting millions of user accounts. With the possibility to track a person’s location, it means that not only their cyberprivacy is lost but also their security in the physical world may be at risk.
Stalkerware applications are sold and provided by companies under various facades, such as child monitoring or employee tracking solutions. While laws vary from one country and state to another, they are catching up. Generally speaking, it is only illegal to use such tools and apps that record user activity without their consent or that of legal authority. Slowly we are seeing some shifts in legislation. For instance, in 2020, France reinforced sanctions on secret surveillance: geolocating someone without their consent is now punishable with one year imprisonment and a fine of 45,000 euros. If this is done within a couple, the sanctions are potentially higher, including two years’ imprisonment and a fine of 60,000 euros.
Stalkerware tools often violate laws and expose the stalker to legal liability for any recordings made without the victim’s knowledge. Stalkers must realize that they are breaking the law. If the use of stalkerware is reported, the punishment applies to the private perpetrator who installed the software – not its vendor. In the USA, only two stalking app developers have been fined in recent history. One had to pay a record 500,000 US dollar fine, which put an end to the app development process, while the other got off with an order to change the app’s functionality for future sales.
In this section, we look at the global numbers of unique users whose mobile device was found to have stalkerware detected.
The 2020 data shows that the stalkerware situation has not improved much: the number of affected people is still high. A total of 53,870 unique users were affected globally by stalkerware in 2020. Whereas in 2019, 66,927 unique users were affected globally. However, the fact must be taken into account that 2020 was an unprecedented year in which lives have changed in a dramatic way across the globe.
To fight the COVID-19 pandemic, all countries in the world have faced massive restrictions such as self-isolation measures or lockdowns in order to make people stay at home. Considering that stalkerware is used as another tool to control an intimate partner who the abuser lives with as they go about their day-to-day life, this can explain the somewhat lower numbers in comparison with the previous year.
Unique users affected by stalkerware globally from 2018 until 2020 – total per year (download)
When looking at the figures of the total number of unique users affected by stalkerware in 2020 worldwide per month, this trend becomes even more noticeable. The first two months of the year were stable with many cases of affected devices arising, showing stalkerware was quite popular. The situation changed in March when many countries decided to announce quarantine measures. The curve shows a trend that the numbers began to stabilize as of June 2020 when many countries around the world eased restrictions.
Unique users affected by stalkerware in 2020 worldwide – total by month (download)
That said, the 2020 numbers are still on a high, stable level. In comparison, in 2018, there were 40,173 detections of unique users being affected globally by stalkerware. This brings into perspective the total numbers from 2020, as we have seen a growing integration of technology into our lives. Sadly, this also means the software used for stalking is becoming more common as another form of intimate partner violence.
In this section, we analyze which stalkerware samples are actually the most used to control mobile devices on a global level. In 2020 the most detected samples can be seen in the following results.
Top 10 most detected stalkerware samples globally
Samples | Affected users | |
1 | Monitor.AndroidOS.Nidb.a | 8147 |
2 | Monitor.AndroidOS.Cerberus.a | 5429 |
3 | Monitor.AndroidOS.Agent.af | 2727 |
4 | Monitor.AndroidOS.Anlost.a | 2234 |
5 | Monitor.AndroidOS.MobileTracker.c | 2161 |
6 | Monitor.AndroidOS.PhoneSpy.b | 1774 |
7 | Monitor.AndroidOS.Agent.hb | 1463 |
8 | Monitor.AndroidOS.Cerberus.b | 1310 |
9 | Monitor.AndroidOS.Reptilic.a | 1302 |
10 | Monitor.AndroidOS.SecretCam.a | 1124 |
Stalkerware is a global phenomenon that affects countries regardless of size, society, or culture. When looking at the top 10 affected countries worldwide in 2020, Kaspersky’s findings show that largely the same countries remain the most affected, with Russia in the number one spot. Yet, we see an increase in stalkerware activity in Brazil and the USA in 2020 compared to 2019. However, we detected fewer incidents in India, which has fallen in the rankings. We have also detected a higher number of incidents in Mexico, which has risen in the ranking two places.
Top 10 most affected countries by stalkerware – globally
Country | Affected users | |
1 | Russian Federation | 12389 |
2 | Brazil | 6523 |
3 | United States of America | 4745 |
4 | India | 4627 |
5 | Mexico | 1570 |
6 | Germany | 1547 |
7 | Iran | 1345 |
8 | Italy | 1144 |
9 | United Kingdom | 1009 |
10 | Saudi Arabia | 968 |
When considering Europe, Germany, Italy and the UK are the three most affected countries, in that order. They are followed by France in fourth place and Spain in fifth place.
Top 10 most affected countries by stalkerware – Europe
Country | Affected users | |
1 | Germany | 1547 |
2 | Italy | 1144 |
3 | United Kingdom | 1009 |
4 | France | 904 |
5 | Spain | 873 |
6 | Poland | 444 |
7 | Netherlands | 321 |
8 | Romania | 222 |
9 | Belgium | 180 |
10 | Austria | 153 |
It’s hard for everyday users to know if stalkerware is installed on their devices. Generally, this type of software remains hidden which includes hiding the icon of the stalkerware app on the home screen and in the phone menu and even cleaning any traces that have been made. However, it may give itself away and there are some warning signs. Among the most important are:
However, it’s also important to understand that warning signs or symptoms are not necessarily proof that stalkerware is installed on a device.
There are a few pieces of advice that can help to increase your digital safety:
*In the context of domestic violence and abusive relationships it may be difficult or even impossible to deny the abusive partner access to the phone.
Kaspersky is actively working to end the use of cyberviolence and stalkerware, as a company, and together with many other partners. In 2019, we created a special alert that notifies users when stalkerware is installed on their phones. In the same year, with nine other founding members we created the Coalition Against Stalkerware. In 2020, we created TinyCheck, a free tool to detect stalkerware on mobile devices – specifically for service organizations working with victims of domestic violence. TinyCheck can be found on https://github.com/KasperskyLab/TinyCheck. Since 2021, we are one of five partners in an EU-wide project aimed at tackling gender-based cyberviolence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.
The Coalition Against Stalkerware (“CAS” or “Coalition”) is a group dedicated to addressing abuse, stalking, and harassment via the creation and use of stalkerware. Launched in November 2019, the Coalition Against Stalkerware gained 26 partners in its first year. These include founding partners – Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape, and WEISSER RING. The Coalition looks to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and increase public awareness about this important issue. Due to the high societal relevance for users all over the globe and new variants of stalkerware emerging periodically, the Coalition Against Stalkerware is open to new partners and calls for cooperation. To find out more about the Coalition Against Stalkerware please visit the official website www.stopstalkerware.org
[1] Experts refer in their terminology more and more to the empowering term survivor instead of victim. Hence, in this report, we will use both terms.