'Stalkerware': Scientists study 14 spyware apps to see how they can infiltrate your phone

A recent study finds a number of popular smartphone spyware apps are not only hard to detect and remove, but their poor security means they can leak sensitive personal information.

A team of computer scientists from New York and San Diego looked at 14 leading spyware apps for Android phones as part of the study.

They found that while Google doesn't allow these types of apps to be sold on its app store, Android phones often allow them to be downloaded through the web.

• Tailor the news you receive straight to your inbox by signing up for our newsletters

• Download our app to get breaking news alerts delivered right to you

iOS does not allow what the researchers referred to as "side loading," meaning consumer spyware apps tend to be limited and less invasive, the scientists say.

The researchers disclosed all of their findings to the affected app vendors but say none replied by the time the paper was published.

The paper, called "No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps," will be presented at the Privacy Enhancing Technologies Symposium this summer in Zurich, Switzerland.

"This is a real-life problem and we want to raise awareness for everyone, from victims to the research community," Enze Liu, first author of the paper and a PhD student at the University of California San Diego, said in a story Monday from UC San Diego Today.

Spyware apps run on a device, often without the owner knowing, and can collect sensitive information such as location, texts, calls, audio and video, the researchers say.

Abusers can use these apps to spy on a spouse or partner and only need temporary physical access to a device in order to install the spyware.

Studies during the COVID-19 pandemic have found the use of spyware apps has increased dramatically.

The researchers cited one study from Norton Labs, which found the number of devices reporting spyware apps, or "stalkerware," in the United States rose by 63 per cent between September 2020 and May 2021.

Similar findings from Avast in the United Kingdom found that the use of spyware apps rose 93 per cent in January and February 2021 compared to the same period the previous year.

Spyware apps can sell anywhere between US$30 and $100 a month.

Apps can use an invisible browser to livestream video or activate a phone's microphone. The researchers found several could exploit a phone's accessibility features, intended for people who are visually impaired, to record keystrokes.

Some accept commands through SMS messages – two didn't bother to check if the texts came from the actual user – while one could remotely wipe a victim's phone.

These apps can also hide on a person's smartphone by appearing as a "Wi-Fi" or "Internet Service" icon.

This app launcher on an Android phone displays app icons: the Spyhuman app installed itself as the innocuous-seeming Wi-Fi icon. (University of California San Diego)

On top of their invasive techniques, the researchers found many apps had poor security, whether they were using unencrypted channels or storing data in public URLs.

The researchers found an authentication weakness in one app that allowed the data for every account to be accessed, while four did not delete data even if a user got rid of their account or the app's licence expired. One app continued to collect data even after the free trial period had ended.

Many apps, meanwhile, prevented users from uninstalling them or could automatically restart even if shut down.

The researchers recommend users check the privacy dashboards on their smartphones and all of the apps they have installed, and to use a dashboard that can monitor apps that automatically start on their own.

They say Android should enforce what apps can hide icons, while phones should periodically notify users of any apps that have an excessive number of permissions. Anything capable of accessing sensitive data should also be added to a phone's privacy dashboard, the researchers say.

Other measures they suggest include actions by payment companies such as Visa and PayPal, government and potentially law enforcement.

Since many spyware apps appear to be developed in China and Brazil, the researchers say further study into the supply chain is needed.

"All of these challenges highlight the need for a more creative, diverse and comprehensive set of interventions from industry, government and the research community," the researchers write.

"While technical defences can be part of the solution, the problem scope is much bigger."