When Technology Takes Hostages: The Rise of 'Stalkerware'
NSA zero-days and sophisticated state surveillance tools get all the headlines. But we’re overlooking the dangerous, life-threatening, rise of “stalkerware,” which enables domestic violence.
Image: Ursula Ferrara/Shutterstock
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
We live in a Golden Age of technology, where apps have been developed to make almost everything convenient: from logistics for a night of Netflix and chill to complete access to someone else's device. We are living in a time when nearly anything can be delivered to us on demand, whether it's date night or domestic violence, everything is easier with a little help from modern technology.
According to The Guardian, approximately 760 people—more than two per day—are killed by their partners in the US each year. These numbers are probably lower than is accurate, which seems likely given that the 2002 FBI Supplementary Homicide Chart reports numbers nearly twice as high. Despite the disparity in numbers, both reports point out that the overwhelming bulk of the people who are killed by intimate partners each year are women, who make up around 70 or 80 percent of total victims.
In any case, it seems that even at a conservative guess, at least two people are dying per day as a result of intimate partner violence, or IPV. And technology is helping streamline this violence with a type of malware frequently referred to as "spouseware," but more aptly called "stalkerware," which can be used to track a person's movements and record all of their communications.
Whether it's date night or domestic violence, everything is easier with a little help from modern technology.
It's hard to know exactly how many people murdered by current or former partners have also been targeted with stalkerware beforehand, but there are tens of thousands of people around the world using stalkerware, making it a very real problem. Stalkerware may be actively preventing some people from safely escaping their abusive relationships, and ultimately costing them their lives.
It can be extremely difficult to leave an abusive partner in the first place, because as the National Center on Domestic and Sexual Violence points out, even in the absence of stalkerware, the deck is already stacked against people in abusive relationships. Abusers frequently target the independence of their partners before anything else, using manipulation to cut off their sources of income, isolate them from their friends and family, and otherwise control every aspect of their partners' lives.
It can be difficult to identify that this is happening at first, and when the realization does set in, it is frequently long after the abuser's target has already been effectively cut off from their support system. Additional factors, such as children, precarious immigration status, housing scarcity, and the psychological effects of abuse may also be working against people needing to get out of abusive and violent relationships.
With so much already working against people in abusive relationships, the introduction of stalkerware can make what was already a difficult escape effectively impossible. If your abuser knows where you are at all times, and knows that you're making plans to get away, there is a significantly increased chance that they may thwart those plans using this information.
Approximately 75 percent of women killed by their abusers are murdered either while leaving, or after they have left their partner. Having a spyware-infected device while planning to escape an abusive partner, or taking a compromised device while making a getaway, opens people up to more risks than the already extreme threat of being in, and subsequently leaving, an abusive relationship.
Listen to pluspluspodcast's episode about the 'Stalkerware' market.
Stalkerware tends to make its way onto a device through one of two ways: through a phishing attack by an abusive party, where the abuser tricks the victim into clicking on a malicious link or installing a malicious app; or through an abuser having physical access to their target's device and thus installing the stalkerware themselves.
In both cases, the abuser is at an advantage, having both intimate knowledge of their target, and also having psychological sway over their victim. Through exploiting the control dynamics of an already abusive relationship, abusers are frequently able to either talk their partners into sharing or even removing the unlock codes for their phones. Even absent this level of control, an abusive partner's consistent proximity to their target makes it fairly easy to "shoulder surf" their PIN or passphrase. From there, it's a trivial matter to access their target's phone while its owner is showering or sleeping, and to download malware onto their device.
Similarly, having intimate knowledge of a person makes it easier to conduct a phishing attack against them, as it is easy to both exploit an existent relationship in order to get someone to click a link, and also easier to predict what sorts of phishing attempts might be successful.
We've seen fairly extensive reporting on similar malware when it's used by governments to spy on dissidents, yet we see comparatively little reporting on other iterations of this spyware. This is troubling for many reasons, not the least of which is that stalkerware is frequently just a repackaged version of state-sponsored malware like FinFisher, sold for consumer use. As such, focusing our research and reporting almost solely on tools of state surveillance is doing a grave disservice to those facing the potentially deadly threat of intimate partner violence. Reporting on nation-state surveillance is important, as is analyzing and discussing the potential risk state surveillance tools may ultimately pose to normal people.
Regardless of its applications, spyware is an egregious (and generally illegal) violation of the privacy of anyone targeted by it. Whether they're activists being targeted by law enforcement, or victims being targeted by their abusers, the tools are the same. The threat faced by people in abusive relationships is as real, dangerous, and possibly fatal as that faced by victims of targeted state surveillance.
If you believe your partner may be targeting you with stalkerware, one of the safest things you can do is to use your phone as though nothing is wrong with it. Continue to chat with friends, post on social media, and browse the internet normally.
Take your phone with you when you leave the house, but find ways to leave it behind so you can speak candidly with people you trust. Perhaps you're going over to your sister's house for coffee, but decide to leave your phone behind while the two of you walk her dog. Maybe you take the kids to soccer practice, but leave your phone in the car while you have a conversation with a teammate's parent. Take your phone to work, but leave it in your locker when you meet your friend for lunch nearby.
However you do it, find ways to be transparent with those you trust, without letting on to your abuser that you know they may be watching. And, if you do find a way to get out, get rid of your device on the way.