Why the security world should take stalkerware seriously

David Ruiz (Malwarebytes)
live only
19:30 - 20:00 UTC on Day 1, Wednesday 30 September 2020
Last year, cybersecurity vendors, nonprofit organizations and digital rights activists banded together to present a multifaceted front against a shadowy digital threat that can be used to inflict harassment, harm and violence against domestic abuse survivors. This threat is stalkerware. These apps, which proliferate online and at times sneak into the Google Play store, can pry into a person's private life, revealing GPS location history, web browsing behaviour, text messages, emails, phone calls, photos and videos, all without consent and hidden from view. The information that is wrongfully accessed by these apps can be used to reveal a domestic abuse survivor's hidden location, dismantle plans to find safety through a domestic abuse support network, and undo attempts to find help through domestic abuse hotlines.

The numbers on this threat are limited, but staggering. In the first nine months of 2019, Kaspersky reported more than 518,000 detections of either stalkerware installations or installation attempts on Android phones. From 1 March 2019 to 1 March 2020, Malwarebytes detected apps with these capabilities more than 55,000 times on Android devices. Though we have no numbers on the prevalence of these apps within domestic abuse situations, we do know from conversations with domestic abuse advocates, university researchers in intimate partner violence, and local law enforcement, that stalkerware has been used in many situations of domestic violence.

Some of us in the cybersecurity community are working together to better stop this threat, having helped build the Coalition Against Stalkerware, but more help is needed.

In this presentation audience members will receive both information and a call to action to join the fight against stalkerware. First, audience members will see what stalkerware looks like, with a visual demo created by Malwarebytes to show how these apps operate, what capabilities they have, and how easy their user interfaces are to navigate. Next, to fully contextualize how invasive these apps are, audience members will be shown selected results from a one-week, controlled experiment, in which the presenter installed stalkerware on their own device. Actual walking paths, search history and call logs will be shared with the audience to show that this type of information, when put into the wrong hands, can harm the safety of not just victims, but those close to the victim, too.

Finally, the audience will be shown why there is no 'one-size-fits-all' solution to this problem. By focusing on the nuanced circumstances of hypothetical domestic abuse survivors, we will show why, for instance, downloading an anti-malware scanner may not be an option for some survivors. Similarly, for the domestic abuse survivor who lives with their abuser, a scan could further anger the abuser. And, of course, a malware scanner that misses stalkerware could present a false sense of security.

This presentation will show why cross-functional expertise is required to create resources and products that can address the needs of at-risk communities. In the cybersecurity community, we understand the tech. It’s up to us to learn how to make it better protect users.
David Ruiz, Malwarebytes

David Ruiz is an online privacy writer at Malwarebytes, covering the intersection of digital rights, online privacy, and the law. He spent several years as a legal reporter covering Big Tech's biggest legal fiascos, including their alleged involvement in the NSA's global surveillance regime. David also worked for Electronic Frontier Foundation as a writer and policy analyst, launching public campaigns and meeting with US Senators' and Representatives' staff to stop the extension and expansion of NSA surveillance. He has been published, interviewed, quoted, or cited by The Intercept, Buzzfeed News, The London Times, The Huffington Post, TechCrunch, ThreatPost, Geo/Socio/Politico, The Parallax, 2600 Magazine, KQED, The Sacramento Bee, and more. At Malwarebytes, he leads the company's representation in the Coalition Against Stalkerware.