Skip to content

A New Threat: Stalkerware

What would you do if you attended a political event or protest and the next day, you receive targeted adverts for that political cause?  Would that be cause for concern?  After all, you don’t post about your political views, how did the advertisers know?  You didn’t sign any rosters or register, so how did they know you were there?

I recently became aware of a new category of computer-evil: stalkerware.  I thought I was being clever and would have the privilege of coining a new term, but a few other people have already coined the term.  However, I would like to propose a slightly different definition.  In an article originally appearing on Motherboard, stalkerware is defined as:

Stalkerware is defined as invasive applications running on computers and smartphones that basically send every bit of information about you to another person. This covers the gamut from programs that can be purchased online to give third parties access to basically everything on your computer from photos, text messages and emails to individual keystrokes, to apps that activate your Mac’s webcam without your knowledge.

I’m not really seeing the difference between this definition and “traditional” spyware, but stalkerware as I define it is:

Software that automatically reports your location on a regular basis without your knowledge or consent.

The stalkerware that Motherboard writes about are dedicated programs or apps that someone deliberately installs on a target’s mobile device in order to track their activity for whatever reason.  Stalkerware as I define it is a little different, in that it is not targeted at one individual.  These are applications that are installed on mobile devices that track your every move–literally stalking you–most likely without your knowledge.

Let me explain how it works.  Let’s say that you have an app installed on your phone that uses your location for some feature of the app–a weather application for instance.  In order to give you accurate and useful information, that app has to access your device’s GPS coordinates and other sources of geo-locational data such as WiFi network name in order to determine your location.  Now, imagine you are the developer who built this weather app.  Since you just built the coolest weather app imaginable, you’d probably like to make some money off of this app.  The easiest way to do so is to sell advertising space within your app.  Now you aren’t going to build your own ad server, so there are various ad-exchanges to whom you can rent space.  Yay!  Now you’re making money right and everyone’s happy!  But there’s a little more to this story.

In order to get those ads, the ad exchange wants to know the users’ location so that it can serve more targeted (and more profitable) ads to the end users.  Therefore, when a user opens your app, the users’ locational data is sent not only to your weather tracking app but also to the ad exchange as well as some allegedly anonymous identifiers so that the ad exchange can track not only your current location, but other locations you visit.  I think everyone knows that Google and other large ad exchanges track your activity in this manner, but what you might not be aware is that smaller exchanges also collect this data and then sell it to 3rd parties.  It is totally unclear to me what if any rules or privacy policies apply to the purchasers of this data.  It is also totally unclear to me how an individual would determine whether your data is held by a given company.

But wait, it gets worse…

I recently was made aware of a company called huq.io which purports to help businesses make “Real World Decisions with Digital Precision”.  Huq’s website makes all kinds of claims about how their data can be used for market intelligence purposes.  However, a quick glance at the “AppOwners” tab reveals a slightly darker side.  To quote the Huq site:

Huq operates the world’s largest consumer research panel, powered by thousands of apps and 10x millions of users around the globe.

I would argue that this really should read,

Huq operates the world’s largest involuntary consumer monitoring network powered by thousands of apps and 10x millions of unwitting users around the globe.

So how does Huq work?  According to their website, all an app owner has to do is embed Huq’s SDK into their app and voila!  Your app is now officially stalkerware… I mean consumer research…

To cut through all the marketing BS, app developers embed Huq’s code into their apps which monitor your every move, transmit that to Huq to be sold in raw form to 3rd parties or included in Huq’s own aggregate analysis.   Don’t take my word for it, you can read the technical documentation on Huq’s github repository (https://github.com/huq-industries/sourcekit-ios).

To be clear, I have not seen Huq’s actual data, and if I had I probably wouldn’t be able to write about it.

Why Does This Matter?

You might be wondering what is the significance of this, so please allow me to elaborate… Stalkerware automatically and regularly transmits your location to a 3rd party.  This type of data typically might contain a timestamp, information about the device (ie Android vs Apple), the geo-coordinates of the device as well as the accuracy, as well as some unique allegedly random identifier for the device.  Individually, this data is not particularly interesting unless the target of said surveillance is of interest, but in aggregate, this data becomes enormously valuable for advertisers, law enforcement, and who knows what else.

The scenario I mentioned at the beginning of this post wasn’t something I made up.  That was based on an article I read written by a company called SafeGraph.  During the protests following the inauguration of President Trump, SafeGraph did an analysis of the protesters to determine where the protests lived.

We can estimate the income levels for attendees of the two events by merging SafeGraph movement data with data from the 2015 American Community Survey (conducted annually by the US Census Bureau). Census data is organized by zip code, and SafeGraph data identifies home zip code based on where the device spends the majority of its time.  (https://blog.safegraph.com/inauguration-attendees-make-significantly-less-money-than-womens-march-attendees-7cb8b056556a)

If you aren’t following this, SafeGraph, used people’s GPS data, most likely without their knowledge, to identify individuals who attended a political event and tracked them to their residences.  Even in the days of the cold war, the STASI, KGB, or any other service never had this level of surveillance on their citizens.

Defending Yourself Against Stalkerware

Unfortunately, I don’t really have a lot to offer here… Really, the only way to completely defend yourself against this kind of stalkerware is to completely disable location services.  However, doing this also limits a lot of the things you probably actually want your mobile device to do.  So short of that, what can you do?

What I’d really like to see happen is for mobile device developers to allow users to control the degree of precision of location that apps can see.  For example, a weather app really just needs to know what city I am in, not whether I am standing in my home or my local grocery store. If users can control and limit the accuracy of data they are providing to 3rd parties, a lot of this data would be considerably less valuable and they would likely stop collecting it.  I believe that on Android devices there are two separate levels of permission for access to locational data, but to the best of my knowledge, iOS does not have this feature.

iOS also allows you to reset the “Advertising Identifier” or unique identifier that identifies you on all these ad networks.  The more frequently you do this, the less valuable the data will be to the ad networks.  Personally, I’d like to see some sort of automated something that resets the advertising identifier every 15 minutes.  This control panel can be found under Settings -> Privacy -> Advertising… naturally all the way at the bottom.

Conclusion

The ongoing degradation of privacy is a great concern of mine.  Society seems to be willing to accept ever growing invasions of our personal privacy.  The law lags woefully behind the state of technology and relatively few people seem to be concerned about changing it.  I believe that all this stems from a lack of understanding in the general public of the implications of mass data collection.  Interestingly, in the last few weeks, there have been several articles in the news about Facebook data being used by a firm called Cambridge Analytica to influence elections.  What I find ironic is that Facebook does this themselves.  Facebook has an entire advertising department dedicated to political campaigns.  You can read about it here: https://politics.fb.com.   It is my hope that the general public becomes more aware of the implications of mass data collection and start to demand more accountability and responsibility from tech companies that collect data.

Share the joy

5 Comments

  1. rootgatehacks@tutanota.com rootgatehacks@tutanota.com

    For spyware detection and protection. For all your cybersecurity issues, mail the username, they have been able to help with a lot lately

  2. Anonymous Anonymous

    If we proceed from the definition of “stalking”, then your definition of “stalkerware” is incorrect, since “stalking” is implied to surveillance an individual.

Leave a Reply

Your email address will not be published. Required fields are marked *