
EFF's Eva Galperin to give talk at Kaspersky Security Analyst Summit calling for public response to "stalkerware" epidemic

kuhnertdm

Source: https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/


Story: Eva Galperin, head of the Electronic Frontier Foundation's Threat Lab, will be giving a talk at the Kaspersky Security Analyst Summit next week in Singapore, describing her experience in helping victims of domestic abuse when abusers have compromised the victim's cell phone, and calling on antivirus companies, phone manufacturers, and public officials to start taking the threats seriously.


"Stalkerware" is a type of spyware, typically marketed as a tool for parents to keep track of what their kids are doing on their phones, or potentially even where the phones are traveling with GPS data, or some other legitimate purpose. However, it's become a common tool of domestic abusers. Abusers are able to see everything that goes on on the victim's phone, including stealing things like photos and browsing history. Spyware like this has been historically deemed less of an important threat, as it requires a malicious actor to have local access to the phone to install it. In traditional threat models, the attacker typically does not have local access to the device, but in cases like this, it's very easy for an abuser to be alone with the device for enough time to install an app, sometimes directly from the app store. Galperin is calling on companies like Kaspersky to start taking the threat more seriously.


Galperin has already made great progress with Kaspersky themselves, who have now implemented much stronger warnings when apps that may violate the user's privacy are found. Previously, their Android antivirus app just displayed a generic categorization of "not-a-virus" and gave the user an option to delete the malware or ignore it. Now, the app gives a much more descriptive warning of the dangers of the malware:

[Image: screenshot of the Kaspersky Android app's new, more descriptive warning. Image provided by Kaspersky, sourced through the linked Wired article.]

In addition to phone antivirus providers, Galperin is also challenging other groups to respond to the problem of stalkerware. Apple does not allow antivirus apps on the iOS app store. So, she is calling the phone manufacturer out to challenge them to more strictly monitor the app store for stalkerware apps that may be posing as the "kid tracker" apps mentioned above. In addition, she will be calling on them to put more resources into displaying warnings to the user when their phone has been jailbroken, so that they will be aware if it was done without their knowledge. That said, it's traditionally difficult for Apple to detect this software-side, or otherwise it would be much more difficult to jailbreak an iPhone in the first place.


Finally, she plans to issue challenges to public officials. Existing US cybersecurity laws are notoriously strict, and it should be incredibly easy to throw charges at providers of this type of software that can be used to track someone without their consent.


Galperin's work in this field began when she realized that a fellow security researcher had been using his skillset to abuse multiple women, installing spyware on their phones for the purposes of spying, blackmail, etc. She made a public call on Twitter for women who have been victims of this practice to get in contact so that she could help them. Recently, she has decided that she needs to go for the source, and stop this software from being so readily available to abusers.


Opinion: This is incredibly important, and as a security engineer myself, it surprised me after reading this article how none of this had occurred to me in the past. From a traditional standpoint, you wouldn't think of apps like kid trackers as a big problem, as they have a legitimate use, and can't be easily installed on the device remotely. In addition, it's not exactly intuitive for antiviruses to say "You have an app on your phone that is meant to track your phone's location and report it to someone", as you'd think that the user of the device would know if they installed something like that. But honestly, the question of "was this installed by a user local to the device" shouldn't ever really be a factor in whether it's deemed a problem to be reported, as it can still be installed local to the device, without the primary user's knowledge.


A system-level identity masking option without needing to root, à la XPrivacyLua, would be really useful.


You know what's even better? Pollute your phone identity with malicious scripts intended to harm databases.


This is a pretty interesting topic; I've seen something similar before, but not in this context. It makes me wonder: does using an app like this constitute abuse if you have suspicions of your significant other cheating on you? I mean, it's still a violation of privacy regardless, but I wonder where the line is drawn. It matters a lot how it's done as well; I'm sure there are some slightly less unreasonable use cases for this occurrence, granted it's no replacement for an honest and personal conversation with your partner.


So, when are they going to address Android's "Location access" switch that literally does nothing? Have it on or off, Google still tracks you no matter what. The thing is so bad and carelessly designed that I ditched Android and went with iOS for this very reason. Expensive change, but fuck you Google.


As for this "stalkerware", while Apple doesn't have it as such, connected iCloud can be used in such a way. Make sure to remove traces and logins when selling phones and changing logins when escaping abusers who may track you that way. I've seen a lot of stuff on Reddit where boyfriends/girlfriends/wife/husband/dog were accessing data through iCloud login...


Just now, fasauceome said:

It makes me wonder: does using an app like this constitute abuse if you have suspicions of your significant other cheating on you? I mean, it's still a violation of privacy regardless, but I wonder where the line is drawn.

A situation like that goes from one person being wrong and a shitty person, to both people being wrong and shitty persons.


1 minute ago, Suika said:

A situation like that goes from one person being wrong and a shitty person, to both people being wrong and shitty persons.

Assumedly they're only both shitty if one of them is actually cheating. Still, since this is a relatively new phenomenon, I wonder where the courts will decide what's a dick move and what's a form of abuse. A person who's cheating can still be abused so it's not like stalking is the apt punishment for cheating.


This is a very complex topic; I don't think there is an answer. If this software was being written in such a way that it could be installed remotely without the victim's knowledge, then demanding that all companies involved be more proactive is fine, but when it comes to having local access to the device, this greatly reduces what companies can do about it, especially when devices these days have personal locks like pattern, PIN, fingerprint security etc.


16 hours ago, fasauceome said:

Assumedly they're only both shitty if one of them is actually cheating. Still, since this is a relatively new phenomenon, I wonder where the courts will decide what's a dick move and what's a form of abuse. A person who's cheating can still be abused so it's not like stalking is the apt punishment for cheating.

I'm remembering a very long interview with John McAfee where he basically stated the following:


"If everyone knew everything about everyone else, society would immediately break down, beginning with a string of spousal shootings"


As well as


"If someone had complete and total access to your location data, it would not be difficult to convince your spouse that you are in fact cheating on them".


And yet people still act like he's the crazy one.


16 hours ago, fasauceome said:

It makes me wonder: does using an app like this constitute abuse if you have suspicions of your significant other cheating on you?

Yes. Cheating is despicable, but not illegal - unlike privacy violations, which are both. You don't own your partner's body, you don't have a right to spy on them even if you think they're seeing someone else. If your relationship is at a point where you have so little trust in your partner, it's clearly not working out anyway.

