Earlier this year Google removed Stalkerware (Spy Tracker) apps from the Google Play Store after Avast Threat Labs reported on them.

These apps are promoted for genuine purposes such as keeping tabs on loved ones, especially monitoring kids’ activities, or finding one’s phone. However, most of the time they are used for what the name implies – Stalk/Spy.

Some of the things that Stalkerware can do on a victim’s device without being noticed are given below:

  • Track SMS, email, location and third-party messaging apps (WhatsApp, Snapchat, Facebook Messenger, WeChat, Telegram, Hangouts, etc.)
  • Secretly track a person’s activity
  • Access camera and microphone for recording incoming calls, viewing live feeds, etc.
  • Access contact list, call log history, photos and videos, web browsing history, etc.

Infection Vector

Stalkerware is not found only on the Google Play Store; it is mostly found in third-party markets or as a direct download from the vendor website, as shown in Figure 2.

The stalker needs to have at least temporary physical access to the victim’s device to install the app. The app also requests permissions that give it complete control of the victim’s device. For instance, from Figure 1 we can see that the stalker can read your contact list, know your location, know who you have spoken to, etc.

Once installed, these apps try to hide themselves from the user; for obvious reasons, the app does not appear in the App Drawer list. This is possible because these apps typically have no icons and leave no obvious traces of their presence.

Figure 1: Permissions requested by a deceptive Android app
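As an added example (not from the original post or any vendor tool), the two traits described above, broad permission requests and no App Drawer icon, can be checked statically in a decoded AndroidManifest.xml. The sample manifests, package names and the threshold of three sensitive permissions are constructed assumptions; an app that removes its icon only at runtime will not be caught by this check.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permissions matching the capabilities listed in the article.
SENSITIVE = {"android.permission." + p for p in (
    "READ_SMS", "ACCESS_FINE_LOCATION", "RECORD_AUDIO",
    "CAMERA", "READ_CONTACTS", "READ_CALL_LOG")}
MIN_SENSITIVE = 3  # assumed triage threshold, tune for your own corpus

def has_launcher_entry(root):
    """True if an enabled activity/alias declares MAIN + LAUNCHER (an App Drawer icon)."""
    for comp in root.findall(".//activity") + root.findall(".//activity-alias"):
        if comp.get(NS + "enabled") == "false":
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            cats = {c.get(NS + "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False

def triage(manifest_xml):
    """Flag a decoded AndroidManifest.xml that is iconless and permission-heavy."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    sensitive = sorted(requested & SENSITIVE)
    hidden = not has_launcher_entry(root)
    return {"package": root.get("package"), "hidden": hidden,
            "sensitive": sensitive,
            "suspicious": hidden and len(sensitive) >= MIN_SENSITIVE}

# Constructed sample manifests (hypothetical packages, not from any real app).
_PERMS = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                 for p in ("READ_SMS", "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "INTERNET"))
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
_LAUNCH = ('<activity android:name=".Main"><intent-filter>'
           '<action android:name="android.intent.action.MAIN"/>'
           '<category android:name="android.intent.category.LAUNCHER"/>'
           '</intent-filter></activity>')
HIDDEN_APP = (_HEAD % "com.example.hidden" + _PERMS +
              '<application><service android:name=".Collector"/></application></manifest>')
VISIBLE_APP = (_HEAD % "com.example.visible" + _PERMS +
               f'<application>{_LAUNCH}</application></manifest>')

if __name__ == "__main__":
    for sample in (HIDDEN_APP, VISIBLE_APP):
        print(triage(sample))
```

A hit is a triage signal rather than a verdict: legitimate iconless components also exist, so flagged packages still need manual review.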

A few deceptive apps are shown in Figures 2, 3, 4 and 5.

Figure 2: Android Monitor
Figure 3: FreeAndroidSpy
Figure 4: Reptilicus

Some apps instruct the user to enable “Unknown Sources” on the device and to disable “Google Play Protect”, so that the app can be installed and avoids being flagged by a security product.

Figure 5: Spy Phone App

These apps are also seen to violate Google’s Security Policy, as shown in Figure 6.

Figure 6: Google’s Security Policy about deceptive apps

We also noticed that even though many stalkerware apps were removed from the Google Play Store, as mentioned earlier, a few stalkerware apps still remained on the store. For example, EaseMon iSpy Tracker, a parental monitoring app, was still available on the Google Play Store, as shown in Figure 7. However, at the time of publishing this blog, we noticed that the app has subsequently been ejected from the Google Play Store.

Figure 7: EaseMon iSpy Tracker

The detection details are as below:

File name: iSpyTracker (com.aws.ispytracker.apk)

MD5: 6FD9B156316F6AF6C134A0763F731278

Detection name: Spyware ( 00557f6c1 )

AppEsteem, a US-based certifier of apps across platforms, publicly classifies these apps as deceptive, if they violate any of AppEsteem’s deceptor requirements. The app type could be Windows, macOS, Chrome extensions, Affiliates, Download Sites, call centers and, most recently, Android apps. These deceptive apps and deceptor violations are shared with cybersecurity vendors and the world at large.

Figure 8: AppEsteem’s Deceptor page

Tips to stay safe

  • Lock your device by ensuring you set a PIN, pattern or by using biometrics.
  • Never leave your device unattended.
  • Ensure your OS is up-to-date with the latest security patches.
  • Install a reputable mobile security product such as K7 Mobile Security and ensure that it is kept up-to-date.

Indicators of Compromise (IoCs)

| App Name | Hash | Detection Name |
| --- | --- | --- |
| SPAPP Monitoring | 3745E46C14664AEBC8D3D28271F74D91 | Trojan ( 0054fddb1 ) |
| Reptilicus | 8B58CFA79D7A6BA7D95CC0CA7FBB6C06 | Trojan ( 00557ad51 ) |
| Mobile Tool | CFFE2E8644383FA355B8BAC993590B54 | Trojan ( 0054e9761 ) |
| Hoverwatch | 0213169357EFFA5C8BAEC66806318D4A | Trojan ( 00557ad61 ) |
| Free Android Spy | 803EC87ED407BDD67EBE7B0671FFCC15 | Trojan ( 0054e9761 ) |
| Android Monitor | AB80B7240696CCB7DC676CD141C81752 | Trojan ( 0054e9761 ) |
