Ell Marquez is a self-described scientific hooligan, infosec noobie, and recovering Linux Administrator. As the creator of the It’s Okay To Be New campaign, she hopes to encourage others to circumvent gatekeeping while enjoying their journey into the land of technology.
Using your skills to help others
As I noted in my earlier post, Mastering the Basics, giving back to the community is an essential part of my journey. Unfortunately, the path to educating and helping others isn’t always clear. But sometimes, opportunities present themselves when you least expect them.
I ran smack into one such opportunity when I met Chris Cox at Black Hat in 2019. I didn’t realize it at the time, but this chance encounter would prove life-changing. Chris told me about the work he was doing through Operation Safe Escape, a 501(c)(3) non-profit dedicated to helping victims of domestic violence take back their digital lives (learn more about their work through Jupiter Extras). This is how I first learned about stalkerware.
What is stalkerware?
While there’s no universally agreed-upon standard definition of stalkerware, the Coalition Against Stalkerware suggests defining it as “software, made available directly to individuals, that enables a remote user to monitor the activities on another user’s device without that user’s consent and without explicit, persistent notification to that user in order to intentionally or unintentionally facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.”
Can stalkerware be considered malware? That’s a gray area. Many stalkerware applications are legally available and marketed as child or employee monitoring solutions. One defining trait of stalkerware is that it can be used without the target’s consent or knowledge. Because stalkerware is often used to monitor spouses and other intimate partners, it’s sometimes called spouseware.
With stalkerware, information such as text messages, calls, GPS locations, and even keystrokes gets sent to a third party without the target’s knowledge. Many stalkerware applications even offer “daily reports” of activities that have occurred on the target device. Stalkerware thus becomes a powerful surveillance tool that allows the attacker/adversary/stalker to take control of their victim’s digital life.
It’s worth pausing here to note that stalkerware is generally legal to purchase and download, but generally illegal to use without the target’s consent (or the approval of the appropriate legal authorities).
How prevalent is this problem?
Kaspersky, a multinational cybersecurity and antivirus provider, reports that from January to August 2019, they registered more than 518,223 cases of stalkerware on users’ devices — a 373% increase from the same period in 2018. For all of 2019, 67,500 unique users were attacked by stalkerware, a 67% increase from 2018. And these are just the numbers from one antivirus company. Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF), reports that many antivirus companies do not detect this type of malware.
According to c|net, 1 in 10 Americans admits to using stalkerware to track their partners or exes.
The current lockdowns and ongoing pandemic have caused a rise in domestic violence reports, while also limiting the victim’s ability to escape. And stalkerware just adds another layer of risk. It may tip an abuser off to the victim’s plans to leave, and if the victim can find the resources to get out, it can let the abuser track them down, creating a higher risk of increased retaliation and even death.
Stalkerware can also have a severe impact on a business. As more employees are working from home and using their work devices for personal use, stalkerware may be installed on corporate-owned devices. If the device were to be used for sensitive data and corporate secrets, the abuser would be able to see every keystroke, rendering company VPNs and encryption useless. This alone could have consequences, since it raises potential regulatory compliance issues in many industries.
Sensitive data could also be leaked and used by others for their own gain. Seem far-fetched? Sophos reports that ClevGuard, makers of consumer-grade stalkerware, recently left their Alibaba cloud storage bucket open and unprotected, leaking private data from thousands of devices. And this wasn’t an isolated incident. In March 2019, for example, records were leaked by MobiiSpy, and mSpy’s database leaked in 2015 and again in 2018, exposing millions of reports.
Although stalkerware is relatively easy to install, the abusers rarely stop there. One of the strengths that the abuser has is that they’re often more technical than the victim. Abusers use stalkerware to convince the victim that their technical skills will always enable them to know whom the target speaks to, what they are doing, and where they are.
You can help by lending your technical knowledge to aid organizations such as Operation Safe Escape, The National Coalition Against Domestic Violence (NCADV), or the Coalition Against Stalkerware. Extending your expertise in this way, you can help shield others from their abuser’s reach.
Are you able to set up secure cloud storage? Do you have experience in application or web development? Your knowledge could be a tremendous help in creating tools that can support these organizations. For example, cloud storage skills could be used to secure copies of a victim’s documents, like birth certificates, passports, or even their children’s photos. Many of these items might not be possible to obtain safely on the day of their escape.
Often, an abuser will sever ties between the victim and their family, or at the very least have their communications under surveillance. Are you familiar with using TailsOS? Educating individuals on how to use TailsOS or other resources can aid in establishing secure and private conversations, in turn enabling families and organizations to assist and provide support in escaping the abuser.
Helping can help you
Already familiar with the technologies above and the concepts presented in my last post about working securely from home? Well, it’s often been said that “if you can’t teach it, you don’t know it”. The best way to test your skills is to pass them on to others.
You can offer to mentor non-profit organizations that require technical expertise. You can help the broader community by writing approachable how-to guides that anyone, regardless of technical aptitude, can understand and follow. You can even help raise stalkerware awareness on your social channels. One tweet, one shared article, one link to a non-profit could be the thing that helps a victim start to chart a path out of their situation.
Not familiar with some of the concepts above? That’s okay, too. Understanding the skills you need to strengthen and develop is the first step in creating an action plan for your growth. Companies are often willing to hire individuals with preliminary knowledge — if they’ve proven they can learn by doing. Make the time to learn the basics and dedicate yourself to hands-on experiences that can set you apart from others in your field. Been around the industry for a while? There are always new things to learn. Why not challenge yourself by learning cloud security or the basics of parsing network traffic through Wireshark?
Special thank you
I want to give a special thanks to Eva Galperin for educating me on the topic, and Chris Cox and all of the volunteers at Operation Safe Escape who volunteer their time and skills to help save lives. I would strongly recommend you take the time to watch Eva speak on stalkerware at SAS.