The apps had been installed more than 130,000 times and promoted stalking people’s location and providing call logs.
You’d think it would be difficult to find an app that can secretly track a person’s every move. But researchers have found them right in the open on Google’s Play Store.
Antivirus company Avast said Wednesday that it’s found seven stalkerware apps available on Android’s market. In all, they had been installed more than 130,000 times. Google removed four of the apps after Avast reported the privacy violations on Tuesday, and removed the last three on Wednesday.
Google said its policy prohibits commercial spyware apps and encourages people to report any apps that violate its standards.
Stalkerware apps often pose as software designed for children’s safety or finding stolen phones, but they are mostly used for abusers stalking people in personal relationships. They have the ability to track and send location data, as well as provide contacts, call logs and text messages.
On “Spy Tracker,” an app that promotes itself as a way to keep kids safe, the majority of the reviews are centered around surveilling their significant others. The attackers need physical access to the victims’ devices to install these apps, but can keep them relatively hidden as they secretly track a person’s every move.
“These apps are highly unethical and problematic for people’s privacy and shouldn’t be on the Google Play Store, as they promote criminal behavior, and can be abused by employers, stalkers or abusive partners to spy on their victims,” Nikolaos Chrysaidos, Avast’s head of mobile threat intelligence and security, said in a statement. “Some of these apps are offered as parental control apps, but their descriptions draw a different picture, telling users the app allows them to ‘keep an eye on cheaters.'”
It’s hard to tell if your device has stalkerware installed on it, as researchers found in 2018 that many antivirus programs didn’t flag known stalkerware apps.
On all seven of the apps that Chrysaidos discovered, they prompted the attacker to install other software and then delete the initial download. That allowed these stalkerware apps to spy on victims without an app icon, so people wouldn’t know they were being tracked.
In April, cybersecurity company Kaspersky announced that it would start clamping down on stalkerware as malicious trackers and warn people if they are being surveilled.
In 2018 alone, Kaspersky’s antivirus discovered stalkerware on 58,487 devices. Other antivirus companies, like Symantec, Malwarebytes and Lookout, also noted that they were ramping up their efforts to block stalkerware. Avast said its threat detection also detects stalkerware and warns its users.
The developers behind the stalkerware apps didn’t immediately respond to requests for comment.
Originally published July 17, 10:46 a.m. PT.
Update, 12:43 p.m. PT: Adds response from Google.