Google Store is set to ban stalkerware apps but leaves a loophole for hackers to launch services

Google has officially banned stalkerware from the Play Store.

Stalkerware apps let users spy on someone’s phone, tablet or other device without that person’s knowledge or consent, which lets hackers track children, employees, spouses, or even complete strangers.

The tech giant announced the ban, which goes into effect on October 1, in an update Wednesday to its Developer Program policies.

However, the firm will still allow such apps in the store when they are intended for parents to track their children’s online behavior.

This may be a loophole that lets online attackers design applications so that they appear to be family friendly.

MobileSpy is one of three monitoring apps that the FTC recently banned. Google has announced that such ‘stalkerware’ will be prohibited on the Play Store as of October 1.

The company defined stalkerware as ‘code that transmits personal information off the device without adequate notice or consent and doesn’t display a persistent notification that this is happening.’

Such software ‘cannot be used to track a person (a spouse, for example) without their knowledge or permission unless a persistent notification is displayed while the data is being transmitted,’ the policy reads.

But it added that ‘policy compliant apps exclusively designed and marketed for parental (including family) monitoring or enterprise management may distribute on the Play Store with tracking and reporting features.’

As TechRadar points out, this means stalkerware developers can simply disguise their apps as tools for parents, while still selling them to hackers, crooks, stalkers and abusive partners.

Hundreds of stalkerware apps are currently available on the Play Store. These applications will have a 15-day grace period to either change or (theoretically) get off the platform.

Google banned vendors from advertising stalkerware in July, the same month digital security firm Avast released a report indicating that use of spy- and stalkerware had soared 51 percent during the coronavirus lockdown.

‘Stalkerware is a growing category of domestic malware with disturbing and dangerous implications,’ said Avast chief information security officer Jaya Baloo. 

WHAT IS ‘STALKERWARE’?

Stalkerware is software that allows you to spy on someone’s phone or tablet.

Such apps are often advertised to parents who wish to track the online activity of their child, or bosses looking to snoop on their employees.

Typically, stalkerware allows you to remotely intercept messages, photos, browsing history, GPS coordinates and even phone call data.

These apps work by pairing an online account to an app that is installed on the device you wish to spy on.

Users can then remotely access the phone’s data without the owner knowing they are under surveillance.

Stalkerware apps are technically legal, but have stirred controversy in the past when people have employed them for illicit spying. 

‘It steals the physical and online freedom of the victim. Usually installed secretly on mobile phones by so-called friends, jealous spouses, ex-partners, and even concerned parents, stalkerware tracks the physical location of the victim, monitors sites visited on the internet, text messages, and phone calls.’  

Reports of domestic violence have also risen during lockdown.

Stalkerware ‘gives abusers and stalkers a robust and invasive tool to perpetrate harassment, monitoring, stalking, and abuse,’ said Erica Olsen of the National Network to End Domestic Violence, saying it can be ‘terrifying and traumatizing’ for the victim.

Olsen said the spike could be tied to increased detection of stalkerware by victims under stay-at-home orders, or ‘be reflective of an abuser increasing or changing their tactic if the victim is now actually out of the house more often, if they are an essential worker in healthcare, for example.’

In October, the Federal Trade Commission voted unanimously to block the sale of three stalkerware apps produced by Retina-X.

The company previously marketed MobileSpy, PhoneSheriff and TeenShield as subscription apps that help parents monitor their children’s smartphone use by tracking text messages, calls, and GPS location.

In 2018, the three apps had about 18,000 subscribers.

‘Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,’ the FTC’s Andrew Smith said in a statement.

‘Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.’

Retina-X can begin selling the apps again if it can guarantee their use will be limited to children, employees, or adults who have provided written consent.

But experts say such guarantees are almost impossible to enforce.

In 2017, anonymous hackers accessed the stored data Retina-X kept from its users, adding to concerns not only that the apps might be used to spy on a user without their knowledge but also that the company’s safeguards for the data collected from that surveillance were insecure.
