Android Stalkerware: Hunting, analysis, and detection

Shankar Raman Ravindran

NortonLifeLock

Abstract:

Stalkerware can be considered as a variant of Spyware. With the advent of smartphones, they are now available to everyone in a pretense of regular parental control and tracking applications. Stalkerware is the term we use to call them when they violate certain conditions that affect the user’s privacy.

Stalkerware applications were made available to the public via PlayStore, 3rd party App stores, and vendor websites. Google removed most of them from PlayStore a couple of years back, but many App stores did not. Despite Google’s efforts, developers are finding ways to spread Stalkerware applications using PlayStore. We came across one such case during our research and reported them to PlayStore.

3rd party App stores are widespread and highly used across different countries and languages. Stalkerware applications residing in the App stores are still freely available for the public to download. With this app, unskilled mobile users can snoop around their partners, friends, and family members. We found that Search engine operators (Google, Bing) can come in handy for hunting stalkerware applications. It is also possible to automate the hunting process using these search operators with the help of SERP APIs. We will discuss the hunting techniques here.

Stalkerware application has grown a lot in recent days in terms of functionalities offered: from a simple program that silently transmits SMS, location details to a complex one that exfiltrates WhatsApp messages, Keystrokes, and other sensitive information. The popular Stalkerware programs in the market usually collect these data and store them on a remote server, while applications on App stores provide options to transmit these sensitive data via Email, SMS, or even to a configured IP address. We will analyze a couple of them and explore the technical details required for the next section of the talk.

Android provides a wide range of APIs and developers use these APIs to implement features in their applications. So, APIs reflect the behavior of the applications. Chaining API calls is one of the techniques used in detecting (static) malicious applications. A class of Stalkerware applications can be detected effectively using the technique – by chaining the forensic artifacts, standard Android: API methods, class names, alongside the string constants (such as the content URI path) found in the application. We demonstrate the detection with the help of a simple PoC written using the androguard Python library.