The nasty breed of commercial software used to monitor foes and prey has reached new levels of sophistication and illegality.

Stalkerware is commercial software that is usually used to secretly monitor colleagues, partners or other acquaintances. While most stalkerware will facilitate monitoring and control without cybersecurity consequences, a malicious new breed has been detected.

Kaspersky researchers have found a new specimen of stalkerware named MonitorMinor, that this enables stalkers to covertly access any data, track activity on targeted devices, and even spy on the users’ contents in the popular messaging services and social networks.

The creators of MonitorMinor even go through obfuscation of the application, demonstrating that they are well aware of the existence of anti-stalkerware tools and try to counter them. While primitive stalkerware uses geofencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data, MonitorMinor goes a few steps further. Recognizing the importance of messengers as a means of data collection, this software aims to get access to data from all the most popular modern communication tools.

Active in rooted or unrooted devices

In a stock build of a mobile device running the Android operating system, direct communication between apps is prevented by the sandbox. However, if a user already has root access to the device, MonitorMinor can install a superuser-type app (SU utility) to bypass all security mechanisms of the device. Using this utility, the creators of MonitorMinor can gain full access to data on a variety of popular social media and messaging applications installed on the device, such as Hangouts, Instagram, Skype, Snapchat and others.

Furthermore, using root privileges, the stalkerware is able to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. This is a unique feature that Kaspersky has previously not identified in any mobile platform threats.

Even without root access, the MonitorMinor can operate effectively by abusing the Accessibility Service API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.

Other features available in this stalkerware gives operators the ability to:

  • Control devices using SMS commands
  • View real-time video from device cameras
  • Record sound from the device microphones
  • View browsing history in Google Chrome
  • View usage statistics for certain apps
  • View the contents of a device’s internal storage
  • View contacts lists
  • View system logs

Comments Victor Chebyshev, Kaspersky’s research development team lead: “MonitorMinor is superior to other stalkerware in many aspects and implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. This particular application is incredibly invasive—it completely strips the victim of any privacy, and even enables the attacker to retrospectively look into what the victims has been doing before.”

The existence of such commercial applications underlines the importance of protection from stalkerware and the need for joint efforts in the fight for privacy. “This is why it is important to highlight this application which, in the hands of abusers, could become the ultimate instrument for control. We have also pre-emptively shared information about this software with the Coalition Against Stalkerware partners, to protect as many users as possible, as soon as we can,” said Chebyshev.

According to Kaspersky’s telemetry data, India currently has the largest share of installations of this stalkerware (14.71%). Mexico (11.76%) is next, followed by Germany, Saudi Arabia, and the UK (5.88% in each country).

Said Erica Olsen, Director of the Safety Net Project at the National Network to End Domestic Violence, a member-organization of the Coalition Against Stalkerware: “Our issue with stalkerware apps is not just their marketing, but their core functionality. Rampant stealth access, with no notifications to the user, creates an app that is truly designed to illegally stalk or monitor another person. We should minimize how invasive and abusive these apps can be. Regulations are needed to address the basic design features.”

Tips for foiling stalkerware

To minimize the risk of falling victim to a stalker, Kaspersky recommends the following practices:

  • Block the installation of programs from unknown sources in your smartphone’s settings
  • Never disclose the password or passcode of your mobile device, even if it is with someone you trust
  • If you are leaving a relationship, change all security settings on your mobile device, such as passwords and applications’ location-access settings. An ex may try to acquire your personal information in order to manipulate you
  • Check the list of installed applications on your devices to find out if suspicious programs have been installed without your consent
  • Use a reliable security solution that notifies you about the presence of commercial spyware programs aimed at invading your privacy on your phone
  • If you think you are a victim of stalking and need help, contact a relevant organization for professional advice
  • There are resources that can assist victims of domestic violence, dating violence, stalking and sexual violence. If you have questions about stalkerware and would like assistance, please contact the Coalition against Stalkerware, formed by not-for-profit groups and IT security organizations: