No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps
Authors: Enze Liu (UC San Diego), Sumanth Rao (UC San Diego), Sam Havron (Cornell Tech), Grant Ho (UC San Diego), Stefan Savage (UC San Diego), Geoffrey M. Voelker (UC San Diego), Damon McCoy (New York University)
Volume: 2023
Issue: 1
Pages: 207–224
DOI: https://doi.org/10.56553/popets-2023-0013
Abstract: Consumer mobile spyware apps covertly monitor a user's activities (i.e., text messages, phone calls, e-mail, location, etc.) and transmit that information over the Internet to support remote surveillance. Unlike conceptually similar apps used for state espionage, so-called "stalkerware" apps are mass-marketed to consumers on a retail basis and expose a far broader range of victims to invasive monitoring. Today the market for such apps is large enough to support dozens of competitors, with individual vendors reportedly monitoring hundreds of thousands of phones. However, while the research community is well aware of the existence of such apps, our understanding of the mechanisms they use to operate remains ad hoc. In this work, we perform an in-depth technical analysis of 14 distinct leading mobile spyware apps targeting Android phones. We document the range of mechanisms used to monitor user activity of various kinds (e.g., photos, text messages, live microphone access) — primarily through the creative abuse of Android APIs. We also discover previously undocumented methods these apps use to hide from detection and to achieve persistence. Additionally, we document the measures taken by each app to protect the privacy of the sensitive data they collect, identifying a range of failings on the part of spyware vendors (including privacy-sensitive data sent in the clear or stored in the cloud with little or no protection).
Keywords: Android Spyware, Android Security, Consumer Spyware Apps, Reverse Engineering, Android API Abuse
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.