Stalkerware Exposed – Martijn Grooten, Internews

[00:00:00] Martijn Grooten: Generally when I speak to someone who suspects stalkerware, I don't ask about their phone, I ask about their life. And does your partner or ex-partner... they suddenly know a lot of things that they shouldn't know and let this know to you? If they consistently seem to know the content of your WhatsApp messages with your sister, that could be a telltale sign.

[00:00:21] Cyril Noel-Tagoe: Hello everyone and welcome to Cybersecurity Sessions, our regular podcast exploring all things cybersecurity. I'm your host, Cyril Noel-Tagoe, principal security researcher at Netacea, the world's first fully agentless bot management product. Our reliance on personal mobile devices leaves us vulnerable to attack not just from anonymous criminal groups, but in some cases from those closest to us. Stalkerware, which is tools that enable someone to secretly spy on another person's private life via their mobile device, is a growing concern for security and privacy advocates as well as law enforcement agencies. To discuss more about this growing threat, I'm pleased to welcome my special guest for this episode, Martijn Grooten from the Coalition Against Stalkerware. Welcome Martijn. Thanks for joining us today.

[00:01:07] Martijn Grooten: Thanks for having me.

me

[00:01:08] Cyril Noel-Tagoe: Would you like to start by introducing yourself to our listeners?

[00:01:11] Martijn Grooten: Sure. So I'm Martijn Grooten. I am a Dutch cybersecurity professional, currently based in Greece. I've been working in cybersecurity or digital security almost 16 years now, in various roles. I'm currently working for... my main job is, at an NGO, but I'm not representing them here. And I've done some other work on the side focusing on what we call tech abuse. And one of those projects is the Coalition Against Stalkerware.

[00:01:39] Cyril Noel-Tagoe: And how did you become involved in researching and talk about stalkerware?

[00:01:43] Martijn Grooten: I had been working in cybersecurity for years, and I've always had an interest in the impact of security on vulnerable groups and populations. And one of these vulnerable groups is abuse survivors. People who have a real reason to be worried about their partner or ex-partner, who quite often can be violent. Spying on them, monitoring them, tracking them. And knew some people who were doing some work on stalkerware who were trying to get antivirus companies involved. And at the time I had a job where I was working with a lot of antivirus companies. So I kind of joined these conversations and kind of that's how things started. And that's when we, the group of us, started the Coalition Against Stalkerware over three years ago.

[00:02:26] Cyril Noel-Tagoe: What kind of organizations are involved in the Coalition Against Stalkerware now?

[00:02:30] Martijn Grooten: It's a very large number of organizations. I think we have more than 50, well, at least more than 40 partners, from all over the world. Some of them work directly with survivors. There are some groups that have women's shelters, that run women's shelters. There are a number of organizations that at a national level, focus on domestic abuse or intimate partner violence. We have a fairly large number of cybersecurity companies as well, and I like the mix of those. Like we support each other. We use the technical knowledge of these companies as well as the knowledge of what things are like on the ground to work.

[00:03:08] Cyril Noel-Tagoe: Sure. Let's get into kind of the stalkerware apps themselves, you know, what do they do? What are their kind of core capabilities?

[00:03:16] Martijn Grooten: So stalkerware. a phone thing. So let's just focus on phones. Sure. Stalkerware spies on the activities of the phone and therefore implicitly of the phone's user. It can read messages, it can see who you call. Sometimes it can listen in on calls. It often can see your location and quite often in real time, like where you are at a particular moment, it can sometimes turn on the microphone to listen to its surroundings, listen to conversations happening near the phone. Not all stalkerware has all of these capabilities. But I would also recommend not to overthink if you're worried about stalkerware, assume that it can do a lot and try to mitigate that.

[00:04:01] Cyril Noel-Tagoe: And what's the distinction between stalkerware and and spyware?

[00:04:04] Martijn Grooten: So spyware is generally used as a term for any app that spies on a device, that's a phone or a computer, and its users. And, stalkerware is spyware that is tailored to be used as spy on a partner, which is different from other kinds of spyware, which might be used by criminals who want to spy on someone who's handling a lot of money, to spy on their transactions and maybe redirect them, or the spyware that's used by governments sometimes to track people they suspect of criminal activity. Sometimes people, they just don't like critical journalists, opposition activists.

[00:04:44] Cyril Noel-Tagoe: I mean, in addition to those, we also hear about kind of corporate data collection, you know, like employers, kind of intercepting stuff from employees. And I was speaking recently to some researchers from the University of Bath who were looking into the kind of the ethics and risk around remote employee monitoring software and some of the software they were looking at, worryingly included stuff like key loggers and quite privacy intrusive monitoring. And that kind of sounds quite similar to kind of what you're talking about in stalkerware. do you think there's scenarios where this software, which is advertised as monitoring or legitimate surveillance softwares then abused by stalkers?

[00:05:23] Martijn Grooten: That's definitely the case. Stalkerware, when it's advertised, like on the websites that people can use to buy it, they rarely make it explicit that this is tailored towards abusers. So they say this is for employers to monitor their employees. They sometimes talk about work from home. It's very important to note that, much all stalkerware is hidden, and that's a key feature and I think that employers monitoring employees is a very dubious ethically practice in general, even if it's done openly with explicit knowledge of the employees. But it should never, ever be used in a secret way. And employers should not secretly monitor employees.

[00:06:06] Cyril Noel-Tagoe: Yeah. Yeah, I agree. And yes, some of the stuff they were looking at, you know, we had key loggers, they had, we could turn on the camera and take pictures. I thought that that really looks like something that's probably trying to pretend to be employee monitoring software than it really is. But apart from that, are there other ways, you know, people can get these? Are they advertised on hacker forums or is it really always through these kind of legitimate looking apps?

[00:06:32] Martijn Grooten: There are probably like underground places where people discuss on partners more openly. I mean, most probably these exist. But, and without trying to make it too explicit, because I don't want to give advice to people who want to spy on their partners, because I think that's something you shouldn't do, but yeah, you don't have to go on the dark web, so to say. You can do it all... these things can be found on the open internet and can be purchased on the open internet. You don't have to be like a skilled hacker to use these.

[00:07:08] Cyril Noel-Tagoe: Right. And how are they installed on the victim's device? Is it just you need kind of physical access to the device or can stuff be done kind of remotely?

[00:07:17] Martijn Grooten: Yes, you need physical access. It is extremely rare for this to be installed remotely because phones are actually pretty secure and we know that spyware access is installed remotely. Governments use that sometimes. Your, listeners may have heard of something like Pegasus, but that is orders of magnitudes more complex and also orders of magnitudes more expensive. And that's basically something that an average user cannot get access to. So yes, the stalkerware when it's installed, requires physical access to the device, which is, on the one hand that it's good because it means that, not every abuser has physical access to that, to a target's phone because sometimes the relationship has broken up and they don't have that access anymore. But at the same time, many people still live together. Even if they don't live together, they may have reason to visit each other. I know many cases that are like, they share children, so they visit each other and that's why there's physical contact and short term access to a phone.

[00:08:19] Cyril Noel-Tagoe: You mentioned domestic abuse survivors. Are there any other kind of groups which are affected by stalkerware, or is it really just those?

[00:08:28] Martijn Grooten: There are other groups, when there's like a power imbalance, and one thing, and we know very little about that. But I know anecdotally that that occurs. Migrants who are forced to use traffickers. And they have like a power imbalance there. They're often dependent on these human traffickers and there are cases where they install something on their phone. This may happen with their knowledge because the power imbalance is so that they often don't have a way to refuse these things.

[00:08:58] Cyril Noel-Tagoe: Right.

[00:08:59] Martijn Grooten: is also the case in some domestic abuse situations like, stalkerware, a main feature of stalkerware is that its secret, but not every abuser needs to be secret about spying on them. Sometimes they explicitly tell their partner, ex-partner that they're doing this. And if it's someone who's very violent, there's not always options to refuse them.

[00:09:19] Cyril Noel-Tagoe: Right, because sometimes, you know, even the fact that the victim knows that they'll be spied on as part of the, you know, part of the abuse themselves. That's part of the power play.

[00:09:28] Martijn Grooten: True. And I even know of cases where believe, or I believe they weren't being spied on, but people just claimed that they were spying on someone.

[00:09:38] Cyril Noel-Tagoe: And how widespread is stalkerware, kind in terms of kind of reported cases, or at least anecdotally that you've spoken to people about?

[00:09:47] Martijn Grooten: So, software is really hard to measure. I know some security companies, they measure what people with their security product on their devices see or have on their devices. done some back of the envelope calculations and extrapolated some data. I think that we can confidently talk about a million cases a year.

[00:10:08] Cyril Noel-Tagoe: Oh.

[00:10:08] Martijn Grooten: Yeah, I don't know how many of these are actively being used. How many of these are people are just testing out something without actually using it? people are using it to their children, which is another case that's often sold as, and again, I... if you want to monitor your children, there's no reason to do this secretly.

[00:10:28] Cyril Noel-Tagoe: And lots of phones have kind of parental controls on them anyway, that provide some sort of monitoring.

[00:10:35] Martijn Grooten: Yeah. And good parental control software makes it clear that the phone's being monitored. And I can understand with young children, parents may want to do that, but there's no reason to hide this fact

[00:10:45] Cyril Noel-Tagoe: Yeah.

[00:10:45] Martijn Grooten: the children.

[00:10:46] Cyril Noel-Tagoe: And then kind of those billion or so, is that in specific geographies or is it kind of more of a worldwide thing?

[00:10:53] Martijn Grooten: It is really a worldwide problem. And I don't have a good feeling of if there are certain countries where it's more common than other countries. Recently one of the main stalkerware makers, their database was, I was gonna say hacked, but basically they hadn't secured it. It was basically all out in the open and some people were looking into it and they found the top 10 countries of number of users. And it included the US and the UK because, you know, these are large countries with many people online, but in the top 10 were also Tanzania and Ghana. So it is really a global issue. There may be certain countries where it's more common than others, but I find it really hard to say. It is a global problem.

[00:11:33] Cyril Noel-Tagoe: And then I think in your coalition, you've got kind of representatives from across the globe dealing with it as well. Right. Brilliant. So let's talk about the legality of using this software. Because, cause obviously this, there's gonna be laws around kind of stalking and harassment and domestic abuse. Does this fall into that or because it's through kind of technology, does it fall into some kind of loophole?

[00:11:58] Martijn Grooten: So Stalkerware in itself as software is hard to be banned. And it's probably legal to exist and to purchase in most of the world . Personally, I'm not sure if that's necessarily a bad thing because otherwise you're thinking about banning code, like programming code, and that's a very slippery slope. The use of stalkerware to spy on a partner or an ex-partner, someone else. And I've seen it used like in family, on siblings as well. It is almost always illegal under existing laws, because people have privacy in relationships, there needs to be consent for these things. If there's not, then it's illegal.

[00:12:38] Cyril Noel-Tagoe: And what are some of the telltale signs that there might be stalkerware installed on your device?

[00:12:43] Martijn Grooten: So that's a very good question and there's a lot to say about this. So, I know people who, for testing purposes, installed a lot of stalkerware on their own phone, just to see, and they say there were barely any tell tale signs. The phone didn't run significantly more slowly. Apps didn't suddenly crash. And, and I mention this because sometimes people who are worried, you know, maybe they have an abusive partner, ex-partner, and they're worried about stalkerware. They say, well, my phone suddenly is being funny. And if your phone is being funny, it's always because the phone is old or just buggy or, you know, you've installed too many apps or some of these apps that you install are kind of buggy themselves. The only exception is, that may be noticeable to a normal user is battery life because stalkerware, if it uses location, it needs to turn on GPS. And GPS is just heavy on battery. But there's more to say to this, because sign But there is a big caveat to make here. That's a tell sign of them somehow spying on you, which could be stalkerware, but actually a lot of the cases that I've dealt with, people I've worked with. They didn't have stalkerware on their phone, but, there was something else. For example, access to their Google account

[00:14:00] Cyril Noel-Tagoe: right.

[00:14:00] Martijn Grooten: their Facebook account or some other social media account. And someone who's worried about stalkerware, the first thing I would recommend them to do is just do a security check on all your accounts that you regularly use. Basically think about this password that I use on that. Is there any chance they could guess it or maybe know it? Because people in a relationship share passwords. if you haven't changed that after the relationship goes bad, and people break up. It's possible that someone can still log in. And pretty much all social media or email apps or services let you do a security check so you can see which devices are connected with. So if you use Gmail, you can check your account, you can see, was this account last looked into, which devices are connected to, and if you suddenly see like, "Hey, there's an iPhone access to this Gmail, but I don't use an iPhone."

[00:14:48] Cyril Noel-Tagoe: Yeah.

[00:14:49] Martijn Grooten: And there are ways to kind of exclude someone and, I think it's beyond the scope of this podcast to explain how to do this for every service. But you use Gmail or Yahoo or Outlook, and then it's Facebook, Twitter, Instagram. They all have security checks, and they're usually pretty user friendly, and just use a search engine find them or ask a friend for help to go through, do like a security checkup of your account, if you conclude that, "Okay. There's no access to any of theses account." Then a next step might be, maybe there is something on my phone. And then I would always ask yourself what the question is, because software requires physical access. Could this person have had physical access to my device, to install something.

[00:15:36] Cyril Noel-Tagoe: And does the stalkerware require the device to be rooted or jailbroken?

[00:15:42] Martijn Grooten: On an iPhone? Yes. iPhone, Apple is, at least currently Apple has a very strict policy, so you can't really install an app manually on the phone if it's not on their store. And people have tried to upload stalkerware to the app store and then they got removed. so on an iPhone it requires to be jailbroken. In practice it means that it needs to run an older version of iOS, the operating system, so people can check what version of iOS they're running. If it's the not the latest version, update you don't have to have an excuse to update. Like if you're worried about your partner, updating is a generally good thing for security. recommend that. On your security podcast, I'm sure you've talked about patching, updating is important, so you don't have to say, "I'm doing this because I'm worried about someone's device." If you keep your iPhone up to date, then you have no reason to worry about stalkerware. They may still have access to your Apple account or your Google account, et cetera, because that's still a possible concern but that's much harder to stop. But you can do

[00:16:43] Cyril Noel-Tagoe: Yeah.

[00:16:44] Martijn Grooten: there.

[00:16:59] Cyril Noel-Tagoe: You mentioned earlier around GPS and location tracking. Is that something that you, because I know at least on my Android, right? You can, change which apps have access to the location or kind of switch location off?

[00:17:12] Martijn Grooten: That is actually a very good point. So just to follow up to the previous answer on Android, you don't need to jailbreak or rooted a phone. Someone can install stalkerware on an Android phone. It kind of depends on how new the phone is, but on most phones, someone can install it if they're prepared within a minute or so. And you don't need to do any routine for most functionality anyway. yeah, GPS is, location is a concern now. Let's just focus on Android because that's where we see most stalkerware. Android has a nice feature called a permissions manager, which is in the settings. For example, you can see which apps have access to the location, and you can just go through all these apps. most of these apps are legitimate apps. You may notice like Google Maps, which you may have access to location. We can say a little bit more about Google Maps in a bit, but okay, it's a legitimate app that's not something somebody else installed. You may find Uber or Lyft or something like that, which for reasons need extra location. But you may find a weird app. Now, Stalkerware doesn't, if it's installed, probably doesn't itself by that name, but it may say that it's a calculator app. Now, there's no reason why a calculator app would need access to location, and that's something you find something like that then you can start asking questions, especially if the location access. And you'll see that if you do the go through the permissions and if the location is provided all the time and not just when the app is being in active use.

[00:18:43] Cyril Noel-Tagoe: You mentioned you'll come back to Google Maps.

[00:18:45] Martijn Grooten: Yeah, so, Google Maps, I think by default if you just set it up, asks access for your location and if you set it up, Google knows your location all the time. Now we can discuss whether that's a concern, whether you trust Google, but Google is not gonna share this publicly, like Google uses it data to improve its products, probably to deliver you more targeted ads because it knows about you. But from a someone who's worried about stalking, what is relevant here is that if say your ex-partner has access to your Google account because you haven't changed your password and they still. They can see your location. They can see not in real time, but they can see where you've been. And for some people that's a real concern. And therefore is important to know what apps have your location because you may not care about Google as a company. You may think they might trust them or you just may not be worried about that. But if someone else has access to the location, then they can see where you are. The same for an app like Uber. If someone has access to your Uber, they can see which trips you've taken.

[00:19:47] Cyril Noel-Tagoe: Yeah.

[00:19:47] Martijn Grooten: So if your ex-partner is attached to your Uber account, they can see which trips have they have taken. And sometimes that can be used to intimidate, "Oh, I know where you went", or "Why did you visit this person? I thought you weren't seeing them anymore".

[00:19:58] Cyril Noel-Tagoe: It goes back to that kind of, that first step of checking your, the apps you have and the access to those accounts.

[00:20:05] Martijn Grooten: Yes, yes, exactly.

[00:20:06] Cyril Noel-Tagoe: So if I suspect someone else has installed stalkerware on my device, what can I do about it? Is there a risk involved in removing the app at all?

[00:20:13] Martijn Grooten: Okay, so first I would still, I would again recommend going through your accounts and checking these. In practice based on my own experience, that is far more likely to have happened. I would also do a mental checkup because there's also what we call a social league. Like sometimes people have friends in common. Even if they're broken up, they have friends in common. And this is how information leaks. So this is how they may know a lot about your life, even though you don't share anything with them. Or maybe you're sharing without realizing a lot of things publicly on social media while they're still following you or it's public. So go through all these things. If you've excluded all these possibilities and you still have a good reason to assume they're stalking you. Yes, you can go through the apps. You can go through the permissions manager. That's probably the best way. Like, look at permissions that you think are being exploited like location and check if there's a dubious app, if you find something, you can remove the permission. You can also uninstall the app. That would remove the stalkerware. But one thing, and that's why I like your question. One thing to keep in mind is that, if someone is indeed stalking you this way, they will stop being able to do so. That may be what you want. But I know of cases where people were still in a relationship or still living together at least, and the abuse escalated. It became from monitoring, it became physical because this is, it's about control. So yeah. And actually the same applies if you remove them from your Google account, from your Facebook account, you removed his access, you change your password. Keep this in mind, like if someone is monitoring you and really someone can only decide for themselves, is it safe to remove this access? Is this person going to become more violent, more abusive? not something I can answer for someone, but always ask yourself this question.

[00:21:59] Cyril Noel-Tagoe: And is there anywhere people can go to get advice in those kinds of situations? Cause that feels like quite a big decision to be making.

[00:22:05] Martijn Grooten: It is a big decision. So, are many, many places have like local abuse shelters, some of whom are somewhat set up to some extent to support with what we call tech abuse, which is the use of technology in abuse of relationships. There are also helplines in many countries. In the UK, there's a national domestic abuse helpline at 0808 2000 247. In the US it's 1-807-997-233. That's the domestic abuse hotline. call that if you suspect any kind of domestic abuse, including technology abuse. People can help You can also do that if you, and I said if you suspect someone else, a friend, a relative has some kind of these issues, and I'm saying this because the listeners of this podcast, they're more technical people. They may be asked questions by a relative, like, "Hey, I suspect I have this." And as I always say, stalkerware and any kind of tech abuse is first and foremost, a domestic abuse problem. you may be very confident with technology, you may not be confident with supporting someone. And you can call these helplines if you want help helping someone. And finally, and I think this is an important point to make. Someone may listen to this podcast and they may realize that actually what I'm doing to my partner, ex-partner is not okay. Like, or, "Yeah, I have installed something" or "I'm considering doing that and I need help with that." And these help helplines can also support you in that either directly or they know where you can get help. And that's a really big step too. But I know at least in of one case where a talk I gave led to someone calling such a helpline, or seeking help themselves and deciding not to use technology abuse. And I think that is, that is really, really awesome if this happened. So, yeah, use this if you have any kind of questions about domestic abuse or technology.

[00:24:05] Cyril Noel-Tagoe: Great. That's really useful. And I think we'll make sure those numbers are included in the description for this podcast, so people can take them from there as well. So we've talked about what to do if you suspect stalkerware being on your device, but are there any preventative measures to stop it from being in installed in the first place? You mentioned that you need to have physical access.

[00:24:27] Martijn Grooten: Yeah, so, because it requires physical access to an unlocked device, because someone needs to do something on the device. You can either remove that access if you can somehow keep your phone with you all the time when you are in the same room as your abusive ex-partner or so, you have a passcode on it or a fingerprint or facial recognition. Something that means that someone else cannot unlock your phone. That means that they cannot install stalkerware. Now that's easier said than done, like, can set up obviously or something like that. But it's not always safe for someone to do so, and I think I want to acknowledge that it's very commonly used as an argument, like if relationship is still going on. Like "why do you have a secret passcode on your phone?"

[00:25:08] Cyril Noel-Tagoe: "What are you hiding from me?"

[00:25:09] Martijn Grooten: Exactly. And I understand that it's very hard to do. So I also don't want to shame people who for pragmatic reasons share passcodes with partners because people sometimes do that because, only one phone has the banking app that they both need to use or they wanna check things. People do that, people make their own choices. But if you are able to set up a passcode or a fingerprint or a face facial recognition, so that the person of concern doesn't get access to your phone, that's a great way to work on it.

[00:25:43] Cyril Noel-Tagoe: Well, thank you so much for highlighting such a serious problem and some advice for dealing with it Martijn. Before we close out, do you have any closing advice or comments for our listeners?

[00:25:54] Martijn Grooten: I want to repeat again what I said earlier, that if you are listening to this as a technology expert or security expert that keep in mind that this is first and foremost, a domestic abuse problem. And you may not be an expert on that case. And I say this as someone who initially came to the subject from a technical angle and I've learned a lot. I've done some trainings. I've spoken to a lot of people, gradually feeling more confident in the domestic abuse space to understand that side of the problem. So this is first and foremost, that problem. And don't dive in first. Don't just grab the phone and then try to remove whatever, because we talked about it earlier, before removing first ask the person who's phone it is, is it safe to do so? Secondly, there's no shame in having this happen to you. I mean, it's really bad. It can be really bad. not your fault. And also I really hope that this won't stop you from using technology because technology is great. I've seen how technology can be great support for abused partners, because it helps them connect to relatives. Even when they don't feel safe leaving the house, they can still talk to relatives on social media. I hope people will still keep doing that. And again, pretty much all social media, and other big tech companies, let you do a security checkup, let you check your account for access. Facebook has a, I think Facebook is the best, but is also really good. But really all of them, even TikTok has a way for you to check the security of your account, do like a security checkup and make use of that. Get in habit of doing it regularly, even if you feel that your past it, it just gives you some idea of what's happening to your account.

[00:27:36] Cyril Noel-Tagoe: Thank you so much for your time. I think it's been really interesting in a really useful episode.

[00:27:42] Martijn Grooten: Thanks for having me.

[00:27:43] Cyril Noel-Tagoe: And thank you to all our listeners for tuning into this episode of Cybersecurity Sessions. If you enjoyed this podcast, please be sure to subscribe and like, or leave a review on your podcast platform of choice. We'd love to get your feedback. You can also get in touch with us via our Twitter @CyberSecPod or by email to podcast@netacea.com. Thanks again for listening, and we'll see you again next month.