Software named MonitorMinor enables stalkers to covertly access any data and track activity on the devices they are monitoring, including activity in the most popular messaging services and social networks.
The very essence of stalkerware undermines user privacy, putting many people’s personal information and personal lives at risk. If people’s data is being monitored and controlled, the result is often consequences for the victims that go beyond the cyber realm. The creators of MonitorMinor even obfuscate the application, demonstrating that they are well aware of the existence of anti-stalkerware tools and try to counter them.
While primitive stalkerware uses geofencing technology, enabling the operator to track the victim’s location, and in most cases intercept SMS and call data, MonitorMinor goes a few steps further. Recognising the importance of messengers as a means of data collection, this software aims to get access to data from all the most popular modern communication tools.
While, in a ‘clean’ Android operating system, direct communication between apps is prevented by the sandbox, the situation can be changed if a superuser-type app (SU utility) is installed, which grants root access to the system. Security mechanisms of the device no longer exist once this SU utility is installed. Using this utility, the creators of MonitorMinor enable full access to data on a variety of popular social media and messaging applications such as Hangouts, Instagram, Skype, Snapchat and others.
By using root privileges, the stalkerware is able to access screen unlock patterns, enabling the stalkerware operator to unlock the device when it is nearby or when they next have physical access to the device. Kaspersky has not previously identified this unique feature in any mobile platform threats.
The stalkerware can still operate effectively even without root access by abusing the Accessibility Service API, which is designed to make devices friendly for users with disabilities. Using this API, the stalkerware is able to intercept any events in the applications and broadcast live audio.
Other features available in this stalkerware give operators the ability to:
Control devices using SMS commands
View real-time video from device cameras
Record sound from the device microphones
View browsing history in Google Chrome
View usage statistics for certain apps
View the contents of a device’s internal storage
View contact lists
View system logs
“MonitorMinor is superior to other stalkerware in many aspects and implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. This particular application is incredibly invasive – it completely strips the victim of any privacy in using their devices, and even enables the attacker to retrospectively look into what the victim has been doing before,” comments Victor Chebyshev, Kaspersky research development team lead.
“Existence of such applications underlines the importance of protection from stalkerware and the need for joint effort in the fight for privacy. This is why it is important to highlight this application to our users which, in the hands of the abusers, could become the ultimate instrument for control. We have also pre-emptively shared information about this software with the Coalition Against Stalkerware partners, to protect as many users as possible, as soon as we can.”
Erica Olsen, Director of the Safety Net Project at the National Network to End Domestic Violence, a member-organization of the Coalition Against Stalkerware, added:
“Our issue with stalkerware apps is not just their marketing, but their core functionality. Rampant stealth access, with no notifications to the user, creates an app that is truly designed to illegally stalk or monitor another person. We should not minimize how invasive and abusive these apps can be. Regulations are needed to address the basic design features.”
According to Kaspersky telemetry, India currently has the largest share of installations of this stalkerware (14.71%). Mexico (11.76%) is next, followed by Germany, Saudi Arabia, and the UK (5.88% in each country), the other countries that have seen the most use of this new type of stalkerware.