The state of stalkerware in 2020( PDF )

Main findings

Kaspersky’s data shows that the scale of the stalkerware issue had not been able to improved much in 2020 compared to the last year 😛 TAGEND

The number of people affected is still high. In total, 53,870 of our mobile customers has an effect globally by stalkerware in 2020. Keeping in intellect the big picture, these numbers simply include Kaspersky customers, and the total global numbers will be higher. Some affected customers may use another cybersecurity answer on their machines, while some do not use any solution at all. With more than 8,100 consumers affected globally, Nidb is the most used stalkerware sample, according to our 2020 stats. This sample is used to sell a number of different stalkerware products such as iSpyoo, TheTruthSpy and Copy9 among others. In terms of geographic spread, we determine a largely consistent trend emerging: Russia, Brazil, and the United Nation of America( USA) remain the most affected countries globally, and they are the three resulting countries in 2020. In Europe, Germany, Italy and the United Kingdom( UK) are the top three most-affected countries respectively.

Introduction and methodology

Technology has enabled people to connect more than ever before. We is able to digitally share our lives with our partner, family, and friends regardless of how far we are physically. Yet, we are also seeing a rise in software that enables users to remotely spy on another person’s life via their digital machine, without the affected consumer making their permission or being notified.

The software, known as stalkerware, is commercially available to everyone with access to the internet. The hazards of stalkerware can go beyond the online realm and enter the physical world. The Coalition Against Stalkerware warns that stalkerware” may facilitate intimate partner surveillance, harassment, mistreat, stalking, and/ or violence .” Stalkerware can also operate in stealth mode, meaning that there is no icon displayed on the device to indicate its presence and it is not visible to the affected consumer. The majority of affected users do not even know this type of software exists. This means they cannot protect themselves, online or offline, especially as the perpetrator applying stalkerware usually knows their victim personally.

In recent years, Kaspersky has been actively working with partners to objective the use of stalkerware. In 2019, we created a special alert that advises consumers if stalkerware is installed on their telephones. Following that we became one of ten founding members of the Coalition Against Stalkerware. We also published our first full report on the nation of stalkerware in the same year to understand the scale of the problem.

This report continues to examine the issue of stalkerware and presents new statistics from 2020, in comparison to our previous data. The data in this report has been taken from aggregated threat statistics obtain access to the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of voluntary participates around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions.

The issue of, and the narrative behind, stalkerware

Stalkerware is software that is commercially available to everyone with access to the internet. It is used to spy remotely on another person via their device, without the affected consumer devoting their consent or being notified. Stalkerware operates in stealth mode, meaning that there is no icon displayed on the device indicating its existence, and it is not visible to the affected consumer. Therefore, the Coalition Against Stalkerware defines stalkerware as software which” may facilitate intimate partner surveillance, harassment, mistreat, stalking, and/ or violence “.

The dimension of cyberviolence

According to a report by the European Institute for Gender Equality,” seven in ten women in Europe who have experienced cyberstalking have also experience at least one kind of physical and/ or sexual violence from an intimate collaborator “. Echoing these findings, experts from non-profit organizations( NPOs) that assistance domestic mistreat survivors and victims emphasize that cyberstalking is also a sort of violence. Only as with physical, psychological, and economic violence, an abuser can use surveillance to obtain complete control of their victim/ survivor[ 1 ] and stay in charge of the situation.

Using stalkerware, the extent of control held by the abuser can be immense. Depending on the type installed, stalkerware may have a variety of parts to intrude into the victim’s privacy. With the software’s help, an abuser can 😛 TAGEND

Read anything the surveilled person types- logging each keystroke on the machine, including credentials to any kind of services such as banking applications, online shops and social networks, etc. Know where then there- by tracking a person’s movements with GPS, in real period Hear “what theyre saying”- eavesdrop on calls, or even record them Read messages on any messenger, regardless of whether encryption is used Monitor social network activity See photos and videos Switch on the camera

All of this private information can be collected, typically from a mobile machine, such as a tablet or a smartphone.

Non-profit organisations from the Coalition Against Stalkerware are experiencing a growing number of survivors attempting assist with their own problems 😛 TAGEND

Findings from the Second National Survey on technology abuse and domestic violence in Australia, launched by WESNET with the assistance of Dr. Delanie Woodlock and researchers from Curtin University, state that 99.3% of family violence practitioners have clients experiencing technology-facilitated abuse and that the use of video cameras increased by 183.2% between 2015 and 2020. According to a study on cyberviolence in intimate relationships, conducted by the Centre Hubertine Auclert in France, 21% of victims have experienced stalkerware at the hands of their abusive spouse, and 69% of victims have the feeling that the personal information on their smartphone has been accessed by their partner in a concealed lane. In Germany, for several years, Women’s Counselling Centers and Rape Crisis Centers( bff) have noticed an increasing use of stalkerware in conjunction with partner relationships. In the USA, stalking impacts an estimated 6-7. 5 million people over a one-year period, and one-in-four victims report being stalked through some form of technology, according to the Stalking Prevention Awareness& Resource Center( SPARC ).

Physical access is the key

Unfortunately, it is not too difficult to secretly install stalkerware on a victim’s phone. The main obstacle that exists is that stalkerware ought to have configured on an affected machine. Due to the distribution vector of such applications which are very different from common malware distribution schemes, it is impossible to get infected with a stalkerware through a spam message including a link to stalkerware or a trap via normal web surfing.

This means that the abuser will need to have physical access to the target device in order to install stalkerware. This is possible if the machine either has no pin, pattern, or password to protect it or alternatively, the abuser knows the victim/ survivor personally. Installation on the target device can be completed within a few minutes.

Prior to accessing the survivor’s device, the abuser has to collect a link to the installation package from the stalkerware developer’s webpage. In most cases, the software is not downloaded from an official application store. For Android devices, Google banned applications that are clearly stalkerware from its Google Play application store in 2020. This signifies the abuser will not be able to install such an application from the general app store. Instead, the abuser must follow several steps before being able to install stalkerware. As a outcome, the abuser may leave traces in the machine specifies that a user can check if they are concerned they may be being spied on.

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this restriction on jailbroken iPhones. They still need physical access to the phone to jailbreak it, so iPhone users who panic surveillance should ever keep an eye on their device. Alternatively, an abuser is available with their victim an iPhone- or any other device- with pre-installed stalkerware as a gift. There are many companies who make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory package to celebrate a special occasion.

The risk of privacy leaks

The information monitored via stalkerware will be available to at least one person- the abuser who installed stalkerware on the survivor’s phone. However, sometimes it is possible that all the private data may become publically available. Time on time, stalkerware servers are either hacked or left openly unprotected so that info can be accessed and leaked online. For example, in 2020, such a data breach passed due to a product provided by ClevGuard. In previous years, we have seen similar incidents with Mobiispy in 2019 and with MSpy in 2018 and 2015.

These are just a few examples of a long list in which databases from companies developing stalkerware have been uncovered, affecting millions of user reports. With the possibility to track a person’s location, it means that not only their cyberprivacy is lost but likewise their security in the physical world may be at risk.

The legal status

Stalkerware applications are sold and provided by companies under various facades, such as child monitoring or employee tracking solutions. While laws vary from one country and state to another, they are catching up. Generally speaking, it is only illegal to use such tools and apps that record customer activity without their permission or that of legal authority. Slowly we are seeing some shifts in legislation. For instance, in 2020, France reinforced sanctions on secret surveillance: geolocating someone without their permission is now punishable with one year imprisonment and a fine of 45, 000 euros. If this is done within a pair, the sanctions are potentially higher, including two years’ incarceration and a fine of 60,000 euros.

Stalkerware tools often transgres laws and expose the stalker to legal liability for any recordings built without the victim’s knowledge. Stalkers must realize that they are breaking the law. If the use of stalkerware is reported, the penalty is applied to the private perpetrator who installed the software- not its vendor. In the USA, simply two stalking app developers have been fined in recent history. One had to pay a record 500,000 US dollar fine, which put an end to the app development process, while the other get off with an order to alter the app’s functionality for future sales.

The scale of the issue Global detection figures- affected customers

In this section, we look at the world numbers of unique consumers whose mobile device was found to have stalkerware detected.

The 2020 data shows that the stalkerware situation had not been able to improved much: the number of affected people is still high. A total of 53, 870 unique consumers were affected globally by stalkerware in 2020. Whereas in 2019, 67,500 unique customers were affected globally. However, the fact must be taken into account that 2020 was an unprecedented time in which lives have changed in a dramatic way across the globe.

To fight the COVID-1 9 pandemic, all countries in the world have faced massive limiteds such as self-isolation measures or lockdowns in order to be allowed to to attain people stay at home. Considering that stalkerware is used as another tool to control an intimate spouse who the abuser lives with as they go about their day-to-day life, this can explain the somewhat lower numbers in comparison with the previous year.

! role( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, n, o.src= “https :// js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( document, 0, “infogram-async” );

Unique customers affected by stalkerware globally from 2018 until 2020- total per year( download)

When looking at the figures of the total number of unique users affected by stalkerware in 2020 worldwide per month, this trend becomes even more noticeable. The first 2 month of its first year were stable with many cases of affected devices starting, depicting stalkerware was quite popular. The situation changed in March when many countries decided to announce quarantine measures. The curve indicates current trends that the numbers began to stabilize as of June 2020 when many countries around the world eased restrictions.

! role( e, i, n, s ) var t= “InfogramEmbeds”, d= e.getElementsByTagName( “script” )[ 0 ]; if( window[ t ]&& window[ t ]. initialized) window[ t ]. process && window[ t ]. process (); else if (! e.getElementById( n )) var o= e.createElement( “script” ); o.async= 1, n, o.src= “https :// js/ dist/ embed-loader-min.js”, d.parentNode.insertBefore( o, d )( record, 0, “infogram-async” );

Unique customers affected by stalkerware in 2020 worldwide- total by month( download)

That said, the 2020 numbers are still on a high, stable degree. In comparison, in 2018, there were 40,173 detectings of unique customers being affected globally by stalkerware. This brings into perspective the total numbers from 2020, as we have seen a growing integration of technology into our lives. Sadly, this also entails the software used for stalking is becoming more common as another form of intimate collaborator violence.

World detection figures- stalkerware samples

In this section, we analyze which stalkerware samples are actually the most used to control mobile machines on a global level. In 2020 “the worlds largest” saw samples can be seen in the following results.

Top 10 most detected stalkerware samples globally

Samples Affected customers

1 Monitor.AndroidOS.Nidb.a 8147

2 Monitor.AndroidOS.Cerberus.a 5429

3 2727

4 Monitor.AndroidOS.Anlost.a 2234

5 Monitor.AndroidOS.MobileTracker.c 2161

6 Monitor.AndroidOS.PhoneSpy.b 1774

7 Monitor.AndroidOS.Agent.hb 1463

8 Monitor.AndroidOS.Cerberus.b 1310

9 Monitor.AndroidOS.Reptilic.a 1302

10 Monitor.AndroidOS.SecretCam.a 1124

With more than 8,100 users having been affected by it, Nidb was the most used stalkerware sample in 2020. The Nidb creator sells their product as Stalkerware as a Service. This means that anyone could rent their control server software and mobile application, rename it to any suitable marketing name and sell it separately–examples of this include iSpyoo, TheTruthSpy, Copy9, and others. Both second and eighth place are occupied by Cerberus. These are two separate samples under the same family. Variant Cerberus.a affected more than 5,400 users. comes in third place, with more than 2,700 consumers having been affected. This is marketed as Track My Phone and has typical features such as reading messages from any messenger, logging a person’s call history, and tracking geolocation. Anlost.a is another example of stalkerware in disguise. It is advertised as an antitheft application, and its icon is still in the home screen( not usual behaviour for stealthy stalkerware apps ). Therefore, it is available on the Google Play Store. That said, it is possible to deliberately conceal the icon from the home screen. One of its most important functionalities of the application is to intercept SMS messages and read the call log. More than 2,200 consumers having been affected by this sample. MobileTracker.c has two or more functionalities such as intercepting messages from popular social networks and taking remote control of the affected device. More than 2,100 customers having been affected by this sample. PhoneSpy is also known as Spy Phone app or Spapp Monitoring. This application consists of many snoop features, covering all popular instant messengers and social networks. Agent.hb is another version of MobileTracker. Like the original version, it offers many functionalities. Cerberus.b, a different sample from the same family as Cerberus.a. Reptilic.a is stalkerware that includes many features such as social media monitoring, call recordings, and browser history monitoring. SecretCam.a is camera stalking software, entailing it is able to secretly record video from the front or back camera of the affected device.

Geography of affected customers

Stalkerware is a world phenomenon that affects countries irrespective of size, culture, or culture. When looking at the top 10 affected countries worldwide in 2020, Kaspersky’s findings show that largely the same countries remain the most affected, with Russia in the number one spot. Yet, we ascertain an increase in stalkerware activity in Brazil and the USA in 2020 compared to 2019. However, we saw fewer incidents in India, which has fallen in the rankings. We have been previously detected a higher number of incidents in Mexico, which has risen in the ranking two places.

Top 10 most affected countries by stalkerware- globally

Country Affected users

1 Russian Federation 12389 2 Brazil 6523

3 United States of America 4745 4 India 4627

5 Mexico 1570

6 Germany 1547

7 Iran 1345

8 Italy 1144

9 United Kingdom 1009

10 Saudi Arabia 968

When considering Europe, Germany, Italy and the UK are the three most severely affected countries, in that order. They are followed by France in fourth place and Spain in fifth place.

Top 10 most severely affected countries by stalkerware- Europe

Country Affected consumers

1 Germany 1547

2 Italy 1144

3 United Kingdom 1009

4 France 904

5 Spain 873

6 Poland 444

7 Netherlands 321

8 Romania 222

9 Belgium 180

10 Austria 153

How to check if a mobile device has stalkerware installed

It’s hard for everyday consumers to know if stalkerware is installed on their machines. Generally, this type of software remains concealed which includes hiding the icon of the stalkerware app on the home screen and in the phone menu and even cleaning any traces that have been constructed. However, it may commit itself away and there are some warning signs. Among the most important are 😛 TAGEND

Keep an eye out for a fast drain battery, constant overheating and mobile data traffic growing. Do regular antivirus scanning on your Android device: If the cybersecurity answer detected stalkerware, do not rush to remove it as the abuser may notice. Have a safety programme in place and are to achieve a local help organisation. Check browser history: To download stalkerware, the abuser will have to visit some web pages, the affected user does not know about. Alternatively, there could be no history at all if mistreat wiped it out. Check” unknown sources” fixes: If” unknown sources” are enabled on your device, it might be a sign that unwanted software were installed from third-party source. Check permissions of installed apps: Stalkerware application may be disguised under a wrong epithet with suspicious be made available to messages, call logs, place, and other personal activity.

However, it’s also important to understand that warning signs or symptoms are not necessarily proof that stalkerware is installed on a device.

How to minimize the risk

There are a few parts of advice that can help to increase your digital safety 😛 TAGEND

Never lend your telephone to anyone without seeing what happens with the phone and not leave it unlocked .* Use a complex lock screen password and change passwords on a regular basis. Do not disclose your password to anyone- not even your intimate partner or own family members or close friends .* Do regular checks of your phone — delete apps you don’t use and review the authorisation granted to each app. Incapacitate the option of third-party application installation on Android devices. Protect your Android devices with a cyber-security solution, such as Kaspersky Internet Security for Android( for free ), which detects stalkerware and issues warns.

* In the context of domestic violence and abusive relationships it may be difficult or even impossible to deny the abusive partner access to the phone.

Kaspersky’s activities and contribution to end cyberviolence

Kaspersky is actively working to end the use of cyberviolence and stalkerware, as a company, and together with many other partners. In 2019, we created a special alert that apprises consumers when stalkerware is installed on their phones. In the same year, with nine other founding members we created the Coalition Against Stalkerware. In 2020, we created TinyCheck, a free tool to see stalkerware on mobile devices- specifically for service organizations working with victims of domestic violence. TinyCheck can be found on https :// KasperskyLab/ TinyCheck. Since 2021, we are one of five partners in an EU-wide project aimed at tackling gender-based cyberviolence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.

About the Coalition Against Stalkerware

The Coalition Against Stalkerware (” CAS” or “Coalition”) is a group dedicated to addressing abuse, stalking, and harassment via the creation and use of stalkerware. Launched in November 2019, the Coalition Against Stalkerware gained 26 spouses in its first year. These include founding spouses- Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Family violence, NortonLifeLock, Operation Safe Escape, and WEISSER RING. The Coalition seems to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and increase public awareness about this important matter. Due to the high societal relevance for users all over the globe and new variants of stalkerware emerging sporadically, the Coalition Against Stalkerware is open to new spouses and calls for cooperation. To understand better the Coalition Against Stalkerware please visit the official website

[ 1 ] Experts refer in their nomenclature more and more to the empowering term survivor instead of victim. Hence, in this report, we will use both terms.

Read more: