Cybersecurity companies are pledging to help customers scrub “stalkerware” apps hidden in their phones after a digital activist raised an alarm about the tools some people use to spy on partners and exes.
Symantec and McAfee both told me Wednesday that they’re trying to alert customers about these apps — also known as “commercial spyware” or “surveillanceware.”
And Russian anti-virus company Kaspersky Lab also pledged last week to start sending users special alerts when stalkerware apps are detected on their customers’ Android smartphones, and the U.S. company Lookout explained Tuesday how it offers similar protections.
The responses come after Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, drew attention to the issue in a speech at Kaspersky’s Security Analyst Summit in Singapore.
“Full access to someone’s phone is essentially full access to someone’s mind,” Galperin told Wired before her speech. “The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge.”
Galperin also wants Apple, which doesn't allow external anti-virus companies to operate in its iPhones, to include better protections against stalkerware — and state and federal officials to crack down on companies that sell stalkerware, per Wired.
The responses from the cybersecurity companies that they're working on the issue shows they're taking the problem seriously — but also demonstrate how difficult it is to combat stalkerware apps, which are often tough to distinguish from apps with legitimate purposes.
There are legitimate apps, for example, that help parents monitor their children’s smartphone activity or let employers ensure their workers aren’t using company smartphones inappropriately, Kristy Edwards, Lookout’s security intelligence director, told me.
But those apps can also be used inappropriately by people spying on spouses or exes, Edwards said. And some apps that market themselves as being for legitimate purposes are used for nefarious purposes more often than not, she said.
“A false positive is not a good thing here,” Edwards told me. “You don’t want to falsely accuse an app of being surveillanceware, but, on the other hand, you don’t want to miss it. It takes money and research and a focus on the problem for the industry to get this right.”
In Lookout’s case, the company typically uses artificial intelligence algorithms to find apps that might have been marketed as legitimate but are acting like malware — for example, running when the user hasn’t opened them or hiding their icon.
The algorithm then sends information about those apps to researchers who investigate further and, ultimately, have to make a judgment call, Edwards said.
“There’s a nuance to this that makes it really hard to fight,” she said.
Many security companies have been alerting users about possible stalkerware for the past several years but lumping them into the same category as adware — software that automatically displays advertisements — and other software that is questionable or undesirable but not necessarily malicious, Kaspersky Lab security researcher Alexey Firsh told me.
Kaspersky labeled that category “not-a-virus,” but now believes that term wasn’t sufficient to draw people’s attention, he said. The company is replacing it with a broader privacy alert that explains the app could be used to “compromise your personal data” including by eavesdropping on calls and reading emails and text messages.
“We are confident that being more vocal and more proactive about this type of threat can make a big change,” Firsh told me. “We hope it rings a bell for an average user, so he or she will be informed about a potential threat.”
Yet to effectively combat stalkerware, companies will also have to go beyond simply alerting about it — and customers will have to be proactive about defending themselves, McAfee’s mobile security research team told me in a statement.
That includes restricting all apps from accessing information they don’t need and encrypting sensitive personal information such as photos, the team said.
“As is the case with so many of the threats we see, detecting and removing the known threats is just one capability,” McAfee said. “You need to protect access to a device, and the data on the device. Then you need to proactively help the user by proactively crippling suspicious threats. Given the seriousness of the cyberstalker threat, you need more than one solution to address it.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: WikiLeaks founder Julian Assange was arrested this morning, ending his 7-year stay in London’s Ecuadorian embassy.
Ecuadorian officials said they were rescinding Assange’s asylum because of his “discourteous and aggressive behavior” and for violating the terms of his stay, my colleagues James McAuley, Karla Adam and Ellen Nakashima reported.
Assange, who is wanted in the U.S. for his role in leaking government secrets, took refuge in the embassy when he was facing a Swedish rape charge. U.S. officials want to question Assange about WikiLeaks’ role in a Russian hacking and disinformation campaign that upended the 2016 election. “Ahead of the U.S. election in 2016, WikiLeaks released tens of thousands of emails that had been stolen from the Democratic National Committee and from Hillary Clinton’s campaign chairman, John Podesta, in cyber-hacks that U.S. intelligence officials concluded were orchestrated by the Russian government,” my colleagues reported.
Assange’s ouster from the embassy was long expected. Ecuadorian officials said last week they would eject Assange at a time of their choosing. “Ecuador has sovereignly decided to terminate the diplomatic asylum granted to Mr. Assange in 2012,” President Lenín Moreno said in a video statement. “The asylum of Mr. Assange is unsustainable and no longer viable.” Moreno specifically cited WikiLeaks leaking of documents from the Vatican in January. WikiLeaks has said the move is retaliation for its reporting on corruption in Moreno’s administration.
PATCHED: A cascade of resignations at the top of the Department of Homeland Security won’t damage DHS’s cybersecurity mission, Jeanette Manfra, assistant director of the department’s Cybersecurity and Infrastructure Security Agency, said Wednesday.
“It’s unfortunate to lose Secretary [Kirstjen] Nielsen and [Undersecretary for Management] Claire Grady, who were such great advocates for our mission,” Manfra told reporters on the sidelines of a cybersecurity discussion hosted by the Atlantic. “But I think one of the most important things that Secretary Nielsen believed in was resilience and so we’re going to continue the mission.”
Manfra also praised DHS’s new acting chief Kevin McAleenan, who she said worked extensively with technology as commissioner of U.S. Customs and Border Protection and understands the importance of DHS’s cybersecurity mission. “I don’t see any kind of change to our approach or our ability to do our job,” Manfra said.
PWNED: Kremlin-linked hackers likely conducted reconnaissance against election networks in all 50 states before the 2016 contest, according to a Joint Intelligence Bulletin from the FBI and Department of Homeland Security obtained by Ars Technica’s Sean Gallagher.
That’s the first official report from the agencies that Russian hackers probably probed more state election networks than the 21 identified in 2016. But it’s basically in line with what DHS officials have long said: The Russian reconnaissance mission probably was larger than what the government detected because the federal government’s network of sensors on state election systems was not well developed at the time. That network covered more than 90 percent of state election systems by the 2018 midterms, officials have said.
The new bulletin does not alter DHS and FBI’s primary conclusion: that there’s no evidence Russian hackers changed any votes in the 2016 election.
Here’s more from Sean, who credited the paywalled intelligence newsletter Ooda Loop for first reporting on the bulletin, which “stated that, while the FBI and DHS ‘previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure,’ new information obtained by the agencies ‘indicates that Russian government cyber actors engaged in research on — as well as direct visits to — election websites and networks in the majority of US states.’ ”
“While not providing specific details, the bulletin continued, ‘The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.’ "
How much does it cost to steal a tax refund? Very little, according to research by the cybersecurity firm Carbon Black, which scoured dark Web marketplaces frequented by scammers who steal enough of a person’s information to file a phony tax return and collect the refund.
“W-2s and 1040s are available on the dark web at relatively low cost, ranging from $1.04 to $52,” Carbon Black reported. “Names, Social Security Numbers (SSNs) and birthdates can be obtained for a price ranging from $0.19 to $62.”
The company also found how-to guides for filing false tax returns for about $5.
Carbon Black recommends the standard slate of security measures for consumers to protect themselves against scammers filing phony returns on their behalf, such as being cautious about sharing their information and using multi-factor authentication tools to access email and social media accounts that might contain that information.
Another common piece of advice is for taxpayers to file early before a scammer does it for them. Unfortunately, the report — timed with the April 15 filing deadline — is coming a bit late for that advice.
More cybersecurity news from the public sector:
Cybersecurity news from the private sector: