Hacker Eva Galperin Has a Plan to Eradicate Stalkerware

changing passwords, setting up two-factor authentication—seem to help.

The reason those fixes don’t work, in these cases, is because the abuser has deeply compromised the victim’s phone itself. The stalker doesn’t have to be a skilled hacker; they just need easily accessible consumer spyware and an opportunity to install it on their target’s device. An entire industry of that so-called spouseware, or stalkerware, has grown in recent years, one that Galperin argues represents a deeply underestimated scourge of digital privacy.

“Full access to someone’s phone is essentially full access to someone’s mind,” says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. “The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge.”

Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she’s calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She’ll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn’t allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she’ll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. “It would be nice to see some of these companies shut down,” she says. “It would be nice to see some people go to jail.”

Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it’s far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing “not a virus” message, as it has for most breeds of stalkerware in the past, Kaspersky’s software will now show its users an unmistakeable “privacy alert” for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.

Galperin, who has been working directly with stalkerware victims, sees the Moscow-based firm’s move as raising the bar for the entire security industry. Once one company begins to call out consumer spyware as a full-fledged security threat, she argues, competition will drive the other antivirus firms to meet that standard. The result, she hopes, will be a broader remedy to a security industry that has long underestimated stalkerware—often because security researchers don’t count spy tools that require full access to a device as “real” hacking, despite domestic abusers in controlling relationships having exactly that so

Read More