Google has updated its Play Store rules to impose a “formal” ban on stalkerware apps, but the company has left a pretty huge loophole in place for stalkerware to be uploaded on the official store as child-tracking applications.
Stalkerware is a term used to describe apps that track a user’s movements, snoop on calls and messages, and record other apps’ activity.
Stalkerware, also known as spouseware, is usually advertised to users as a way to discover cheating partners, track children while they are outside their homes, and keep an eye on employees at work.
The primary feature of all stalkerware apps, regardless of whether they're intended to be used on smartphones or laptops, is that these apps can be installed and run without the device owner's knowledge, running in the background of the operating system.
Over the past decade, the Play Store has hosted hundreds of applications that fit into the stalkerware category.
Google, which has intervened to take down stalkerware apps when they’ve been pointed out by security researchers, has usually avoided making public statements on the topic.
Google imposes stalkerware ban… sort of
But in an update to its Developer Program Policy today, Google said that all apps that track users and send their data to another device must include an “adequate notice or consent” and show a “persistent notification” that the user’s actions are being tracked by the app.
The new rules, set to enter into effect next month, on October 1, are a ban on stalkerware apps, since they negate the apps' ability to be installed and operate undetected on victim devices. If user-tracking apps don't add these UI changes, they won't pass the approval process to be listed on the Play Store.
But while the new rules seem a step in the right direction, Google has also left a loophole that could be abused by shady stalkerware devs.
According to Google, apps that track children can continue to operate without requesting consent or showing a persistent notification on screen. Apps that track adults must include these two items, Google said.
In other words, there's nothing stopping a stalkerware dev from rebranding their app and continuing to operate unimpeded. In fact, today's announcement looks more like a heads-up for all the shady app devs, rather than an actual ban on stalkerware, with app developers having almost two weeks to comply with the rules.
This exception for child-tracking apps is the same loophole that Google also left in a similar ban it imposed on stalkerware ads in July. A subsequent TechCrunch investigation found that the ban on stalkerware ads was never enforced, which raises the question of whether this one will be, or whether it's more of a PR stunt.