Detection rates for stalkerware applications on Android and Windows devices are slowly improving, according to the findings of a seven-month research project carried out by independent antivirus testing lab AV-Comparatives and the Electronic Frontier Foundation.
The study [PDF], published earlier this week, took place in two phases, with the first in November 2019, and the second in May 2020.
Researchers looked at how 10 Android mobile antivirus apps and 10 Windows antivirus products detected some of today’s most prevalent stalkerware strains.
The stalkerware strains, 20 on Android and 10 on Windows, were chosen by AV-Comparatives together with the Electronic Frontier Foundation (EFF), based on their popularity in the US.
The study found that many antivirus companies improved their detection rates between the November 2019 and May 2020 scans.
“The detection rates for the Android products in November ranged from 30% to 95%, with two products detecting less than 50% of the testcases,” AV-Comparatives said.
“On Windows, the overall detection rates in November were poor relative to Android; the highest detection rate was only 70%, and only two products reached this level.
“Six months later in May, most products – for both Android and Windows – had improved their detection rates,” the testing lab said.
“On Android, 9 out of 10 products detected between 75% and 95% of the testcases. On Windows, all products had improved their detection rates to at least 70%, with four programs reaching 100%.”
Stalkerware finally seen as actual malware
The study’s findings are encouraging, as they show that the cyber-security industry is finally catching up with a type of malware threat that has often been ignored.
Stalkerware is a category of spyware, which is a type of malware that, as its name implies, can be used to spy on people.
The difference between stalkerware and spyware is that stalkerware is often advertised online as legitimate software and is easily accessible, rather than being sold on hacker forums and shadowy online chats.
Stalkerware is often disguised as parental control software, employee tracking software, and even remote access tools meant for the enterprise sector.
However, the difference between legitimate apps and stalkerware is that stalkerware includes features to disguise its presence on the computer or smartphone on which it is installed.
While legitimate apps like parental control software and remote access tools are clearly visible when installed on a device, stalkerware often uses misleading generic process names or hides its shortcuts and app icons — in an attempt to track the user unnoticed.
As a result of these features, stalkerware is often used by abusive partners to spy on their significant others, which is how stalkerware received its alternative name of “spouseware.”
In recent years, domestic abuse organizations have warned about the increasing number of domestic violence cases where stalkerware has been involved.
Since mid-2018, the Electronic Frontier Foundation has been pushing the cyber-security industry to detect these tools as malicious and warn users accordingly.
Since 2018, more and more antivirus companies have begun adding stalkerware detection rules, and a few have even joined the Coalition Against Stalkerware, a non-profit group aimed at raising awareness of this threat.
The study published this week can be considered a step in the right direction, with the antivirus industry now clearly seeing stalkerware as malicious, rather than seeing it as “dual-use software” that previously didn’t trigger any type of warnings or detections.
According to a Kaspersky report, the number of stalkerware infections grew by 40% in 2019, compared to the previous year.