Stalkerware is malware used in abusive relationships to spy on a partner. I've written about it quite a bit; see my previous blog posts for more background on stalkerware.
There are several ways to check whether stalkerware is installed on a phone. At Echap, we wrote a guide (in French) to search for configuration settings on an Android phone; we think it is the easiest way for non-technical users and it is pretty reliable. The Clinic to End Tech Abuse has developed a tool called ISDi that scans for stalkerware based on package names on Android and iOS. Félix Aimé recently released a tool called TinyCheck that analyzes the network traffic of a smartphone and can be used to identify stalkerware traffic.
In this blog post, I propose another method to detect stalkerware applications on Android phones, based on the indicators of stalkerware I have aggregated. It is intended for a technical audience, primarily technicians supporting organizations that work with survivors, as some technical knowledge is required to use the various command line tools. (I have only tested these tools on Linux; they should work on macOS, but no guarantee.)
Note: as I wrote before, I think we should make sure to consider all technology-related intimate partner abuse threats and not just stalkerware, both because it makes no sense to arbitrarily single out stalkerware as the important topic, and because the CETA's experience seems to show that in many cases survivors think they have stalkerware installed when it is in fact another form of digital surveillance.
Here is the methodology I propose:
- Enable USB debugging on the Android device
- Extract the APKs from the phone with snoopdroid
- Check the APKs against public stalkerware indicators
- Dig further into the APKs with sdanalyzer
Enable USB debugging
You must first enable USB debugging on the phone. For this you can follow the official Android documentation; here is the relevant part of it:
On Android 4.1 and below, the Developer options screen is available by default. On Android 4.2 and above, you must enable this screen. To enable developer options, tap the Build number option 7 times. You can find this option in one of the following locations, depending on your Android version:
- Android 9 (API level 28) and higher: Settings > About phone > Software information > Build number
- Android 8.0.0 (API level 26) and Android 8.1.0 (API level 26): Settings > System > About phone > Build number
- Android 7.1 (API level 25) and below: Settings > About phone > Build number
At the top of the Developer options screen, you can toggle the options on and off (Figure 1). You probably want to keep this on. When off, most options are disabled except those that do not require communication between the device and your development computer.
Before you can use the debugger and other tools, you need to enable USB debugging, which allows Android Studio and other SDK tools to recognize your device when connected via USB. To enable USB debugging, toggle the USB debugging option in the Developer options menu. You can find this option in one of the following locations, depending on your Android version:
- Android 9 (API level 28) and higher: Settings > System > Advanced > Developer Options > USB Debugging
- Android 8.0.0 (API level 26) and Android 8.1.0 (API level 26): Settings > System > Developer Options > USB Debugging
- Android 7.1 (API level 25) and below: Settings > Developer Options > USB Debugging
Once that is done, connect the Android phone to your computer with a USB cable. Make sure that adb is installed and check that the device is visible with the command

```
$ adb devices
List of devices attached
RF2F722NU0C	device
```

You can test that access to the device works with the command `adb shell`. Once you have confirmed that the adb connection is working, stop the adb server with
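Before extracting anything it is worth checking that adb sees exactly one device and that the device is in the `device` state rather than `unauthorized` (the "Allow USB debugging?" prompt has not been accepted on the phone) or `offline`. The following is an added example, not code from the original post or from snoopdroid; it parses the output format of `adb devices` (the sample output is constructed, reusing the serial shown above) and, in `live_check`, assumes `adb` is on your PATH.

```python
"""Added example: confirm that one authorized Android device is visible to adb."""
import subprocess
from typing import Dict

# Constructed sample in the format `adb devices` prints (serial, tab, state).
SAMPLE_OUTPUT = """List of devices attached
RF2F722NU0C\tdevice
"""


def parse_adb_devices(output: str) -> Dict[str, str]:
    """Map each serial listed by `adb devices` to its state.

    adb reports e.g. 'device' (ready), 'unauthorized' (USB debugging prompt
    not yet accepted on the phone) and 'offline'. Header and daemon
    start-up lines ('* daemon ...') are skipped.
    """
    devices: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith("*") or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def check_ready(devices: Dict[str, str]) -> str:
    """Return 'ready' when exactly one device is usable, otherwise what to fix."""
    if not devices:
        return "no device: check the cable and that USB debugging is enabled"
    if len(devices) > 1:
        return "more than one device attached: disconnect the others"
    serial, state = next(iter(devices.items()))
    if state == "unauthorized":
        return f"{serial} unauthorized: accept the USB debugging prompt on the phone"
    if state != "device":
        return f"{serial} is {state}: reconnect the phone"
    return "ready"


def live_check() -> str:
    """Run `adb devices` for real (requires adb on PATH) and evaluate the result."""
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    return check_ready(parse_adb_devices(out))


if __name__ == "__main__":
    print(check_ready(parse_adb_devices(SAMPLE_OUTPUT)))
```

Run `live_check()` right before the extraction; snoopdroid talks to the device itself, so stop the adb server (`adb kill-server`) once this check passes.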
Extract APKs with Snoopdroid
Follow the installation instructions of snoopdroid.
Then start the extraction:

```
$ snoopdroid --storage apks
[snoopdroid ASCII-art banner]
v2.3
*** Getting package names...
*** There are 285 packages installed on the device, I selected 208 to check.
*** Start capturing in folder apks/2021-01-12T210901
*** Downloading packages from device. This may take some time...
[1/208] Package: com.samsung.android.provider.filterprovider
Downloading /system/app/FilterProvider/FilterProvider.apk ...
100%|████████████| 381k/381k [00:00<00:00, 2.91MB/s]
[2/208] Package: com.sec.android.app.DataCreate
Downloading /system/app/AutomationTest_FB/AutomationTest_FB.apk ...
100%|████████████| 348k/348k [00:00<00:00, 3.16MB/s]
[3/208] Package: com.sec.android.widgetapp.samsungapps
Downloading /system/priv-app/GalaxyAppsWidget_Phone_Dream/GalaxyAppsWidget_Phone_Dream.apk ...
100%|████████████| 797k/797k [00:00<00:00, 3.48MB/s]
[...]
```

This process extracts all the APKs installed on the phone into a folder; it takes a while.
Checking the APKs
I maintain a list of indicators of stalkerware that includes package IDs, certificates, hashes, network domains and IPs, and more recently Yara rules. I have developed a Python script that checks an APK or a folder of APKs against these indicators.
First download the repository, either via git (`git clone https://github.com/Te-k/stalkerware-indicators.git`) or by downloading the ZIP archive. Then install the required libraries with `pip install -r requirements.txt`. Finally, launch the script on the folder containing the APKs:

```
$ python check_apk.py apks/2021-01-12T210901/apks/
Loaded 76 App IDs, 55 Certificates, 221 Network Indicators and 1881 Hashes
com.sec.android.mimage.photoretouching.apk : OK
com.samsung.android.net.wifi.wifiguider.apk : OK
com.sec.android.CarrierCodeChanger.apk : OK
com.samsung.android.themestore.apk : OK
com.samsung.android.themecenter.apk : OK
com.sec.android.easyMover.Agent.apk : OK
com.google.android.gms.policy_sidecar_aps.apk : OK
com.samsung.safetyinformation.apk : OK
com.samsung.android.setting.multisound.apk : OK
com.sec.usbsettings.apk : OK
com.android.dreams.phototable.apk : OK
[...]
com.google.android.apps.tachyon_split_config.en.apk : OK
com.android.traceur.apk : OK
1 suspicious applications identified:
- com.android.core.mngp_base.apk : Known stalkerware package ID: Snoopza
```

Here a stalkerware app from the Snoopza family was identified.
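To make the four indicator families concrete (package IDs, certificates, file hashes, network domains), here is an added example of the matching such a check performs. It is not code from the original post or from check_apk.py: every indicator value in it is a constructed placeholder, not an entry from the stalkerware-indicators repository, and the per-APK fields (package name, signing-certificate SHA-256, file SHA-256, strings from the DEX files) are assumed to have been extracted beforehand with a tool such as androguard, which is not called here.

```python
"""Added example: matching extracted APK metadata against stalkerware indicators."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed indicators, one per family (Yara rules left out).
INDICATORS: Dict[str, Dict[str, str]] = {
    "package_ids": {"com.example.stalk.core": "ExampleStalk"},
    "cert_sha256": {"aa" * 32: "ExampleStalk"},
    "file_sha256": {hashlib.sha256(b"constructed apk bytes").hexdigest(): "ExampleStalk"},
    "domains": {"example-stalk.test": "ExampleStalk"},
}


@dataclass
class ApkInfo:
    """Fields assumed to come from an APK parser such as androguard."""
    path: str
    package: str
    cert_sha256: str
    file_sha256: str
    strings: List[str] = field(default_factory=list)


def host_of(s: str) -> str:
    """Crude host extraction from a URL-like string ('https://a.b/c' -> 'a.b')."""
    return s.split("://", 1)[-1].split("/", 1)[0].lower().rstrip(".")


def domain_matches(host: str, indicator: str) -> bool:
    """True when host is the indicator domain or one of its subdomains."""
    return host == indicator or host.endswith("." + indicator)


def check_apk(apk: ApkInfo, iocs: Dict[str, Dict[str, str]] = INDICATORS) -> List[str]:
    """Return every reason the APK matches the indicators (empty list = OK)."""
    reasons: List[str] = []
    fam = iocs["package_ids"].get(apk.package)
    if fam:
        reasons.append(f"Known stalkerware package ID: {fam}")
    # Certificate matching also catches a known signer behind a renamed package.
    fam = iocs["cert_sha256"].get(apk.cert_sha256.lower())
    if fam:
        reasons.append(f"Known stalkerware certificate: {fam}")
    fam = iocs["file_sha256"].get(apk.file_sha256.lower())
    if fam:
        reasons.append(f"Known stalkerware file hash: {fam}")
    seen = set()   # report each domain once even if it appears in many strings
    for s in apk.strings:
        host = host_of(s)
        for dom, fam in iocs["domains"].items():
            if dom not in seen and domain_matches(host, dom):
                seen.add(dom)
                reasons.append(f"Contains known stalkerware domain {dom}: {fam}")
    return reasons


def check_folder(apks: List[ApkInfo]) -> Dict[str, List[str]]:
    """Map path -> reasons, for the suspicious APKs only."""
    return {a.path: r for a in apks if (r := check_apk(a))}


# Constructed inputs: a benign app, a full match, and a renamed package that
# is only caught through its signing certificate.
SAMPLE_APKS = [
    ApkInfo("com.android.traceur.apk", "com.android.traceur", "bb" * 32, "00" * 32,
            ["https://www.google.com/"]),
    ApkInfo("com.example.stalk.core.apk", "com.example.stalk.core", "aa" * 32,
            hashlib.sha256(b"constructed apk bytes").hexdigest(),
            ["https://c2.example-stalk.test/upload", "api.example-stalk.test"]),
    ApkInfo("com.example.renamed.apk", "com.example.renamed", "AA" * 32, "11" * 32, []),
]

if __name__ == "__main__":
    for path, reasons in check_folder(SAMPLE_APKS).items():
        print(path, "->", "; ".join(reasons))
```

The certificate family is the one to watch: a stalkerware vendor can rename the package at will, but rarely changes the signing key, so a certificate hit on an unfamiliar package name deserves the same attention as a package ID hit.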
Analysis of other APKs with SDAnalyzer
This first check is only as good as the indicators, and there are definitely stalkerware products that are not yet on the indicator list. So it is worth analyzing the APKs manually to see if we find anything suspicious. I have developed a tool called SDAnalyzer specifically for this purpose. It extracts the most useful information from all the APKs and offers a nice interface to analyze them.
You simply install sdanalyzer with `pip install sdanalyzer`.
Then you need to import the APKs into a phone. First create a phone in SDAnalyzer:

```
$ sdanalyzer phones --create "Germain's Phone"
1	Germain's Phone	None
```

Then import all the APKs in the folder into the phone with the corresponding ID (1 in the example above):

```
$ sdanalyzer import --phone 1 .
Importing ./com.sec.android.mimage.photoretouching.apk
APK ./com.sec.android.mimage.photoretouching.apk added to phone
Importing ./com.samsung.android.net.wifi.wifiguider.apk
APK ./com.samsung.android.net.wifi.wifiguider.apk added to phone
Importing ./com.sec.android.CarrierCodeChanger.apk
APK ./com.sec.android.CarrierCodeChanger.apk added to phone
Importing ./com.samsung.android.themestore.apk
APK ./com.samsung.android.themestore.apk added to phone
Importing ./com.samsung.android.themecenter.apk
APK ./com.samsung.android.themecenter.apk added to phone
Importing ./com.sec.android.easyMover.Agent.apk
APK ./com.sec.android.easyMover.Agent.apk added to phone
Importing ./com.google.android.gms.policy_sidecar_aps.apk
It looks like no app name is set for main activity!
APK ./com.google.android.gms.policy_sidecar_aps.apk added to phone
[...]
```

The import takes 5 to 10 minutes depending on the number of APKs. You have to wait until the end of the import before starting the analysis (the SQLite database cannot be accessed by both at the same time).
You can then start the web interface with `sdanalyzer serve`. The user interface opens directly in your browser:
Select the phone you just created to view the list of APKs:
In this table you can see some useful information:
- The package ID
- The app name
- The certificate, with a green tick if it is one I trust
- The number of sensitive permissions the app requires (malicious apps like stalkerware always require many permissions)
- A marker (called frosting) if the app was downloaded from the Google Play Store
- The VirusTotal analysis result (currently not working due to a bug in the VirusTotal platform)
- A threat level assessed from all this information (take it as an indication only, not as something very reliable)
You can click on each application and get a more detailed view of it:
On this page you have various pieces of information and links:
- Information on the package
- Links to search for the app on VirusTotal, Koodous and APKLab
- The certificate that signed the app
- The full list of requested permissions (with the sensitive ones in bold)
- The full manifest
- A list of URLs extracted from the DEX files
- A list of strings extracted from the DEX files
It can be a lot of information at the beginning and very time-consuming to process everything. Here are some pointers to prioritize:
- Check the VirusTotal result (once VT has fixed it). Any app with more than 5 detections is clearly suspicious. Between 1 and 5 it can be a false alarm; you should check the app carefully. If the app is unknown to VT, that is unusual (though it happens with some system packages), and you should check the app in detail.
- You can safely discard the apps marked with a legitimate certificate (check their VT results just in case).
- Check the number of permissions: stalkerware apps usually require more than 15, including the most sensitive ones (SMS, calls, etc.).
- Most stalkerware apps are installed outside the Play Store, so there should not be any frosting (but since it can be added manually without changing the signature, this is not completely reliable).
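The pointers above can be turned into a first-pass triage that orders the SDAnalyzer table so the apps worth a human look come first. The following is an added example, not code from the original post or from SDAnalyzer; its App records are constructed, `vt_detections=None` stands for "unknown to VirusTotal", `trusted_cert` is the green tick and `frosting` is the Play Store marker. Treating "more than 15 sensitive permissions and no frosting" as suspicious on its own is my combination of two of the pointers, not a rule from the post.

```python
"""Added example: triage of SDAnalyzer table rows following the post's pointers."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISCARD, CHECK, SUSPICIOUS = "discard", "check", "suspicious"
ORDER = {SUSPICIOUS: 0, CHECK: 1, DISCARD: 2}   # review order, most urgent first


@dataclass
class App:
    package: str
    vt_detections: Optional[int]   # None: unknown to VirusTotal
    trusted_cert: bool             # green tick in the certificate column
    sensitive_permissions: int
    frosting: bool                 # Play Store marker (can be forged, so only a hint)


def triage(app: App) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one app."""
    reasons: List[str] = []
    vt = app.vt_detections

    # A trusted certificate lets you discard the app, after a glance at VT just in case.
    if app.trusted_cert:
        if vt is not None and vt > 5:
            return CHECK, [f"trusted certificate but {vt} VT detections: look anyway"]
        return DISCARD, ["signed with a trusted certificate"]

    verdict = CHECK   # anything not trusted needs at least a look
    if vt is None:
        reasons.append("unknown to VirusTotal: check the app in detail")
    elif vt > 5:
        verdict = SUSPICIOUS
        reasons.append(f"{vt} VT detections: clearly suspicious")
    elif vt >= 1:
        reasons.append(f"{vt} VT detections: may be a false alarm, check carefully")

    if app.sensitive_permissions > 15:
        reasons.append(f"{app.sensitive_permissions} sensitive permissions: typical of stalkerware")
        if not app.frosting:
            verdict = SUSPICIOUS   # my combination of two pointers, see lead-in
            reasons.append("no frosting: not installed from Google Play")
    elif not app.frosting:
        reasons.append("no frosting: not installed from Google Play")

    if not reasons:
        reasons.append("no strong signal either way: review manually")
    return verdict, reasons


def prioritise(apps: List[App]) -> List[str]:
    """Package names ordered so the apps to review first come first (stable sort)."""
    return [a.package for a in sorted(apps, key=lambda a: ORDER[triage(a)[0]])]


# Constructed rows: the second package name is the one flagged earlier in the
# post; its field values here are invented, as are the other apps.
SAMPLE_APPS = [
    App("com.samsung.android.themestore", 0, True, 12, False),
    App("com.android.core.mngp_base", None, False, 22, False),
    App("com.example.game", 2, False, 4, True),
    App("com.example.util", 9, False, 3, True),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict, why = triage(app)
        print(f"{app.package:36} {verdict:10} {'; '.join(why)}")
```

The verdicts are only an ordering aid: `check` means a human still has to open the detail page, and a `discard` on certificate alone assumes the trusted-certificate list itself is sound.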
When you've reviewed an application, you can mark it as suspicious or legitimate in the web interface and hide the apps you've already reviewed from the main list, so you only see what still needs analysis. When in doubt about an application, it can help to look for other applications signed with the same certificate on VT, Koodous, or APKLab and see if they look legitimate or suspicious.
This process is more time-consuming and less reliable than using indicators. Take some time to understand what each field means; the first phone will be a little tricky with so much data, but you will quickly get used to the process and identify suspicious apps faster.
When you have finished the analysis, you can delete the extracted data with
I have used this method several times to scan for malware, and it is quite reliable and fast after some practice. The challenge is to build a solid stalkerware indicator database so as not to spend too much time in SDAnalyzer, so don't hesitate to contribute to the stalkerware indicators.
If you have any comments, feedback or thoughts about this process, or if you work with organizations that support victims of domestic violence, please feel free to contact me by email or Twitter DM.
This blog post was mostly written while listening to GROWTH.