Stalkerware is the digital equivalent of following someone 24/7 and eaves dropping on their conversations.
Stalkerware’s usage has been on the rise in situations of domestic abuse, one report by the BBC cites an individual (Amy) who’s husband had been tracking her every move. It gives the perpetrator (one controlling the Stalkerware) complete visibility of the victims mobile device and all of its data.
In this research article we demonstrate the stalkerware app Mobile Tracker Free and it’s capabilities, and even expose a technical security risk in it’s code. The security hole discovered in Mobile Tracker Free could even lead to your contacts and social media messages from the likes of WhatsApp, Telegram and Instagram being completely exposed to all other apps and processes on your device.
The Stalkerware application Mobile Tracker free is an application which boasts of it’s ability to “track employees to increase their productivity” and “monitor child’s whatsapp without them knowing”. It has the capacity to constantly monitor the following:
- Location
- Stream live video
- Stream live audio
- Read SMS, MMS
- Monitor calls
- Read social media messages (Instagram, Facebook, Whatsapp, Telegram, Snapchat, Youtube, Tinder, Gmail and more)
- Track clipboard
- Screen record at any time
- Track web history
Infection
In order to infect a victim’s device with Mobile Tracker free, an account must be created on the mobile tracker free website. This helps create the SAAS Command and Control (aka C2) platform for the stalkerware. Once signed up through this portal, a sophisticated dashboard is provided asking for installation of the mobile tracker apk and providing detailed instructions to do so.
There are even professional looking videos which have been released by Mobile Tracker free on Youtube to help individuals with nefarious intentions infect their victim’s phones. At the time of writing this, one video tutorial has over 1.4 million views and 3200 likes.
Once downloaded, the application app-download.apk is installed onto the device using com.google.android.packageinstaller, which is the default installer for any app installed via your web browser. This installs on Android as an application titled “Download Mobile Tracker Free”. As an application, it has the capability of communicating with it’s servers in plaintext (i.e. not encrypted).
This app’s intention isn’t to do the tracking or communicate with the C2 server, instead this is the dropper. It’s aim is to disable the default anti-virus installed on Android (Google Play Protect Services), allow itself to install apps from unknown sources and download the app which performs the stalking.
Once this prep work is complete, this dropper then installs m.secu.children the intended Stalkerware payload.
Although the dropper app com.mtf.d is capable of performing plain text communication because of the following configuration in the Android Manifest android:usesCleartextTraffic="true". It performs the download of m.secu.children over a TLS encrypted link.
After m.secu.children is installed, it then requests that the dropper is uninstalled to remove any trace of the infection from the device. Within Trustd, we store these install events for later analysis.
Tracking Capability
Although the device infection is sneaky, it all gets rather scary once m.secu.children is installed on the device.
First off m.secu.children performs an extensive permission grab, to make sure it’s as hidden as it can be whilst having access to all of the permissions it requires to function.
Once this permission grab is through, we see our victim (my OnePlus 3T test device) now calling back into the Mobile Tracker free command and control SAAS platform. On the dashboard displayed is my location accurate to the last minute, battery and online status.
Once we drill down further into the console, we start to see every aspect of my life displayed through my mobile device. Luckily for me, this is simply a test device.
The Stalkerware provides the capability for the attacker to live stream the victims camera, audio and screen at any time!
The app is also capable of accessing a large array of social media messaging on the device.
You might find yourself having questions about the end-to-end encryption which these messaging apps are using and how that isn’t protecting your private messages from the tyranny of your stalker. WhatsApp and other messaging apps do indeed encrypt your data whilst in-transit, however on your device, it’s sat in plain text. This means that once the device is compromised, it’s left open to the attacker.
We see below the code used by Mobile Tracker to grab the WhatsApp msgstore.db which contains all of the messages sent and received on the device. It also includes code used by the app to obtain the whatsapp contacts wa.db. The Mobile Tracker app uses dataOutputStream, a Java method which provides the app full access to the android shell. It uses this to print the contents of the WhatsApp databases to a local file which the app then has direct access to.
Ignoring it’s sinister potential for a moment, the capabilities of this Stalkerware are impressive and as a fellow programmer, it has to be admired. That being said, whilst traversing the code we discovered a misguided use of a recursive chmod 777, providing far too much access to the whatsapp databases created in a directory more accessible to m.secu.children. This means that these files which Mobile Tracker has backed up locally for later sync, are now accessible by everyone on this device (any process or user).
Looking further into this, we notice that the app is performing this same action on the following databases:
- Facebook Messages
- Viber
- Kik
- Skype
- Telegram
If the victims device is offline, Mobile Tracker Free has also taken into account a method of remotely controlling the device using SMS.
Protection
Make sure that you’re as best protected as you can be from Stalkerware. It can often be very hard to tell whether stalkerware has been surreptitiously installed on your device. By its very nature it is designed to be evasive, but there are some signs that could indicate that your device is infected.
- Is your battery running out more quickly than normal?
- Does your device feel warm even when you’ve not been using it?
- Is your screentime manager reporting more time on your device than you have used?
- Has your phone recently gone missing and reappeared?
- Does a person seem to know things about you that you haven’t shared with them?
Removal of stalkerware
If you find yourself in a situation where you think stalkerware is lurking on your device, tread carefully, especially if you are in a vulnerable situation – remember that actions you take on your device will be seen by the perpetrator.
The legislation surrounding stalkerware is a little murky, however, there are laws in place that could protect you. You may wish to gather evidence by taking photos of anything suspicious – but use a separate camera, rather than one on your device. There are ways that you can detect and remove stalkerware, these include:
- Search through the list of installed apps in settings and, if you feel it is safe to do so, attempt to uninstall any which appear malicious. The user of the stalkerware may be informed of this action, and removing stalkerware could also remove evidence.
- If you own an iPhone or iPad rebooting it will remove a jailbreak and stop stalkerware working – but this doesn’t prevent a possible reapplication of the jailbreak.
- A factory reset will remove will nearly always remove stalkerware, with iOS a factory reset via iTunes may be necessary. However, you will potentially also lose a huge amount of other data.
- Get a new phone
- Or download and install the free Trust app and look for malicious behaviour and see your highest risk installed apps.
Read our guide on how to remove stalkerware for step-by-step details. If you believe that stalkerware is being used on your device and you wish to better understand your rights, a lawyer will be able to advise you and explain what type of evidence would be useful in a court case.
