Artificial truth

The more you see, the less you believe.

Hunting stalkerware, one year later
Sun 02 April 2023

In April 2022, I started to look at the world of stalkerware. One year later, here is what I've accomplished so far to make the life of everyone involved in this despicable industry hopefully harder.


I contributed to Tek's stalkerware-indicators repository, adding domains, C2, certificates, families, … The number of tracked stalkerware went from a dozen to around 150, and it keeps growing.

To paraphrase Utah Phillips, the people who are writing stalkerware have names and addresses. So I spent some time documenting them: what company is writing/selling what, who is behind those, where they are based, … Some of them have already been reported to the police, resulting in ongoing legal procedures.


I wrote some tooling to share the ~3k (and counting) triaged and labelled samples I've been sitting on, with as many platforms as possible: Pithus, Malshare, VirusTotal, Malware Bazaar, Hybrid Analysis, Recorded Future Triage, the Coalition Against Stalkerware, a private mwdb instance, … If you're interested in having such a feed land in your own malware zoo, please do let me know; I'm happy to make this happen.


Since mwdb doesn't natively support APK files, I wrote a module for it, surfacing package names, certificates, permissions, activities, names, …

I also contributed to my friend kpcyrd's spytrap-adb project, providing a command-line interface to perform stalkerware-oriented forensic analysis of Android phones.

Joining forces

I joined Echap, a French non-profit fighting against tech-abuses against women. They're providing guides and trainings. I initially joined them because it was the easiest way to be part of the Coalition Against Stalkerware, but have since enjoyed being part of it and helped on various topics there.

Reaching out

I gave a talk about stalkerware at the internal "Safer with Google Summit", leading to interesting conversations with various stakeholders: there are good reasons why every single stalkerware vendor is asking perpetrators to disable Play Protect before installing their junk. Moreover, improvements to current mitigations are to be expected.

I reached out to as many interested parties as possible, to suggest that they make use of the stalkerware-indicators. Current users include AdGuard, quad9, oisd, MVT, hypatia, … along with others who prefer to not be named. If you have friends in cyber threat intelligence who'd like a free feed, I'm happy to provide.