Title: Hunting stalkerware, one year later
Date: 2023-04-02 23:45

In April 2022, I started to look at the world of
[stalkerware](https://en.wikipedia.org/wiki/Stalkerware). One year later, here
is what I've accomplished so far, hopefully making life harder for everyone
involved in this despicable industry.

## Documenting

I contributed to [Tek](https://randhome.io)'s
[stalkerware-indicators](https://github.com/AssoEchap/stalkerware-indicators/graphs/contributors)
repository, adding domains,
[c2](https://en.wikipedia.org/wiki/Botnet#Command_and_control),
[certificates](https://developer.android.com/studio/publish/app-signing),
families, … The number of tracked stalkerware went from a dozen to
around 150, and it keeps growing.

To paraphrase [Utah Phillips](https://en.wikipedia.org/wiki/Utah_Phillips),
the people who are writing stalkerware have names and addresses. So I spent
some time [documenting](https://github.com/AssoEchap/stalkerware-indicators/tree/master/vendors)
them: what company is writing/selling what, who is behind those, where they are
based, … Some of them have already been reported to the police, resulting
in ongoing legal procedures.

## Sharing

I wrote some tooling to share the ~3k (and counting) triaged and labelled
samples I've been sitting on, with as many platforms as possible:
[Pithus](https://beta.pithus.org), [Malshare](https://malshare.com),
[Virustotal](https://www.virustotal.com/gui/collection/943e8fa22a5851401cf00a1b3b17d3a2b2d595701134c3f1fc945ce974a5d585),
[Malware Bazaar](https://bazaar.abuse.ch/user/728001071419887616/),
[Hybrid Analysis](https://hybrid-analysis.com),
[Recorded Future Triage](https://tria.ge),
the [Coalition Against Stalkerware](https://backend.stalkerware.org),
a private [mwdb](https://github.com/CERT-Polska/mwdb-core) instance,
… If you're interested in having such a feed land in your own malware zoo,
please let me know; I'm happy to make that happen.

## Tooling

Since [mwdb](https://github.com/CERT-Polska/mwdb-core) doesn't natively support
[apk](https://en.wikipedia.org/wiki/Apk_(file_format)) files,
I wrote a [module](https://github.com/jvoisin/karton-android) for it that surfaces
package names, certificates, permissions, activities, names, …

I also [contributed](https://github.com/spytrap-org/spytrap-adb/commits?author=jvoisin)
to my friend [kpcyrd](https://github.com/kpcyrd/)'s
[spytrap-adb](https://github.com/spytrap-org/spytrap-adb) project,
which provides a command-line interface for stalkerware-oriented forensic
analysis of Android phones.

## Joining forces

I joined [Echap](https://echap.eu.org), a French non-profit fighting
technology-facilitated abuse against women. They provide [guides](https://echap.eu.org/ressources/)
and [trainings](https://echap.eu.org/formations/). I initially joined them
because it was the easiest way to be part of the [Coalition Against
Stalkerware](https://stopstalkerware.org), but have since enjoyed being part of
it and helped on various topics there.

## Reaching out

I gave a talk about stalkerware at the internal "Safer with Google Summit",
leading to interesting conversations with various stakeholders: there are good
reasons why every single stalkerware vendor is asking perpetrators to disable
[Play Protect](https://developers.google.com/android/play-protect/) before
installing their junk. Moreover, improvements to current mitigations are to be expected.

I [reached out](https://github.com/AssoEchap/stalkerware-indicators/issues/67)
to as many interested parties as possible, to suggest that they make use of
the [stalkerware-indicators](https://github.com/AssoEchap/stalkerware-indicators).
Current users include [AdGuard](https://adguard.com), [Quad9](https://quad9.net),
[oisd](https://oisd.nl/), [MVT](https://github.com/mvt-project/mvt),
[hypatia](https://gitlab.com/divested-mobile/hypatia)
… along with others who prefer to not be named. If you have friends in [Cyber
threat intelligence](https://en.wikipedia.org/wiki/Cyber_threat_intelligence)
who'd like a free feed, I'm happy to provide.
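As an added illustration of how a defender can consume such a feed (this is example code written for this page, not the blog's or the stalkerware-indicators project's own tooling): the script below matches DNS query logs against a small indicator set. The indicator layout (`name`, `packages`, `websites`, `c2.domains`) is a constructed sample that mirrors the shape I assume the repository's `ioc.yaml` uses; the family names, `.invalid` domains and log lines are all made up for the example. It separates hits on a vendor's website (someone browsed the shop) from hits on a C2 domain (an installed app is likely beaconing), and matches subdomains of a listed domain without matching unrelated names that merely share a suffix.

```python
"""Match DNS query logs against a stalkerware indicator feed (added example).

The indicator structure and all domains/log lines below are constructed for
illustration; verify field names against the real ioc.yaml before use.
"""
import re

# Constructed sample in the assumed ioc.yaml shape (family -> packages/websites/c2).
SAMPLE_INDICATORS = [
    {
        "name": "ExampleSpy",
        "type": "stalkerware",
        "packages": ["com.example.spy"],
        "websites": ["examplespy.invalid"],
        "c2": {"domains": ["api.examplespy.invalid", "sync.examplespy-cdn.invalid"],
               "ips": ["192.0.2.10"]},
    },
    {
        "name": "TrackerDemo",
        "type": "stalkerware",
        "packages": ["net.demo.tracker"],
        "websites": ["trackerdemo.invalid"],
        "c2": {"domains": ["c2.trackerdemo.invalid"], "ips": []},
    },
]

# Constructed resolver log: "<timestamp> <client ip> <query name> <query type>".
SAMPLE_DNS_LOG = [
    "2023-03-01T08:12:03Z 10.0.0.5 www.google.com A",
    "2023-03-01T08:12:09Z 10.0.0.5 trackerdemo.invalid A",          # vendor website
    "2023-03-01T08:13:44Z 10.0.0.7 api.examplespy.invalid A",       # exact C2 domain
    "2023-03-01T08:13:45Z 10.0.0.7 v2.sync.examplespy-cdn.invalid A",  # subdomain of a C2
    "2023-03-01T08:14:00Z 10.0.0.9 notexamplespy.invalid A",        # shares a suffix only
    "malformed line here",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def build_domain_index(indicators):
    """Map every listed domain to (family, kind), kind being 'website' or 'c2'."""
    index = {}
    for entry in indicators:
        family = entry["name"]
        for domain in entry.get("websites", []):
            index[domain.lower()] = (family, "website")
        for domain in entry.get("c2", {}).get("domains", []):
            index[domain.lower()] = (family, "c2")
    return index


def lookup(qname, index):
    """Return (family, kind) for qname or its closest listed parent domain.

    Walks from the full name towards the TLD, so a hit on a more specific C2
    entry wins over the family's bare website domain. The bare TLD is never
    tried, and label boundaries are respected, so 'notexamplespy.invalid'
    does not match 'examplespy.invalid'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return index[candidate]
    return None


def scan_dns_log(lines, index):
    """Return one hit dict per log line whose query name matches the index."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        found = lookup(m["qname"], index)
        if found:
            family, kind = found
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "family": family, "kind": kind})
    return hits


def summarize(hits):
    """Per client: which families were seen and whether any hit was a C2 domain."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["client"], {"families": set(), "c2": False})
        s["families"].add(h["family"])
        s["c2"] = s["c2"] or h["kind"] == "c2"
    return {c: {"families": sorted(s["families"]), "c2": s["c2"]} for c, s in summary.items()}


if __name__ == "__main__":
    idx = build_domain_index(SAMPLE_INDICATORS)
    for client, info in summarize(scan_dns_log(SAMPLE_DNS_LOG, idx)).items():
        verdict = "C2 traffic: app likely installed" if info["c2"] else "website only"
        print(f"{client}: {', '.join(info['families'])} ({verdict})")
```

To run this against the real feed, load `ioc.yaml` with a YAML parser (e.g. PyYAML's `safe_load`) and pass the resulting list to `build_domain_index`; a website-only hit is a weak signal on its own, whereas a C2 hit from a device is worth a closer look with tooling such as spytrap-adb.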
