Stalkerware-type app developers fined by NY Attorney General

Stalkerware is a huge problem when it comes to intrusion into people’s personal lives. “Friends”, strangers, family members, abusive spouses and many more can potentially dabble in this malignant pastime and cause all manner of trouble for their target.

Thanks to the New York Attorney General’s office, some folks will shortly be made aware of a little extra something lurking on their devices, after it landed a developer with a $410,000 fine and a requirement to notify people that their devices are running monitoring software. 

A wealth of personal information

As far as the apps in question go, the release [PDF] explains what they can get up to without the device owner’s knowledge. This is a long extract, but it’s important to get a feel for just how much the device owner gives up privacy without knowing about it:

“Once installed on a Target Device, the Spyware App will copy information from the Target Device and transmit it to Respondents’ servers, where the information is made available for viewing by the purchaser of the Spyware App. Information copied and transmitted by Respondents’ Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited). “

Up until October 2021, which brought changes to both iOS and Android, these apps could have their icon hidden by whoever was in control of the app. All data grabbed by the app could be viewed by the controller via a web dashboard. This data was organised in a way which made it easy for the spyware controller to browse at leisure.

Of ads and reviews

On top of all of this, the respondents “misrepresented the legal risks of using the spyware products for covert spying”. In other words: Websites and adverts promoted use of these tools in a positive light, with no clear references to how you could land yourself in legal hot water by using them. It’s all “catching your cheating partner in the act” and “relationship advice”, and not “covert spying on people without their permission could well be illegal in your region”.

Last but not least, there was no indication of affiliation with supposedly independent third-party review websites covering the spying tools in question. If this all sounds like a recipe for disaster for the app developers, you’d be right. The real shame is that some of these tools have been available since “at least” 2011. Better late than never?

All’s well that ends well?

This isn’t a one and done issue. Correct and proper notification on devices where these installations reside in the future must take place:

“In addition, Hinchy’s companies must modify the apps and software so that the owner of the device being monitored is notified and informed of the types of information collected by the app or software and made available for viewing by the user of the product. The agreement further requires Hinchy and his companies to make accurate disclosures regarding endorsements, rooting and jailbreaking requirements, refund policies, and data security.”

With no real way to dodge proper notification, this is a serious blow to software which is heavily reliant on being as invisible as possible. We can only hope that this gives some more app developers pause for thought. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.