AV-TEST Stopped in its Tracks: Stalkerware for Spying Under Android

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,898
More and more dubious apps offer their services for spying and stalking, in order to secretly surveil unwitting persons, acquaintances or (ex-)partners. With a good security app for Android, it's also possible to unmask these deceitful attackers.

The market for Android apps with which devices can be secretly monitored, tracked and spied on, is steadily growing. There is brisk demand for so-called spying stalker apps, as they can be used to monitor Android devices such as smartphones or tablets. The devious part: once installed, the monitoring software hides on the device or sometimes disguises itself as a harmless service or game app. The capabilities of these apps on the device are vast, as they often operate in admin mode, thus having the highest permissions on a given device. Those who are uncertain and feel monitored can help themselves. A good security app detects the monitoring app for spying or stalking. The lab at AV-TEST examined what these security apps are capable of.

Unmasked in the lab: stalkerware for spying

A total of 18 security apps for Android demonstrated in the lab how well they can detect spying stalkerware. Included in the test were the apps from AhnLab, Antiy, Avast, AVG, Avira, Bitdefender, ESET, F-Secure, G DATA, Google, Ikarus, Kaspersky, LINE, McAfee, NortonLifeLock, Protected.Net, securiON and Trend Micro.

In the test, the candidates had to detect stalkerware 29 times. Most of the apps did a good job at it. All 29 or 28 intrusive apps were revealed by the security apps from Antiy, Bitdefender, Trend Micro, as well as ESET and Kaspersky. Following close behind with a 93.1% detection rate were F-Secure and G Data.

The remaining field detected 89.7 to 58.6 percent of the stalkerware and spy apps. Android's internal Google Play Protect security app only reports 31 percent of these tools, which are actually forbidden.

FYI: The security tools also often detect the stalkerware under other categories, such as PUAs (potentially unwanted applications), riskware, malware or simply infection.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,898
From the same source: Technical tips on examining an Android device for stalkerware
Anyone somewhat well versed in the technical features their smartphone can run their own check to see whether spyware may be lurking on their device.

The commands tend to vary among devices, but most of them are quite similar. Many smartphones also offer a search function in the settings menu that will lead to the proper setting.

Enabled: System / Developer (options)
  • Observation: Developer options are surprisingly available as a submenu item or have been activated.
  • Consequence: Makes it possible to remotely control the device and install apps on the device.
Enabled: Apps or Security / Install unknown apps
  • Observation: On an app (e.g. Chrome Browser), Install unknown apps or Allow from this source is enabled.
  • Consequence: Allows the installation of apps from unofficial sources or download from a website.
Security / Device admin apps
  • Observation: Unknown apps have admin rights.
  • Consequence: Apps with admin rights can only be removed if the rights have been revoked. This prevents removal of an app via the Android Package Manager, as it has a higher permission level.
Input assistance / Service apps
  • Observation: Unknown apps are entered as a service.
  • Consequence: Allows the reading out and interaction with the Android interface, as well as from running apps.
Google or Security / Play Store or Play Protect
  • Observation: Play Protect has been disabled.
  • Consequence: Scans and warnings through Play Protect are prevented
Connection or Mobile Network / Data usage
  • Observation: An unknown app is generating lots of network traffic.
  • Consequence: A contractual data volume is quickly used up and the battery of the smartphone is depleted more quickly.
In an installed security app
  • Observation: The installed mobile security app reveals deactivated scan options, "ignored" objects or apps defined as "safe".
  • Consequence: "Ignored" objects or apps defined as "safe" are normally excluded from scans and no further warning is displayed for them.
 
Top