Researchers from Cornell Tech, NYU, Technion, Cornell University, and Hunter College conducted what was described as the first large-scale study of apps used by stalkers to track their intimate partners.
“Survivors of intimate partner violence increasingly report that abusers install spyware on devices to track their location, monitor communications, and cause emotional and physical harm,” researchers said in the “The Spyware Used in Intimate Partner Violence” report.
Researchers first tried to simulate the activities of someone looking to carry out abusive behaviors and found an abundance of resources, including easy-to-find spyware and ways of simply misusing legitimate apps to stalk victims.
To run this test, the researchers ran several Google queries on a small set of terms such as “track my girlfriend's phone without them knowing” and collected Google's suggestions from similar searchers to seed further searches. These searches returned more than 27,000 URLs, revealing a wide variety of resources including blogs reviewing different apps, how-to guides, and news articles about spyware aimed at helping people engage in some form of intimate partner surveillance.
Researchers found 65 percent of these linked to blogs, videos, or question-and-answer forums discussing how to engage in intimate partner surveillance (IPS).
“The blogs describe how to use one or more tools to spy on someone,” the report said. “Example blog post topics include ‘Read your wife's messages without touching her phone’ on a blog linking to mSpy and ‘These apps can help you catch a cheating spouse’ appearing on the NY Post news site.”
These queries also returned 23 functional apps not available on any official app store, several links to apps available on official app stores, and hundreds of spyware apps.
The findings helped highlight that while there are several explicit spyware apps, there are also several dual-use apps that have a legitimate purpose (e.g., child safety or anti-theft) but are easily and effectively repurposed for spying on a partner. Some of the app developers were found to advertise their products' malicious alternative uses in advertisements, blogs, and customer support services.
“Some apps are overtly branded for surreptitious monitoring, like FlexiSpy and mSpy,” researchers said in the report. “But survivors and professionals report that other seemingly benign apps, such as family tracking or ‘Find My Friends’ apps [8, 29, 58], are being actively exploited by abusers to perform IPS.”
The researchers said there is an acute need for the security community to help mitigate the threat caused by the misuse of these apps. In response to the report, Google improved safety for its users by taking action against apps that violated Play Store policies and has also increased restrictions on advertisement serving for IPV-related queries.