Sophos Cloud Optix
In what US officials say is the first-ever case of its kind, the maker of a mobile spyware app marketed at people who want to stalk their partners has been indicted in the state of Virginia, the Department of Justice (DOJ) said on Monday.
The feds arrested Hammad Akbar, 31, of Lahore, Pakistan, in Los Angeles on Saturday.
Akbar is the CEO of the company that advertises and sells the spyware – called StealthGenie – online.
Akbar and his employees – the DOJ calls them “co-conspirators” – have been charged with allegedly creating and distributing a known interception device.
StealthGenie is used to intercept email, images, video, phone calls, texts and other communications on mobile phones, and to turn a mobile device into a bug that can pick up sound in a 15-foot radius around a target, while being undetectable by the average user.
Typically, spying on people is legal only for law enforcement, with the exceptions of targeting kids or employees.
To adhere to the legal side of the line, monitoring apps have to be marketed at employers who want to keep an eye on their workers, or guardians who want to watch over their kids.
StealthGenie, however, made no bones about its target audience being jealous people.
According to the DOJ, StealthGenie’s business plan stated that the primary population to target marketing at are people who want to stalk their partners:
This business plan ... stated that the first target population for the marketing of the app was "[s]pousal cheat: Husband/Wife of boyfriend/girlfriend suspecting their other half of cheating or any other suspicious behaviour or if they just want to monitor them.
The so-called “spousal cheat” market would constitute 65% of buyers, according to the business plan:
According to our market research[,] the majority chunk of the sales will come from people suspecting their partners to be cheating on them or just wanting to keep an eye on then [sic].
Assistant Attorney General Leslie Caldwell said in the DOJ’s statement that this type of spyware isn’t just illegal; it’s also specifically designed to empower stalkers and domestic abusers:
Selling spyware is not just reprehensible, it’s a crime. Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life - all without the victim’s knowledge.
In fact, those who work with domestic violence victims have urged the government to crack down on the technically savvy abusers who use monitoring tools to better control their victims.
Cindy Southworth of the National Network to End Domestic Violence told the Washington Post that StealthGenie’s particularly dangerous, given that surveillance targets typically can’t tell it’s been installed:
The fact that it’s running in surreptitious mode is what makes it so foul. They work really hard to make it totally secretive.
StealthGenie runs on mobile phones including iPhone, Android, and Blackberry.
One of the features its makers were evidently most proud of – to the extent that they devoted a YouTube video to it – is the so-called “Mobile GeoFencing” feature.
GeoFencing allows purchasers to treat their targets like so many cattle roaming in and out of “red” and “green” user-delineated geo-specific zones.
The feature can be set to send alerts to indicate when a phone user enters a red zone, or even if they get close to the boundary of a green zone.
Court filings suggest that Akbar has contended that any legal issues were limited to SmartGenie’s clients and weren’t his company’s problem.
The Washington Post quotes him in a 2011 email:
When the customer buys the product, they assume all responsibility. We do not need to describe the legal issues.
On Friday, 26 September, a federal judge in the Eastern District of Virginia issued a temporary restraining order authorizing the FBI to temporarily disable the website hosting StealthGenie.
This comes as good news for victims of stalking and domestic violence.
Let’s hope it starts a trend.
I’d love to see the Feds examine other monitoring software vendors, including mSpy, which back in March had the brainstorm of selling phones pre-loaded with spyware.
That obviated the need for stalkers to get their mitts on the phones for even the few minutes it takes to install spyware, and it set forth the prospect of spies gifting their loved ones with boobytrapped phones.
Can stalkers install this spyware on your phone without ever having physical access to the phone?
No. Stalkers need access to the phone, if just for a few minutes, to install either StealthGenie or mSpy.
Having said that, there are ads out there—very fishy-looking ads—for spyware that installs remotely. I can’t vouch for whether they’re legitimate or not, but an app that installs remotely without a user’s permission would hopefully be blocked by security software.
How can an average user tell if somebody’s installed spyware on their phone?
Unfortunately, it’s hard to do. Increased battery drain, storage or data usage might indicate something’s up, but how many of us average people have the time, or the know-how, to check such things?
As far as security software goes, these apps often get classified as “Potentially Unwanted Apps” (PUAs) rather than as malware, given that, typically, they’re manually installed, and somebody’s agreed to their terms.
And again, these apps can be legally used for parental tracking of children, employee monitoring (preferably with informed consent), or tracking down a lost or stolen phone.
All of that means that they can’t really be defined as malware, regardless of how dangerous they can be in the wrong hands or how easy it is to use the apps for illegal purposes.
And just FWIW, spyware sometimes also comes tucked away in other programs—for example, apps from websites that look useful or attractive, but could be harboring hidden tracking functionality that gathers marketing statistics.
An example is a Trojan that Sony embedded into CDs that silently installed and concealed itself on buyers’ computers with the intention of preventing illicit copying. It also reported on users’ listening habits, and created vulnerabilities that were exploited by unrelated malware, according to Mark Russinovich. (http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx)
I’m going to quote my friend, security guy Peter Bance, here:
Best answer? Don’t let anyone near your gadget.
And if you have, wipe it and start again.
So, it is illegal to install an app to stalk your partner, however: is it illegal as well to hire a detective (or get the help of a friend, etc.) to stalk your partner?
I mean, the app here is just the means, the objective is stalking. When is stalking legal/illegal, licit/illicit?
In most places, watching or following someone is allowed within reason, even maybe taking photos, which is what a PI would do; you can’t intercept their mail though, or rummage around in their house without permission, and meddling with their phone, emails etc are rightly treated the same.
The only problem I see with this application is that he marketed it as a means to “spy” on someone. The are so many applications sold and used everyday for the very purpose of (yes) spying, Net Nanny… Safe Driver… DadGuard… TextGuard… My Mobile Watchdog … and the list goes on.
How and where do phone stalkers put the device? I just found out my phone is hacked by my partner. It has turned out to be a very dangerous and traumatic experience. How do you stop this nonsense especially when the relationship is over? How do I report this to the police or court? Please advise. Thank you.