Stalkerware - ein Thema, welches uns alle betreffen könnte, aber das allgemeine Bewusstsein darüber momentan noch im Schatten steht. Hacker*in maia arson crimew stellte in der eigenen Blogserie "#FuckStalkerware" die Gefahren, Sicherheitslücken und Motive dar, die mit solchen Softwares daherkommen.
Über diese Themen sprechen wir auch im Interview mit maia arson crimew:
Stalkerware wird von einer anderen Person auf deinem Handy installiert - entweder persönlich, oder durch einen Link, welchen du antippst. Dadurch bekommt diejenige Person Zugriff auf sämtliche Daten, die du auf deinem Gerät hast - seien es Bilder, Nachrichten, oder deine Location.
In vielen Fällen werde Stalkerware von Eltern eingesetzt, damit sie ihre eigenen Kinder überwachen können, erklärt maia arson crimew im Interview. Ein weiteres Beispiel sei auch, Beziehungspartner*innen beim Betrügen zu ertappen. Einen grossen gemeinsamen Nenner gibt es hier: Stalkerware sei in keinem Fall angebracht. Jede Person - ob Erwachsene, Jugendliche, oder Kinder - verdienen Privatsphäre.
Nur schon, dass Stalkerware existiert, ist eine Gefahr. Es kommt noch dazu, dass jene Firmen, die sie verkaufen und anbieten, schnell und oftmals gehackt werden. Auch das hat maia arson crimew in der eigenen Blogserie aufgezeigt - alle der vier untersuchten Firmen hatten erhebliche Sicherheitslücken.
Wenn diese Sicherheitslücken dann ausgenutzt werden, dann geschieht es schnell, dass all die persönlichen und sensiblen Daten geleakt sind. Plötzlich habe man Zugang zu Daten, die gar nicht existieren sollten - aber leider doch einen wichtigen Zweck erfüllen:
"Praktisch alles, was wir über Stalkerware wissen, kommt von gehackten Daten"
maia arson crimew | Hacktivist*in
maias Ziel sei es hierbei, wenigstens sicherzustellen, dass diese persönlichen Daten sicher sind und nicht für andere böswillige Zwecke verwendet werden.
Hinter Stalkerware stecken zahlreiche Firmen, die sie anbieten. Im vierten und momentan neusten Blogbeitrag nahm sich maia arson crimew die Firma "TheTruthSpy" vor und fand schnell die ersten Sicherheitslücken - seit 2022 wurde diese Firma vier Mal auf die gleiche Art gehackt, von wessen der letzte Fall von maia selbst war.
maia arson crimew meldete sich auch immer bei den untersuchten Firmen und bat um Rückmeldung und machte auf die erheblichen Sicherheitslücken aufmerksam. So wirklich schien das aber insbesondere den CEO von "TheTruthSpy" nicht zu interessieren - maia solle mit den Daten machen, was es will. Die Firma habe keine Zeit und Ressourcen, um dem nachzugehen.
"Die meisten dieser Stalkerwares sind einfach ein schneller cash-grab"
maia arson crimew | Hacktivist*in
Warum die eigene Sicherheit verbessern, wenn man einfach weiterhin Geld mit lückenhafter Stalkerware machen kann? Das scheint das Sentiment vieler dieser Firmen zu sein. Einige Stalkerware Apps bieten ihre Dienste beispielsweise für 40-50 Franken pro Monat und pro Gerät an.
Ein baldiges Ende der Stalkerware-Problematik könne sich maia arson crimew nicht vorstellen. Viel habe sich selbst in den letzten 15 Jahren nicht geändert - das Konzept von Stalkerware scheint noch immer sehr bizarr und wird kaum eingegrenzt. Es sei noch immer schlimm und funktioniere auch noch immer. Eine komplette Verbannung von solchen Funktionen sei auch fast unmöglich - Stalkerware würde auch dann im Untergrund weiterleben.
Wichtig ist für maia momentan insbesondere, auf die Gefahren von Stalkerware aufmerksam zu machen - die Aufklärung rund um Stalkerware sei ausschlaggebend, dass sie weniger Erfolg erlebt und eingedämmt werden kann.
If you want to read the transcribed version of the entire interview in English, then this is the place for you:
Trojaner: You released a series about stalkerware, called #FuckStalkerware. You looked into the security gaps and discovered the people and companies that are behind it. However - do you think that there are also good ways in which stalkerware can be used?
maia arson crimew: I think the only use is if someone says: Hey, I often have dissociative moments where I just don't want to go out, and I think it helps me a lot when people around me know where I am, and can see what I'm doing.
I also have friends who have GPS tracking devices, so that their friends can know that they're safe. I think that's totally okay. It's just something you can't consent to if someone asks you [to use a stalkerware software]. Because usually it's someone who has power over you.
What most people still use as a valid-use case, is, to use it only for child surveillance. Which I still think is fucked up, because, in the end, all people deserve privacy. And especially with children, who are being watched by their parents, it's just as bad as having any other kind of controlling parents. The effect it can especially have on queer children is crazy. Because usually it's not only about bullying, but also about finding out what my children don't tell me. But usually it's more about them not trusting you, and having no reason to trust you as a parent. It's like an attempt with technology, to solve interpersonal problems.
I keep bringing it up, but a lot of these stalkerware-websites have testimonials on their website. In the sense of: "We installed this on our son's phone, and found out he was depressed. We now spend more time with him, and he seems more happy." ...Did he really need an app to find out that he was having such a bad time? It's like, you can find out things your children don't tell you, but usually it's a problem of trust, that you created, by not giving them a certain security, or a space, or not giving them enough time. And you don't solve that with an app.
Usually you get more problems because of that. You just have some proof. And what do you do? It makes the situation even more difficult. You'd have to say: "I've been spying on you for the last few months, and I know you're having a bad time." I don't see how that is helpful. It doesn't keep anyone safe. And when you confront your children with that, I feel like it hurts their trust even more. You're doing something without a conversation.
That's why we find it bad for adults - because it's a breach of trust. I think it's important with a lot of parental control software, where we often put words in their mouths that they're supposedly okay with things like Life360 where you can see that you're being watched. But I think it's equally problematic.
Also because of the power dynamic you have with your parents or with a partner, whether it's financial or explicit. As a child, you're both financially and legally dependent on your parents. And that's a moment where you can't say no. I think it's crazy that we look at it like it's consensual. And then it's like, oh, I get it. I find it very interesting how we suddenly think differently. Because the belief in our society is that children are the property of their parents. And I think that's a very important point.
Trojaner: The existence of stalkerware in itself is already a problem. But another problem is that it gets hacked again and again. The companies are absolutely insecure. When they're hacked, all the data would be leaked... which could be a double-edged sword.
maia arson crimew: Exactly. In the end, it's this stupid problem that we have a lot with hacktivism. We suddenly have access to data that shouldn't even exist. And in this case, I always think that if these facts exist, I at least want them to be safe. That's why whenever we write something or do journalistic work about stalkerware, we always go to these companies and point out the security gaps. Because ideally, they will actually be protected. In the end, it's about the victims of stalkerware being safe, at least.
Deleting server data is unfortunately also stupid, because it can lead to escalations of situations. That's why it's difficult. In the end, it's the same as with almost all the data that shouldn't exist. We also have the problem that it's exactly the data that is very valuable for journalism and research. Almost everything we know about the stalkerware industry comes from hacked data. Very little of it is insider info from people who eventually talked about it, even if that's unfortunately way too rare.
In the end, it's difficult, just like with any other shady business. Most people who work in it are not... I don't want to say involuntarily, but it's like you don't have a lot of choices for which employer you work for.
Trojaner: I always find it difficult to think about how to protect myself from stalkerware, except to not click any random links that someone sends me or that I find on the internet.
maia arson crimew: Exactly. One way to protect yourself is to not give your partner your phone passwort. It's so stupid. Even if you can trust someone a lot, it's still a trust that can be broken. And in this context it can have quite serious consequences. Especially if you're not with that person anymore.
There are a few apps that have remote installation. It's basically about getting tricked into downloading a ringtone creator and activating it with its activation code, which of course activates the stalkerware and links it to the account of the person watching you. But basically most of it is recognized by antivirus software. It's basically something that antivirus companies fight against. But protecting yourself against it is difficult. It's an interpersonal problem. It's a problem of abuse and controlling behavior. It's a much bigger and broader problem.
Trojaner: In your #FuckStalkerware series you also released individual data that you found in these different companies. How did you decide on which data to release?
maia arson crimew: Basically I release a lot of data directly to the journalists or researchers. [...] The only things I released here are lists of the domains of email addresses so that you can get a very basic overview of who and where the people behind it are, and what kind of software is used. It's mostly about Gmail addresses. But sometimes you find interesting things there like government email addresses and so on.
Trojaner: You looked at four different companies that offer stalkerware. One that stood out to me the most was TheTruthSpy. But in general you always wrote to the people who were behind it and said, hey, you have a huge security gap, you should fix it. But this rarely resulted in anything and the involved people didn't really react to it. Why does it seem as if these companies don't take their own stalkerware seriously?
maia arson crimew: I think a lot of it is because there is no big answer to the question. Most of these companies at least considered that it might be bad for the image. If not, they just lie and talk shit and you find out that they were involved. In other cases it's like with TruthSpy where the CEO gets so angry that he gives me all the information and says that they don't give a shit about security issues.
They haven't fixed any of it so far. The crazy thing about the TruthSpy article is that it's about security issues that were reported in 2022, in February or even before that. There was even a US government advisory that these apps were unsafe. Not even the original security gap was fixed.
Most of these stalkerware apps are just a quick cash grab - like a side business of a web design company. That's shit. But then it's usually that they still make too little money and then they're like, what would be the easiest and fastest thing to do? Stalkerware is something that you can easily promote online. You just have to post enough patriarchal shit on Reddit and feed into the anxiety that especially men have. [...]
A lot of the apps that I'm currently looking at are like 40-50 bucks per month per device that you want to monitor. It's pretty crazy and usually they're just shit but it's the best you can find. [...] It's just a quick cash grab.
Trojaner: You mentioned the CEO of TruthSpy and that he said that he wasn't interested in what you were doing with the data. Did you get any other updates or reactions from the other companies you looked into?
maia arson crimew: At SpyHide, which I also looked at, they recently announced that they're changing their name to OOSpy. Everyone is so stupid with names..
Trojaner: They just rebranded themselves.
maia arson crimew: Yeah, they just rebrand themselves. It's a pretty normal practice as soon as you get bad press, you just use a different name and keep doing the same thnngs. It didn't work for them for long, because we already had some other information at this point. For example when their server was shut down in Germany because it's not allowed on their server.
On the other hand, we found a PayPal account where they need money for payments. It was the same name as the guy I sent an email to when we found out that he was in the business. He said he was only part of it 7 years ago. It's always 7 years and it's always for a short time and we don't do it anymore because we know it's bad. I think that's the funniest thing.
They always admit that they know it's not moral. But it's just a part of their lie. It's quite interesting. It was the same family name on the PayPal account. Then another journalist wrote to him again and within an hour the whole page was offline. And then he didn't answer again because he "wasn't involved". And I was like, bro... Who else reads your emails? It's just...
Trojaner: You always get cheap excuses.
maia arson crimew: Yes, super cheap excuses. But they still react really quickly to what you're saying to them. It's just... I don't know what they're thinking. That we're not capable to check if they changed their infrastructure?
Trojaner: If we go back to the motive of companies that offer stalkerware - you said it's just a cash grab. Do you have any other ideas why stalkerware is so popular?
maia arson crimew: There are always weird connections between these companies. You can see that they bought each other and copy each other. But I think it's mostly a money making thing. Because you can see that they're all aware that they're doing something shady. Most of them try to hide that they're involved, and not only for legal reasons. Most of the time these countries don't consider it illegal. That's another cool disclaimer that these companies use: You can only use it if it's legal. So... Wow. Cool. But... It's very difficult to go against the law in these cases, except they're active in the EU or in the USA.
Trojaner: So they're all very connected, and as long as they're online, the problem of stalkerware is still there. What's the reason why there is so little done against stalkerware?
maia arson crimew: [...] The will is not there. There's also the difficulty that most of these companies advertise themselves only as tools for child surveillance. That's something that a government would never consider illegal. The only governments that could do anything are all the western governments. And we have the cool western image of Family.
Yeah... It's difficult, because you can't do much more than go against all of the stalkerware companies individally. Which is difficult because most of them are in random countries all over the world. That's why I think the grassroots activism work is important and also the hacking.
You can tell that there's a bit more pressure with how many companies have been hacked over the last two years. Many of them don't even try to rebrand and just give up immediately. Or they give up after one try because they notice that we're quite persistent. And because it's only about money making it's not worth it.
I think the best attack point is to make stalkerware something that isnt financially beneficial. But I think it will always exist in the underground. That's what would happen if we tried to regulate it. That it would move further underground.
What's also very important is the awareness: The media work I'm doing here as well, because many people don't even know that this exists. Stalkerware is a weird concept. It doesn't seem very real. And I think that's why it's important to do this work. And to show the awareness that you can defend yourself against it.
Trojaner: You mentioned that stalkware will always exist as an underground business. What do you further see as the future of stalkware?
maia arson crimew: It's difficult. I don't think much will change. It's a software that's been the same for 15 years. It's just as bad and still works. I think it's because it's a simple money-making strategy. It's very difficult to say, but it's important. I think I can't say anything much more specific.
Trojaner: That's all from my side. Do you have anything to say about stalkware in general or about your series?
maia arson crimew: No, not much else. Shoutout to Zach Whittaker from TechCrunch, who always works with me on this topic. He's the journalist who's been and still is talking about stalkerware the longest. There are far too few journalists who work on this.
If you're interested in tech journalism or want to get involved, then take up this topic. It's really cool. No, it's not really cool, but it's a big, interesting topic. It's a niche of journalism that hasn't been worked on enough. It's a cool topic to take up.
