Authors: Philippe Mangeard, Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef



Intimate partner violence (IPV) is a form of abuse in romantic relationships, more frequently, against the female partner. IPV can vary in severity and frequency, ranging from emotional abuse or stalking to recurring and severe violent episodes over a long period. Easy access to stalkerware apps helps foster such behaviors by allowing non-tech-savvy individuals to spy on their victims. These apps offer features for discreetly monitoring and remotely controlling compromised mobile devices, thereby infringing the victim’s privacy and the security of their data. In this work, we investigate methods for gathering evidence about an abuser and the stalkerware they employ on a victim’s device. We develop a semi-automated tool intended for use by investigators, helping them to analyze Android phones for potential threats in cases of IPV stalkerware. As a first step towards this goal, we perform an experimental privacy and security study to investigate currently available stalkerware apps. We specifically study the vectors through which vulnerabilities found in stalkerware apps could be exploited by investigators, allowing them to gather information about the IPV services, IPV abusers, and the victims’ stolen data. We then design and implement a tool called WARNE, leveraging the identified flaws to facilitate the information and evidence collection process. In our experiments, we identified 50 unique stalkerware apps and their corresponding download websites that are still reachable, including one available on the Google Play Store. Among these apps, we found 30 that were free or offered a free trial. We enumerated and experimentally verified several invasive capabilities offered by these apps to clearly identify the severe privacy risks posed by them. We also found that most stalkerware apps store private information locally on the compromised device, potentially giving away information about the abuser. Our evidencegathering tool found data related to the abuser and/or the stalkerware company, such as account credentials, dashboard URLs, and API tokens in 20 apps out of 30 tested apps. We hope our tool will help IPV victims and investigators against the growing threat of stalkerware abuse.