S&P2018
The Spyware Used in Intimate Partner Violence
Rahul Chatterjee, Periwinkle Doerfler, Hadas Orgad, Sam Havron, Jackeline Palmer, Diana Freed, Karen Levy, Nicola Dell, Damon McCoy, Thomas Ristenpart
167 citations
Abstract
Survivors of intimate partner violence increasingly report that abusers install spyware on devices to track their location, monitor communications, and cause emotional and physical harm. To date there has been only cursory investigation into the spyware used in such intimate partner surveillance (IPS). We provide the first in-depth study of the IPS spyware ecosystem. We design, implement, and evaluate a measurement pipeline that combines web and app store crawling with machine learning to find and label apps that are potentially dangerous in IPS contexts. Ultimately we identify several hundred such IPS-relevant apps. While we find dozens of overt spyware tools, the majority are "dual-use" apps: they have a legitimate purpose (e.g., child safety or anti-theft), but are easily and effectively repurposed for spying on a partner. We document that a wealth of online resources are available to educate abusers about exploiting apps for IPS. We also show how some dual-use app developers are encouraging their use in IPS via advertisements, blogs, and customer support services. We analyze existing anti-virus and anti-spyware tools, which universally fail to identify dual-use apps as a threat.
provide, and observing how they are marketed. We uncover three broad categories of apps: personal tracking (e.g., find-my-phone apps), mutual tracking (e.g., family tracking apps), and subordinate tracking (e.g., child monitoring apps). The three types of apps have differing capabilities, though all can be dangerous in an IPS context. The worst allow covert monitoring of all communications, remote activation of cameras and microphones, location tracking, and more. Two of the on-store apps we analyzed, Cerberus and TrackView, violate Play Store policy by hiding their app icon and showing no notifications, making them as covert as off-store spyware. (We reported these apps to Google for review, see discussion about our disclosures below.)
All 70 apps are straightforward to install and configure, making them easy to use by abusers. Some off-store apps overtly advertised themselves for use in IPS. An example is HelloSpy, whose website depicts a man physically assaulting a woman with surrounding text discussing the importance of tracking one's partner, see Figure 1. Others, including those on the Play Store, most often do not have descriptions or webpages promoting IPS. However, further investigation revealed that a number of these apps advertised or condoned IPS as a use case. We document that vendors advertise on IPS-related search terms such as "how to catch cheating girlfriend" on both Google and Play Store. We also uncover networks of IPS-focused websites that link exclusively to a specific app's webpage and directly advertise IPS use cases for the app. For a subset of 11 apps (6 on-store and 5 off-store), we contacted customer service representatives posing as a potential abuser. In response to the question "If I use your app to track my husband will he know that I am tracking him?", 8 out of 11 responded with affirmative explanations implicitly condoning IPS. Only one (an off-store app) replied with an admonishment against use for IPS. Two apps did not respond.
Performance of anti-spyware tools. The existence of so many easy-to-use, powerful apps usable for IPS demonstrates that victims need detection and cleanup tools. A variety of tools advertise their ability to deal with spyware. These include tools from major anti-virus vendors, such as Symantec, Kaspersky, and Avast, as well as some lesser-known tools. As far as we are aware, no one has evaluated any of these tools for the particular task of detecting IPS spyware or dual-use apps. We evaluate anti-spyware tools against a corpus of 280 on-store apps detected by our crawl of Google Play (that we manually verified to be usable for IPS) and all 23 off-store spyware apps we identified.
No anti-spyware tool effectively detects IPS-relevant apps. The best performing (Anti Spy Mobile) flagged 95% of off-store spyware, but only 47% of on-store IPS-relevant apps. The tool also has a prohibitively high false positive rate of 12%, labeling applications such as Google Chrome and Play Store as spyware. The major anti-virus systems were some of the worst performers for dual-use apps (flagging at most 13% of on-