Viry a Červi

 The state of stalkerware in 2022 (PDF)

Main findings of 2022

The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be discretely installed on smartphone devices, enabling perpetrators to monitor an individual’s private life without their knowledge.

Stalkerware can be downloaded and easily installed by anyone with an Internet connection and physical access to a smartphone. A perpetrator violates the victim’s privacy as they can then use the software to monitor huge volumes of personal data. Depending on the type of software, it is usually possible to check device location, text messages, social media chats, photos, browser history and more. Stalkerware works in the background, meaning that most victims will unaware that their every step and action is being monitored.

In most countries around the world, the use of stalkerware software is currently not prohibited but installing such an application on another individual’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer of the application.

Along with other related technologies, stalkerware is part of tech-enabled abuse and often used in abusive relationships. As this is part of a wider problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support professionals and victims alike.

2022 data highlights

• In 2022, Kaspersky data shows that 29,312 unique individuals around the world were affected by stalkerware. Compared to the downwards trend that has been recorded in previous years, this is similar to the total number of affected users in 2021. Taking into account the developments in digital stalking software over the past few years, the data suggests there is a trend towards stabilization. More broadly, it is important to note that the data covers the affected number of Kaspersky users, with the global number of affected individuals likely to be much higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
• In addition, the data reveals a stable proliferation of stalkerware over the 12 months of 2022. On average, 3333 users each month were newly affected by stalkerware. The stable detection rate indicates that digital stalking has become a persistent problem that warrants wider societal attention. Members from the Coalition Against Stalkerware estimate that there could be close to one million victims globally affected by stalkerware every year.
• According to the Kaspersky Security Network, stalkerware is most commonly used in Russia, Brazil, and India, but continues to be a global phenomenon affecting all countries. Regionally, the data reveals that the largest number of affected users can be found in the following countries:
  • Germany, Italy, and France (Europe);
  • Iran, Turkey, and Saudi Arabia (Middle East and Africa);
  • India, Indonesia, and Australia (Asia-Pacific);
  • Brazil, Mexico, and Ecuador (Latin America);
  • United States (North America);
  • Russian Federation, Kazakhstan and Belarus (Eastern Europe (except European Union countries), Russia and Central Asia).
• Globally, the most commonly used stalkerware app is Reptilicus with 4,065 affected users.

2022 trends observed by Kaspersky Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate the statistics, the consumer line of Kaspersky’s mobile security solutions has been reviewed according to the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users have been targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the report statistics.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device of the same unique user if they decided not to remove the app upon receiving a notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

This section compares the global and regional statistics collected by Kaspersky in 2022 with statistics from previous years. In 2022, a total number of 29,312 unique users were affected by stalkerware. Graphic 1, below, shows how this number has varied from year to year since 2018.

Graphic 1 – Evolution of affected users year-on-year since 2018

Graphic 2, below, shows the number of unique affected users per month from 2021 to 2022. In 2022, the situation is almost identical to 2021, indicating that the rate of stalkerware proliferation has stabilized. On average, 3333 users were newly affected by stalkerware every month.

Graphic 2 – Unique affected users per month over the 2021-2022 period

Global and regional detection figures: geography of affected users

Stalkerware continues to be a global problem. In 2022, Kaspersky detected affected users in 176 countries.

Countries most affected by stalkerware in 2022

In 2022, Russia (8,281), Brazil (4,969), and India (1,807) were the top 3 countries with the most affected users. Those three countries remain in leading positions according to Kaspersky statistics since 2019. Compared to previous years, it is noteworthy that the number of affected users in the U.S. has dropped down the ranking and now features in fifth place with 1,295 affected users. Conversely, there has been an increase noted in Iran which has moved up to fourth place with 1,754 affected users.

Compared to 2021, however, only Iran features as a new entrant in the top 5 most affected countries. The other four countries – Russia, Brazil, India, and the U.S. – have traditionally featured at the top of the list. Looking at the other half of the top 10 most affected countries, Turkey, Germany, and Mexico have remained among the countries most affected compared to last year. New entrants into the top 10 most affected countries in 2022 are Saudi Arabia and Yemen.

Country Affected users 1 Russian Federation 8,281 2 Brazil 4,969 3 India 1,807 4 Iran 1,754 5 United States of America 1,295 6 Turkey 755 7 Germany 736 8 Saudi Arabia 612 9 Yemen 527 10 Mexico 474

Table 1 – Top 10 countries most affected by stalkerware in the world in 2022

In Europe, the total number of unique affected users in 2022 was 3,158. The three most affected countries in Europe were Germany (737), Italy (405) and France (365). Compared to 2021, all countries up to including seventh place in the list (the Netherlands) continue to feature as the most affected countries in Europe. New entrants in the list are Switzerland, Austria, and Greece.

Country Affected users 1 Germany 736 2 Italy 405 3 France 365 4 United Kingdom 313 5 Spain 296 6 Poland 220 7 Netherlands 154 8 Switzerland 123 9 Austria 71 10 Greece 70

Table 2 – Top 10 countries most affected by stalkerware in Europe in 2022

In Eastern Europe (excluding European Union countries), Russia, and Central Asia, the total number of unique affected users in 2022 was 9,406. The top three countries were Russia, Kazakhstan, and Belarus.

Country Affected users 1 Russian Federation 8,281 2 Kazakhstan 296 3 Belarus 267 4 Ukraine 258 5 Azerbaijan 130 6 Uzbekistan 76 7 Moldova 34 8 Tajikistan 32 9 Kyrgyzstan 31 10 Armenia 27

Table 3 – Top 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2022

In the Middle East and Africa region, the total number of affected users was 6,330, slightly higher than in 2021. While Iran with 1,754 affected users features at the top of this list in 2022, Turkey’s 755 affected users has seen the country move up to second in the region, followed closely by Saudi Arabia with 612 affected users.

Country Affected users 1 Iran 1,754 2 Turkey 755 3 Saudi Arabia 612 4 Yemen 527 5 Egypt 469 6 Algeria 407 7 Morocco 168 8 United Arab Emirates 155 9 South Africa 145 10 Kenya 123

Table 4 – Top 10 countries most affected by stalkerware in Middle East & Africa in 2022

In the Asia-Pacific region, the total number of affected users was 3,187. India remains far ahead of the other countries in the region, with 1,807 affected users. Indonesia occupies second place with 269 affected users, while Australia is third with 190 affected users.

Country Affected users 1 India 1,807 2 Indonesia 269 3 Australia 190 4 Philippines 134 5 Malaysia 129 6 Vietnam 109 7 Bangladesh 105 8 Japan 95 9 Thailand 52 10 Pakistan 48

Table 5 – Top 10 countries most affected by stalkerware in Asia-Pacific region in 2022

The Latin America and the Caribbean region is dominated by Brazil with 4,969 affected users. This accounts for approximately 32% of the region’s total number of affected users. Brazil is followed by Mexico and Ecuador in the list, while Colombia has moved into fourth place. A total number of 6,170 affected users were recorded in the region.

Country Affected users 1 Brazil 4,969 2 Mexico 474 3 Ecuador 146 4 Colombia 120 5 Peru 111 6 Argentina 85 7 Chile 49 8 Bolivia 32 9 Venezuela 30 10 Dominican Republic 24

Table 6 – Top 10 countries most affected by stalkerware in Latin America in 2022

Finally, in North America, 87% of all affected users in the region are found in the United States. This is to be expected given the relative size of the population in the United Sates compared to Canada. Across the North America region, 1,585 users were affected in total.

Country Affected users 1 United States of America 1,295 2 Canada 299

Table 7 – Number of users affected by stalkerware in North America in 2022

Global detection figures – stalkerware applications

This section lists the stalkerware applications most commonly used to control smartphones around the world. In 2022, the most popular app was Reptilicus (4,065 affected users). This year, Kaspersky detected 182 different stalkerware apps.

Application name Affected users 1 Reptilicus (aka Vkurse) 4,065 2 Cerberus 2,407 3 KeyLog 1,721 4 MobileTracker 1,633 5 wSpy 1,342 6 SpyPhone 1,211 7 Anlost 1,189 8 Track My Phones 1,137 9 MonitorMinor 864 10 Hovermon 827

Table 8 – Top 10 list of stalkerware applications in 2022

Stalkerware provides a means to gain control over a victim’s life. Their capabilities vary depending on the type of application and whether it has been paid for or obtained freely. Typically, stalkerware masquerades as legitimate anti-theft or parental control apps, when in reality they are very different – most notably due to their installation without consent and notification of the person being tracked, and their operation in stealth mode on smartphone devices,

Below are some of the most common functions that may be present in stalkerware applications:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS devices equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on ‘jailbroken’ iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users fearing surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

Together keeping up the fight against stalkerware

Stalkerware is foremost not a technical problem, but an expression of a problem within society which therefore requires action from all areas of society. Kaspersky is not only actively committed to protecting users from this threat but also maintaining a multilevel dialogue with non-profit organizations, and industry, research and public agencies around the world to work together on solutions that tackle the issue.

In 2019, Kaspersky was the first cybersecurity company in the industry to develop a new attention-grabbing alert that clearly notifies users if stalkerware is found on their device. While Kaspersky’s solutions have been flagging potentially harmful apps that are not malware – including stalkerware – for many years, the new notification alerts the user to the fact that an app has been found on their device that may be able to spy on them.

In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded and now not only informs the user about the presence of stalkerware on the device, but also warns the user that if stalkerware is removed the person who installed the app will be alerted. This may lead to an escalation of the situation. Moreover, the user risks erasing important data or evidence that could be used in a prosecution. Figure 2, below, shows the new warning in the blue box. Kaspersky’s Privacy Alert is included in all of the company’s consumer security solutions to protect against stalkerware.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group against stalkerware and domestic violence that brings together private IT companies, NGOs, research institutions, and law enforcement agencies working to combat cyberstalking and help victims of online abuse. Through a consortium of more than 40 organizations, stakeholders can share expertise and work together to solve the problem of online violence. In addition, the Coalition’s website, which is available in 7 different languages, provides victims with help and guidance in case they may suspect stalkerware is present on their devices.

From 2021-2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality, and Citizenship Program of the European Union. The five project partners that formed the consortium combined the expertise of the IT Security Community, Research, and Civil Society Organizations, and Public Authorities. As a result, the DeStalk project trained a total of 375 professionals directly working in women’s support services and perpetrator programs, and officials from public authorities on how to effectively tackle stalkerware and other digital forms of gender-based violence, as well as raising public awareness on digital violence and stalkerware.

As part of the project, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform, a freely available online micro learning training platform which can be accessed in five different languages. To date, more than 130 professionals have completed the e-learning course with a further 80 currently participating. Although the DeStalk project has ended, the e-learning course is still available on the DeStalk project website.

In June 2022, Kaspersky launched a website dedicated to TinyCheck to disseminate further information about the tool. TinyCheck is a free, safe and open-source tool that can be used by non-profit organizations and police units to help support victims of digital stalking. In 2020, the tool was created to check devices for stalkerware and monitoring apps without making the perpetrator aware of the check. It does not require installation on a user’s device because it works independently to avoid detection by a stalker. TinyCheck scans a device’s outgoing traffic using a regular Wi-Fi connection and identifies interactions with known sources such as stalkerware-related servers. TinyCheck can also be used to check any device on any platform, including iOS, Android, or any other OS’.

Think you are a victim of stalkerware? Here are a few tips…

Whether or not you are a victim of stalkerware, here are a few tips to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends, or colleagues.
• Change passwords for all of your accounts periodically and don’t share them with anyone.
• Only download apps from official sources, such as Google Play or the Apple App Store.
• Install a reliable IT security solution like Kaspersky for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical.

In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge, and newly installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third-party source. However, the above indicators are circumstantial and do not indicate the unequivocal presence of stalkerware on the device.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

For more information about our activities on stalkerware or any other request, please write to us at: ExtR@kaspersky.com.

Keeper protects your team’s credentials without slowing down business

Sponsored Feature  When the first computer system passwords were set in 1961, few people needed to carry personal credentials to get through daily life. Nowadays, login credentials are ubiquitous across nearly every application, software and web service.…

China and Russia won't be jammin' US sats no more

Boeing said on Tuesday its anti-jam ground-based satellite communications system had passed the necessary tests to validate its design for use in the U.S. Space Force’s Pathfinder program.…

Contractors left hanging while principals splurged on luxury goods

Three of the principals of an Australian scheme that offered free payroll services to tech contractors have been found guilty of conspiring to defraud the Commonwealth and conspiring to deal with the proceeds of crime.…

Customer info safe, or so we're told

Acer has confirmed someone broke into one of its servers after a miscreant put up for sale a 160GB database of what's claimed to be the Taiwanese PC maker's confidential information.…

Workaround: Throw away kit? Hope there's a patch?

If you're still using post-support DrayTek Vigor routers it may be time to junk them, see if they can be patched, or come up with some other workaround, as a malware variant is setting up shop in the kit.…

Security bugs in the very code you've been told you must have to improve the security of your computer...

Who needs deepfakes when you've got makeup and 'element of surprise'?

Pro-Russian scammers using social engineering and impersonation to trick prominent western commentators into conducting recorded video calls have kicked these campaigns "into high gear" over the past 12 months, according to security researchers.…

Don’t let miscreants poison the wells

The US government is requiring states to assess the cyber security capabilities of their drinking water systems, part of the White House's broader efforts to protect the nation's critical infrastructure from attacks by nation-states and other cyber threats.…

Millions extorted from victims, one attack left hospital patient dead

German and Ukrainian cops have arrested suspected members of the DoppelPaymer ransomware crew and issued warrants for three other "masterminds" behind the global operation that extorted tens of millions of dollars and may have led to the death of a hospital patient.…

Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in Düsseldorf.

Year 2022 in numbers Parameter H1 2022 H2 2022 2022 Percentage of attacked ICS computers globally 31.8% 34.3% 40.6% Main threat sources Internet 16.5% 19.9% 24.0% Email clients 7.0% 6.4% 7.9% Removable devices 3.5% 3.8% 5.2% Network folders 0.6% 0.6% 0.8% Percentage of ICS computers on which malicious objects from different categories were blocked Malicious scripts and phishing pages (JS and HTML) 12.9% 13.5% 17.3% Denylisted internet resources 9.5% 10.1% 13.2% Spy Trojans, backdoors and keyloggers 8.6% 7.1% 9.2% Malicious documents (MSOffice+PDF) 5.5% 4.5% 6.2% Worms 2.8% 2.5% 3.5% Viruses 2.4% 2.4% 3.2% Miners – executable files for Windows 2.3% 1.5% 2.7% Web miners running in browsers 1.8% 1.8% 2.5% Malware for AutoCAD 0.6% 0.6% 0.8% Ransomware 0.6% 0.4% 0.7% Global threat statistics

In H2 2022, the percentage of ICS computers on which malicious objects were blocked increased by 3.5 percentage points compared to the previous six-month period, reaching 34.3%. This was higher than the percentages for 2021 and even 2020.

Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

In H2 2022 the percentage of ICS computers on which malicious objects were blocked increased in the automotive industry (+4.6 p.p.) and in the energy sector (+1 p.p.). In other industries tracked, the percentage decreased.

Percentage of ICS computers on which malicious objects were blocked in some industries, H2 2022

Geography

In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.

Regions of the world ranked by percentage of ICS computers on which malicious objects were blocked, H2 2022

African and Central Asian countries were prevalent among the 15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked in H2 2022.

15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H2 2022

In the Top 10 ranking of countries with the lowest percentage of ICS computers on which malicious objects were blocked, all countries, with the exception of Israel, were European.

10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H2 2022

In H2 2022, the most significant increase among all countries in the percentage of ICS computers on which malicious objects were blocked was observed in Russia, where that percentage increased by 9 p.p.

Russia. Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

Variety of the malware detected

In H2 2022, Kaspersky security solutions blocked malware from 7,684 different families on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from different categories was prevented, H2 2022

Main threat sources

The internet, removable devices and email clients remained the main sources of threats for computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from different sources were blocked, 2021 – 2022

In H2 2022, a very significant growth in the percentage of ICS computers on which internet threats were blocked – 12 p.p. and 7.8 p.p., respectively – was recorded in the regions of Russia and Central Asia.

Regions ranked by percentage of ICS computers on which internet threats were blocked, H2 2022

As per tradition, Africa topped the ranking of regions based on the percentage of ICS computers on which malware was blocked when removable devices were connected.

Regions ranked by percentage of ICS computers on which malware was blocked when removable devices were connected, H2 2022

Southern Europe topped the ranking of regions based on the percentage of ICS computers on which malicious email attachments and phishing links were blocked. Northern Europe was the only region in which the percentage increased (+0.3 p.p.) in H2 2022.

Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2022

 

The full report has been published on the Kaspersky ICS CERT website.

Also, Royal ransomware metastasizes to other critical sectors, and this week's critical vulnerabilities

In Brief  If you can't join them, then you may as well try to beat them – at least if you're a talented security engineer looking for a job and you happen to be a woman. …

Investigations 'at risk' from sloppy surveillance uncovered by audit probe

The US Secret Service and Immigration and Customs Enforcement (ICE) agencies have failed to follow the law and official policy regarding the use of cell-site simulators, according to a government audit.…

'Understanding your inventory is absolutely No. 1' he tells The Reg

SCSW  On a scale of 1 to 10, 10 being the highest risk, Snap Chief Information Security Officer Jim Higgins rates software supply chain risk "about 9.9."…

Feds propose $7.8M payment and ban on revealing 'sensitive' data to settle complaint

Even if you don't know anyone who has used BetterHelp's services, podcast fans will recognize it from its annoying adverts for its online therapists. American regulators, however, allege the company's relationship with the advertising industry is more perverse than a mere irritating jingle, claiming it betrayed loyalties that should lie with customers by passing on their mental health info to Facebook, Snapchat and others.…

Wondering which cybercrime tools, techniques and procedures to focus on? How about any and all of them?

Crime-as-a-service vendors mix and match components as needed by client

A malicious package discovered in the Python Package Index (PyPI) is the latest example of what threat hunters from Kroll called the continued "democratization of cybercrime," with the bad guys creating malware variants from the code of others.…

Industry hasn't 'improved much at all' Mandiant's Eric Scales tells us

SCSW  Back in 2020, Eric Scales led the incident response team investigating a state-backed software supply-chain attack that compromised application build servers and led to infections at government agencies and tech giants including Microsoft and Intel.…

Proposal to break encryption to scan messages for abuse material challenged as illegal and unworkable

Europe's proposed "Chat Control" legislation to automatically scan chat, email, and instant message communications for child sexual exploitation material (CSEM) ran up against broad resistance at a meeting of the German Parliament's (Bundestag) Digital Affairs Committee on Wednesday.…