Google Purged Almost 1,000 Abusive ‘Creeperware’ Apps. Now Some Are Coming Back.
In June 2019, a group of cybersecurity researchers notified Google of more than 1,000 potentially malicious apps on the company’s Play Store that can be used to surveil, monitor, and harass users. Their findings, which have not previously been reported, eventually led to one of the largest ever mass removals of Android apps.
Less than a year later, there are signs that the “creeperware,” as the researchers called it, is returning. The label comprises a broad category of abusable apps, including tools for spying, spoofing phone numbers, and secretly recording video and audio. Some of those programs banned by Google have now rebranded or added disclaimers and returned to the Play Store. Meanwhile, new programs with overtly abusive purposes have slipped through the company’s automated monitoring systems.
The initial 1,095 apps flagged by researchers came in a variety of forms. Catch Cheating Spouse and its ilk offered stalkerware packages: Once installed on a victim’s phone, the user could track the device’s location, read messages, listen to calls, remotely record through the microphone, or log passwords.
Many of the programs had innocuous names but hostile purposes. Spoof Text Message, for example, advertised itself with a video using the tagline “Don’t like your buddy’s girlfriend? Well, break them up!” Others, like GirlFriend Cell Tracker, were more explicit in their motivation.
“When we reported these apps to Google initially, it felt like they didn’t really know what to do with them,” said Kevin Roundy, the technical director of NortonLifeLock’s research group, and one of the lead members of the team that uncovered the malicious apps last June.
At first, Roundy said, Google determined that many of the apps didn’t violate the Play Store guidelines, and declined to remove them. Then researchers sent follow-up emails quoting the guidelines’ rules against these sorts of apps. These rules explicitly state, for example, that advertising an app as a pranking tool, as many of the spoof number apps did, does not excuse deceiving users.
In the end, Google removed 813 apps from the Play Store, according to the researchers’ paper, which is scheduled to be presented at a virtual IEEE symposium on May 19. The purge is one more example of Google’s years-long struggle against apps that enable spying, harassment, and, in some cases, domestic violence.
Compared to the tightly controlled Apple iOS ecosystem, Android’s open nature has made it ground zero for the problem. Apple tightly restricts the capabilities of any third-party apps available on its App Store, and anyone wishing to install a program not directly from the App Store must first jailbreak an Apple device, which has become increasingly difficult in recent years.
Google allows developers much more leeway on its operating system, leading to questions that could affect its bottom line: How strictly should the company police the Play Store, and how does the company balance creative freedom for developers against the risk of those same developers making surveillance tools that can be used for domestic abuse?
OneZero requested an interview with Google and sent the company a list of specific questions regarding creeperware on its platforms. Through a spokesman, Google declined to answer the questions. The spokesman instead provided links to the company’s policies and a series of previously issued talking points. He highlighted Google’s donations to domestic violence prevention organizations like Refuge, a British nonprofit, and sent a link to an employee-authored 2017 paper on best technology and privacy practices for abuse survivors.
Google automatically scans all apps submitted to the Play Store for “potentially malicious code as well as spammy developer accounts,” the spokesman told OneZero. “If users come across any apps that are in violation of our developer policies, we encourage them to report it to our support team.”
Google may scan for malicious code, but its current system is missing other obvious indicators of creeperware.
Take two apps that are currently available on the Play Store: Device Tracker, which was last updated January 6 and has more than 5,000 downloads, and Catch a Cheating Spouse, which was last updated April 9 and has more than 10,000 downloads. Catch a Cheating Spouse does not appear to be related to Catch Cheating Spouse, an app Google removed from the Play Store.
Both apps are offered by the developer Spy Tracking Apps, and the reviews — many of which display the hallmarks of fake, developer-placed content — are filled with customers raving about using the apps to remotely monitor intimate partners.
The presence of such apps on the Play Store raises questions about what the company is willing to tolerate on its platform.
“They’re thinking, certainly, about a series of trade-offs: If they adjust their policies one direction, then it could begin to implicate a large number of other applications in their store,” says Adam Molnar, a University of Waterloo professor and co-author of a 2019 Citizen Lab study on stalkerware. “I suspect that Google is thinking about this: What types of other apps would get caught up in a policy change designed to catch more consumer spyware?”
The team that uncovered the 1,095 creeperware apps last year — which included NortonLifeLock analysts and researchers from Cornell Tech and New York University — used CreepRank, a custom-built algorithm that analyzed an anonymized database of apps installed on 50 million Android devices to identify apps commonly installed alongside known stalkerware.
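The co-installation idea behind CreepRank can be illustrated with a small, self-contained scorer. The code below is an added example, not the article's and not the published CreepRank algorithm: it assumes a handful of constructed device records (placeholder package names, not real telemetry), a seed set of apps already known to be stalkerware, and a simple shrunk conditional-probability score rather than whatever ranking the paper actually uses.

```python
from collections import Counter

# Constructed sample telemetry (not real data): device id -> installed package names.
# Package names are placeholders, not real apps.
DEVICES = {
    "d01": {"com.ex.stalk1", "com.ex.gftracker", "com.ex.spooftext", "com.ex.maps"},
    "d02": {"com.ex.stalk1", "com.ex.gftracker", "com.ex.maps", "com.ex.chat"},
    "d03": {"com.ex.stalk2", "com.ex.gftracker", "com.ex.spooftext", "com.ex.bank"},
    "d04": {"com.ex.stalk2", "com.ex.spooftext", "com.ex.maps"},
    "d05": {"com.ex.stalk1", "com.ex.stalk2", "com.ex.gftracker", "com.ex.family"},
    "d06": {"com.ex.maps", "com.ex.chat", "com.ex.bank"},
    "d07": {"com.ex.maps", "com.ex.chat", "com.ex.family"},
    "d08": {"com.ex.maps", "com.ex.bank", "com.ex.family"},
    "d09": {"com.ex.spooftext", "com.ex.maps", "com.ex.chat"},
    "d10": {"com.ex.family", "com.ex.chat"},
}

# Seed set: apps already known to be stalkerware (placeholders, an assumption).
SEEDS = {"com.ex.stalk1", "com.ex.stalk2"}


def coinstall_scores(devices, seeds, prior_weight=2.0):
    """Score each non-seed app by how often it shares a device with a seed app.

    Raw estimate: P(seed present | app present) = k / n, where n is the number
    of devices carrying the app and k the number of those also carrying a seed.
    An app seen on a single device would score exactly 1.0 or 0.0 from one
    observation, so the estimate is shrunk toward the population base rate
    with `prior_weight` pseudo-devices: (k + w * base) / (n + w).
    Returns {app: (score, lift, n)} where lift = score / base_rate.
    """
    n_devices = Counter()
    n_with_seed = Counter()
    seed_devices = 0
    for apps in devices.values():
        has_seed = bool(apps & seeds)
        seed_devices += has_seed
        for app in apps - seeds:
            n_devices[app] += 1
            if has_seed:
                n_with_seed[app] += 1
    base_rate = seed_devices / len(devices) if devices else 0.0
    out = {}
    for app, n in n_devices.items():
        k = n_with_seed[app]
        score = (k + prior_weight * base_rate) / (n + prior_weight)
        lift = score / base_rate if base_rate else 0.0
        out[app] = (score, lift, n)
    return out


def rank_apps(devices, seeds, prior_weight=2.0, min_devices=2):
    """Return [(app, score, lift, n)] sorted by score, dropping rarely seen apps."""
    scored = coinstall_scores(devices, seeds, prior_weight)
    rows = [(app, s, lift, n) for app, (s, lift, n) in scored.items() if n >= min_devices]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for app, score, lift, n in rank_apps(DEVICES, SEEDS):
        print(f"{app:20s} score={score:.3f} lift={lift:.2f} devices={n}")
```

On the constructed data the tracker and spoofing apps rise to the top because they appear almost exclusively on devices that also carry a seed app, while a widely installed maps app scores near the base rate. Scores alone are a triage queue, not a verdict; the candidates still need a human look at the app's listing and behaviour, as the researchers did.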
Among the most prominent categories of creeperware, they discovered, were child-tracking apps and phone number spoofers. Some apps openly advertised the ability to keep tabs on intimate partners or harass them. Others did not, but the data suggested they were being applied for those purposes.
The tools can have devastating effects when misused. Rachel Gibson, a senior technology safety specialist with the National Network to End Domestic Violence, points to an example of one survivor she worked with in Florida, who missed multiple custody hearings because her abuser was spoofing a state court number to send text messages rescheduling the hearings.
When apps that advertise themselves for malicious purposes are caught, they frequently rebrand, add a disclaimer to the bottom of their description, and return to the Play Store, researchers say.
This is a popular strategy among GPS trackers. One such app currently on the Play Store, Family Locator (Safe Zone), used to go by a different name: Girlfriend Cell Tracker. The CreepRank study found it to be among the apps commonly installed alongside overtly abusive programs.
“In an ideal world, [Google] would have known about these issues already, but it’s an immense challenge even for the platform operators,” says Tom Ristenpart, an associate professor and researcher with Cornell Tech’s and New York University’s joint intimate partner violence and technology research group. “This confusion really touches on some of the inherent ambiguity in terms of setting up clear policy guidelines for apps.”
Apple’s App Store also offers family trackers, but some of the most nefarious stalkerware capabilities possible on Android — running secretly in the background, keylogging, reading messages without permission — have been impossible to incorporate into an app for an Apple device that isn’t jailbroken.
“Android OS offers many API functions to [remotely] access private information such as location access, camera access and microphone access,” Victor Chebyshev, the research development team lead at Kaspersky, wrote in an email to OneZero. “Additionally, on Android, there is the ability to easily install applications from third parties [without using the official Google Play store], while on iOS, it’s a complicated process for user and for developer.”
That distinction is important. Unlike on iOS, users are able to download Android APK files from the open web, thereby installing apps that are unavailable on the Play Store — sometimes putting themselves at significant risk inadvertently.
From January to August 2019, Kaspersky’s antivirus software detected stalkerware on 518,223 Android devices — a 373% increase over the same period in 2018. The vast majority of stalkerware comes from sources outside the Play Store, such as alternative app stores or independent websites, according to Kaspersky.
Google’s position as the dominant search engine further entangles it in the problem — its algorithms are very good at finding what a searcher wants, even if that means tools for abusive partners.
For a time, the Google search engine even elevated paid advertisements for tools that weren’t permitted in its own Play Store when someone searched suggestive phrases like “spy on my spouse” or “monitor girlfriend,” said Periwinkle Doerfler, a doctoral candidate who tracked the advertisements as part of Cornell Tech’s and New York University’s joint intimate partner violence and technology research group.
Google attempted to end that practice after the research group brought it to the company’s attention, and it altered the Play Store’s search function so that certain terms no longer return results. But on the main search engine, phrases such as “app to remotely spy android” still deliver paid advertisements for apps that violate Play Store policies. And the engine elevates featured snippets, which are essentially unpaid advertisements, about stalkerware to the top of results pages even though it is against the company’s policies for featured snippets to promote dangerous goods or services.
“The main point of disagreement between myself and Google on this is that their policies on the Play Store say you can’t put apps on the Play Store that do x, y, z,” Doerfler said. “From a technological perspective, there’s no reason why the Android operating system itself could not just make it impossible for the apps to do these things.”
Google’s attempts to curtail stalkerware capabilities from within Android have had limited success.
It tried to crack down on apps that abuse certain accessibility features of Android’s permission system, but, Roundy said, the efforts “have not reduced use of the accessibility feature by stalking apps that market directly to consumers or that have been banned from Google Play but live on in third-party app stores.”
With the release of Android 10, which is not yet available on all devices and carriers, Google eliminated a mechanism some creeperware used to hide their icons, and therefore their presence, on phones. Other methods, such as camouflaging an app with a misleading icon, remain possible, although they are against the Play Store rules.
Google also introduced Play Protect, which scans for and blocks the installation of malicious apps, including those downloaded from outside the Play Store, but it can be disabled by anyone with access to the phone. Many stalkerware sites’ instructions include the steps for disabling Play Protect.
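Because the accessibility abuse described above survives Google's crackdown, one check a practitioner can run on a device being examined is to list which apps have an accessibility service enabled. The code below is an added example, not from the article or from Google: it parses the value of the secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/class` component names, with `.Class` shorthand for a class inside the package) and flags any package that is not on a reviewer-maintained allowlist. The sample setting string, the placeholder package names and the allowlist are constructed assumptions.

```python
# Constructed sample of `settings get secure enabled_accessibility_services` output.
# The `com.ex.*` packages are placeholders, not real apps.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.ex.familylocator/.MonitorService:"
    "com.ex.keyboard/.AccessibilityIME"
)

# Assumed allowlist of packages a reviewer has already vetted on this device.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility_services(setting):
    """Parse the colon-separated component list into (package, class) pairs.

    The setting is 'null' or empty when no service is enabled; a class that
    starts with '.' is shorthand for a class inside the same package.
    A malformed entry without '/' is kept with an empty class so it stays
    visible instead of silently disappearing from the listing.
    """
    if not setting or setting.strip() == "null":
        return []
    services = []
    for item in setting.strip().split(":"):
        if not item:
            continue
        pkg, sep, cls = item.partition("/")
        if not sep:
            services.append((pkg, ""))
            continue
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_accessibility_services(setting, allowlist):
    """Return the enabled services whose package is not on the allowlist."""
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_accessibility_services(setting)
        if pkg not in allowlist
    ]


if __name__ == "__main__":
    for pkg, cls in unexpected_accessibility_services(SAMPLE_SETTING, ALLOWLIST):
        print(f"review: {pkg} has accessibility service {cls or '<malformed entry>'} enabled")
```

A flagged package is a lead, not proof: a keyboard or screen reader legitimately needs the service, while a "family locator" with an enabled accessibility service on a device the owner did not configure deserves a closer look. An empty result does not clear the device either, since a disabled Play Protect or an app installed from outside the Play Store leaves no trace in this setting.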
“[Google has] taken this surface-level action in response,” Doerfler said. “And I appreciate that they did that, but I think to have some structural, long-lasting impact, it’s pretty important that they change the operating system.”