FacebookTwitterLinkedIn

Google Removes Creepware Apps from Play Store

Recently several publications began reporting on Google’s successful removal of 813 creepware apps from its app store. Creepware is often seen as a stalker-like application generally seen installed on smartphones and other mobile devices, a better definition will be presented below. Creepware in the past has been marketed as an anti-theft application to track stolen phones but in reality, the application can be used to track and trace victims, fundamentally allowing someone to stalk someone else. When compared to spyware, they are not as fully featured as their cousins such as LightSpy. Well, not as fully featured they still allow damage and trauma to be carried out by perpetrators.

Google was able to remove that many apps based on an algorithm developed by a group of academics which was later published in a research paper. The paper titled “The Many Kinds of Creepware Used for Interpersonal Attacks” was published in 2019 with Google managing to implement their algorithm last year as well to clamp done on the nefarious activity. Those behind the paper, academics from New York University, Cornell Tech, and NortonLifeLock, developed the algorithm with the specific purpose of detecting creep-like behaviors within apps and then ranking them.

The ranking system has been termed CreepRank which is capable of identifying apps with features that can be abused to extract SMS messages from a device, spoof another user's identity in IM/SMS chats, launch denial-of-service attacks, hide other apps, control access to other apps, track location. Apps implementing these features may not be inherently creepware, sometimes also referred to as spouseware, but can still be used to conduct abusive acts. Further, they could be combined with other apps with far more intrusive features for the sole purpose of meeting the needs of the perpetrator, continuing a cycle of abuse.

google removes creepware apps

After developing the algorithm, the research team used it to detect real-world apps that are used and may be used, for stalker-like purposes. Data was provided by NortonLifeLock which in turn came from devices running the Norton Mobile Security mobile antivirus. The process for scanning and ranking apps found on these devices described as,

“We designed CreepRank for anonymized data about billions of app installations on 50 million mobile devices over years of data. We quickly discovered that people who install one abusive app are likely to install many others as well. Latching onto this observation, we designed CreepRank around the insight expressed in the old Spanish proverb, “Tell me who your friends are and I’ll tell you who you are.” Accordingly, we applied CreepRank to millions of apps installed on 50 million phones, ranking each app according to its propensity to be installed alongside known abusive apps. The higher the CreepRank, the more likely the app is to be used for abusive purposes. A manual examination of the apps with the highest CreepRanks revealed well over 1000 apps used for a variety of malicious purposes.”

Types of Surveillance

Of the 50 million devices scanned a Top 1000 list was generated that pointed researchers in the direction of apps they should be paying particular attention to. Of those 1000 it was discovered 857 of those qualified as creepware with stalker-like functions appearing within the app and sometimes in the app's marketing material. From these 857 creepware apps a wealth of information was gathered as to how these apps operate as well as their features. The most common form of creepware can be described as surveillance apps able to track their locations, phone use, texts, and more. While these are certainly an unwarranted invasion of privacy the sad truth is that apps like this are used to stalk victims and can lead to intimate partner violence. Of the 857 apps, 114 enabled spoofing and 63 apps had hacking tutorials to further encourage stalker behavior. Other common features found were,

“…apps [that] can spy on another person's texts by uploading them to the cloud, and then reading them. Some track people’s precise locations or use geofencing to alert a stalker that the victim has left the house. Some can read people’s call logs or record people’s calls and forward them to the harasser. Others can remotely turn on the microphone on a victim’s phone, record whatever is happening, and forward that to the stalker.”

NortonLifeLock and other antivirus vendors founded an organization to fight the rising prevalence of creepware and other apps that further stalker-like behavior. Called Coalition against Stalkerware its members include Avira, the Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence (WWP), G DATA CyberDefense, Kaspersky, Malwarebytes, National Network to End Domestic Violence (NNEDV), NortonLifeLock (formerly Symantec), Operation Safe Escape, and the WEISSER RING. Around the time the coalition was formed Kaspersky published a report detailing the state of stalkerware for the year 2019, some of the findings were alarming and certain highlight the problem of these apps. Key findings of the report include:

  • From January to August 2019, around the world, there were more than 518,223 cases when our protection technologies either registered presence of stalkerware on users’ devices or detected an attempt to install it – a 373% increase in the same period in 2018
  • In the first eight months of 2019, 37,532 users encountered stalkerware at least once. This is a 35% increase from the same period in 2018 when 27,798 users were targeted
  • The number of users targeted by full-throttle spyware detected as Trojan-Spy reached 26,620 the first eight months of 2019, which makes it a minority compared to the number of users who encountered stalkerware
  • The Russian Federation remains the most prominent region for stalkerware globally, accounting for 25.6% of potentially affected users, in the first eight months of 2019. India is in second place with 10.6% of affected users, and Brazil is in third place (10.4%). The United States hold forth place with 7.1%
  • When it comes to Europe – Germany, Italy, and the UK hold the top three places respectively

Defining CreepWare

The data sets used in the researcher’s paper dated back to 2017, this was about the same time that security firms started taking notice of what was to become known as creepware. As a working definition for creepware researchers suggested,

“Creepware is a Remote Access Trojan (RAT) that lets people hack into your computer or mobile device and control it from a distance. The most famous examples of this are using a device’s camera and microphone to watch and listen to victims. This type of spyware allows hackers, cybercriminals or online creeps to spy on your family or use recorded material for illegal purposes.”

Creepware can be further split into subcategories including spouseware and stalkerware. These sub-variants are seen as apps that abusive spouses or partners install on their partner's phone without their knowledge or consent. They contain features that allow the abuser to track their significant other's geographical location, web browsing habits, social media activity, log keystrokes inside instant messaging apps, retrieve photos, or even record audio and video without the owner's knowledge. From that description, it is clear to see why they have been lumped together with creepware.

The difference seems to be who installs the malicious app rather than the outcome of the app. While apps exist for both smartphones and desktops, the problem is most prevalent in impacting smartphones. One of the reasons for this is down to the prevalence of smartphones amongst the population. It simply takes a jealous lover to install one of these malicious apps onto the partner’s device for another victim to become a statistic.

Before the coalition mentioned above was formed it is safe to say that the problem posed by these apps was not adequately addressed by security firms as for many the focus would be on financially motivated cybercrimes and the tracking of APT groups. It was not until Eva Galperin led a one women crusade to not only shine a light on the issue but actively combat it did she start receiving help from some of the sector's bigger enterprises. Both the work she tirelessly carried out and those behind the CreepRank algorithm seem to be having a positive effect. It is hoped in the future the horrid statistics mentioned above make way for statistics showing how many people were prevented from becoming victims. NortonLifeLock plans to incorporate the CreepRank algorithm into its mobile security offerings. It is hoped other security firms follow suit.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal