Google will remove stalkerware apps from its app store following a policy update to its software developer program. The alphabet-owned company notified developers that all user tracking apps must include adequate notice or consent and show persistent notifications that the user activity was under surveillance.
Stalkerware apps that fail to comply with the new requirements will be removed from Google’s Play Store.
Banned categories of user tracking and stalkerware apps
Google defined stalkerware apps as software applications that transmit personal information from the device without adequate notices or consent. Additionally, such apps do not provide persistent notifications that the user’s activity was being monitored. Such apps will no longer be allowed on the play store. Developers have until Oct 1 to comply with the new requirements.
Only user tracking apps designed and marketed for parental monitoring or enterprise management can be distributed on the Play Store with tracking and reporting features.
The tech giant warned that such apps should not be used to track adults without their consent. This exemption created an opportunity for stalkerware apps to be marketed as “family friendly” user tracking solutions. Google did not provide a solution to prevent stalkers from using apps to pry on their victims.
Stalkerware apps purporting to aid spying or provide a secret surveillance solution, such as stealth audio recording, dash cams, or nanny cameras, will also be illegal. Additionally, apps that cloak their tracking behavior or mislead users about their true intentions are also prohibited.
By Oct 21, Google will also remove apps that engage in coordinated activity with other apps, sites, developers, or accounts to conceal their identity.
User tracking apps are a threat to the safety of domestic violence victims. The cybersecurity firms, Kaspersky and Avast, reported that user tracking apps’ use rose by over 50% during the coronavirus lockdown period.
Coincidentally, incidents of domestic violence soared while most employees adopted remote work. Companies could also have relied on user tracking apps to snoop on their employees.
Similarly, jealous or abusive partners potentially used the apps to spy on their spouses, especially those working in the essential industries such as healthcare.
Risks associated with user tracking apps
The Electronic Frontier Foundation (EFF) labeled such apps as key contributors to domestic and gender-based violence.
Most stalkerware apps adopt various cryptic behaviors, such as hiding icons or masquerading as different apps to cloak their true intentions. Spouses, friends, employers, or even strangers secretly install them to access the device’s data without the user’s consent or knowledge.
Although perfectly legal, stalkerware apps are mostly used for illegal surveillance. The Federal Trade Commission (FTC) banned MobileSpy, PhoneSheriff, and TeenShield stalkerware apps developed by Retina-X.
These user tracking apps spied on their targets using calls, SMS, and GPS location data. The FTC said the apps ran “surreptitiously in the background” and were suited for illegal activities. Hackers also breached the servers used by the developer to store users’ data.
Researchers also raised the alarm over another stalkerware app called “Monitor Minor.” The app allowed the stalker to capture the unlock codes, spy on social media accounts such as Instagram, Skype, and Twitter.
The FTC said it would allow the banned apps back to the market if the developers could guarantee that they would not be used for illegal purposes. The agency noted that the developers would be held accountable for marketing dangerous products.
Christoph Hebeisen, Director, Security Intelligence Research at Lookout, lauded Google for banning the apps. He said that the use of mobile surveillance technology in domestic abuse was rampant.
“Lookout has always been alerting users about surveillanceware independent of the stated purpose of the app, i.e., the same rules apply to child tracking and device theft protection apps. We consider such apps malicious if the app doesn’t show a persistent notification, hides its icon, masquerades as something other than its true functionality, or hides a part of its functionality. We apply this logic no matter if the app has been loaded from an official app store or sideloaded onto the device.”