Skip to main content

These Android apps are spying on you — and there’s no easy way to stop them

Android’s security woes need no introduction, but another threat that hasn’t received its fair share of awareness relates to spyware and stalkerware apps. These apps can secretly be installed on a victim’s phone to monitor their activity and can be exploited to harass victims of domestic abuse and engage in online stalking. All someone needs is physical access to the victim’s phone to install these apps, which is not too difficult in cases of domestic abuse.

Call it an app-fueled version of AirTag stalking, but on steroids, because these spyware apps can steal everything including messages, call logs, emails, photos, and videos. Some can even activate the microphone and the camera, and secretly transfer these recordings to a remote server where the abuser can access it. Since Google Play’s policies don’t allow stalking apps, these apps are sold via third-party websites and need to be sideloaded.

Illustration of a person peeking through a phone
Generated using Dall-E 2 / OpenAI

As dangerous as it all sounds, the situation is even more grim due to the lack of of defense mechanisms on Android phones, especially for folks that aren’t particularly tech-savvy. A collaborative research effort led by Alex Liu from the University of California, San Diego, studied 14 stalkerware apps that are readily available from third-party online websites — and found them loaded with some extremely worrying capabilities.

An unprecedented scope of damage

In terms of their basic capabilities, these apps were able to access calendar entries, call logs, clipboard entries, contacts, information pulled from other applications installed on the victim’s phone, location details, network information, phone details, messages, and media files.

A majority of these apps were also able to secretly access the camera feed and the microphone for multimedia capture, taking screenshots via a remote command and even accessing protected data. But that’s not where the horror tale ends.

Screenshot of app library on an Android phone
The Wi-Fi icon at the top of the app library is bogus. That’s how some spyware apps hide in plain sight. UC San Diego

Eleven of the studied apps tried to obscure the process of uninstalling them, while every single one of the spyware apps came coded with a “die-hard” functionality that allowed it to automatically start after a reboot or after memory clearance by the Android system. Such apps are known to disable the “Force Stop” and “Uninstall” buttons in some cases.

One would think that a quick look at the app launcher would alert the victim about any suspicious apps installed on their phones. But that privilege is not really available to victims of these spyware apps, which can cost anywhere between $30 to $100 with a subscription model.

Hiding, manipulating, and playing the system

Illustration of a woman looking through a phone
Generated using Dall-E 2 / Digital Trends

Liu, lead author of the research paper, told Digital Trends in an interview that most of these apps try to hide or use “innocent” names and iconography to avoid suspicion. For example, 11 out of the 14 spyware apps tried to hide in plain sight under the guise of apps with names like “Wi-Fi,” “Internet Service,” and “SyncServices,” complete with believable system icons to help avoid any suspicion.

Since these are core services for a phone, a lot of users won’t want to engage with them out of fear that it would break the corresponding systems on their phone. But there’s more to the threat factor here. “We’ve also seen advanced cases where these apps are able to hide on the app screen or the app launcher,” Liu said.

Some of these apps actively tried to hide the application icon after being installed so that the victim would never guess that surveillance software was active on their phone. Moreover, most of these apps, despite running in the background and abusing Android’s permissions system, don’t appear on the recent apps screen.

“If you don’t see it, how do you know.”

Digital Trends asked Liu if these spyware apps that are secretly running in the background, collecting sensitive personal information, can pop up in the so-called cleaner apps that advise users to uninstall apps they haven’t used in a while. Liu, who is going to present the findings at a conference in Zurich this summer, says the team didn’t explore that possibility.

However, chances are slim that these storage cleaner apps would flag the spyware apps as redundant because these apps are always running in the background and won’t be flagged as inactive. But the sheer ingenuity that some of these apps employ is the stuff of privacy nightmares.

Sneaky, risky, and extremely leak-prone

Illustration of a person sprying on other person using a phone
Generated using Dall-E 2 / OpenAI

When you launch the camera in any app, you see a preview of what’s in front of the camera. Some of these apps shrink the preview size to 1×1 pixel or even make the preview transparent, which makes it impossible to detect if a stalking app is recording a video or sending the live view to a remote server.

Some of these don’t even show a preview, directly capturing the video and transmitting it secretly. One of these apps, called Spy24, uses a secret browser system to stream full-resolution camera footage. Phone call and voice recording is also a fairly common trait among these applications.

The studied stalkerware apps were also found to abuse the accessibility settings on Android. For example, users with visual or hearing impairment have the phone read out the on-screen contents. This loophole allows these apps to read content from other apps running on the screen, extract data from notifications, and even avoid the read receipt trigger.

The spyware apps further abuse the accessibility system for keystroke logging, which is a common way to steal sensitive information such as log-in credentials for wallets and banking systems. Some of the apps that were studied relied on an SMS system, which involves the bad actor sending an SMS to activate certain functionalities.

But in a few cases, not even an activation SMS was needed to do the job. One of the apps (called Spapp) is capable of remotely wiping all the data on the victim’s phone using just an SMS. A hacker can send random messages with different passcode combinations to do it, even without the abuser knowing it, which further compounds the risk factor.

Illustration of people standing on a phone's screen
Generated using Dall-E 2 / Digital Trends

While these readily available spyware apps are dangerous on their own, another aspect that raises concern is their weak security when it comes to storing stolen personal information. A healthy bunch of these apps transmitted the data over unencrypted HTTP connections, which means a bad actor can eavesdrop on the Wi-Fi network and gain access to all of it.

Six of the apps stored all the stolen media in public URLs, assigning random numbers to the data packets. A hacker could play with these random digits to steal data associated with not just one, but multiple accounts deployed across different devices for spying on random victims. In some cases, the spyware apps’ servers continue to harvest data even after the subscription license is expired.

What can you do?

So, how can a regular smartphone user avoid becoming the next victim of these spyware apps? Liu says that would require proactive action because Android doesn’t have any automated system to alert you about spyware apps. “There is no definitive way of knowing if there’s something wrong with your phone,” Liu stresses.

However, you can look for certain signs. “These apps are continuously running in the background, so you would come across abnormally high battery usage,” Liu tells me. “That’s how you know something might be wrong.” Liu also highlights Android’s sensor alert system, which now shows an icon at the top when the camera or mic is being used by an app.

Liu, who is a Ph.D. student at the university’s computer science department, says that if your mobile data usage has suddenly gone up, that’s also a sign that something is wrong because these spyware apps are constantly sending large packets of data, including media files, emails logs, etc. to a remote server.

Mic and camera access toggles on an Android phone
Android 12 added these quick toggles for mic and camera control, alongside indicators at the top when an app is using them. Image used with permission by copyright holder

Another foolproof way of finding these shady apps, especially those that hide from the app launcher, is to check the list of all apps installed on your phone from within the Settings app. If you see any apps that look suspicious, it makes sense to get rid of them. “You should go through every app and see if you recognize them or not. That’s the ultimate solution because no app can hide there,” Liu adds.

Finally, you also have the Privacy Dashboard, a feature introduced with Android 12, that lets you see all the permissions granted to each app. For privacy-conscious users, it is advisable to revoke the permissions that they think a certain app shouldn’t have in the first place. The Quick Settings panel, which can be accessed by swiping down from the top edge, lets users disable mic and camera access if any app is using those permissions in the background.

“But at the end of the day, you require some technical expertise,” Liu concludes. That’s not how the situation should ideally be for hundreds of millions of Android smartphone users. Liu, and the rest of the team behind the research paper, have a list of guidelines and suggestions for Google to ensure that Android offers a higher degree of protection to users against these spyware apps.

Editors' Recommendations

Nadeem Sarwar
Nadeem is a tech journalist who started reading about cool smartphone tech out of curiosity and soon started writing…
TikTok just launched a new way for you to make money on the app
Person's hand holding a smartphone with TikTok's logo on screen, all in front of a blurred background.

There are already a handful of ways for content creators to make money using TikTok, but now the app is adding a brand new way for creators to monetize their content with the newly introduced TikTok Series.

Announced today in a TikTok blog post, Series are the same types of videos you'd normally find on the app, but they are hidden behind a paywall that individual creators can set. This means that delivering premium content on TikTok is easier than ever before for both creators and their audiences.

Read more
Our 5 favorite iPhone and Android apps by Black developers
An iPhone with apps from Black developers downloaded on it.

As we wrap up the celebration of 2023's Black History Month, it remains important to recognize and appreciate the contributions that Black people have made in various fields, including technology and the smartphone apps we use every day. From social media platforms to productivity tools, Black developers and other people of color have worked hard to create innovative, useful, and just plain fun apps.

Here, we're focusing on five helpful apps developed by Black people that you should check out. These iPhone and Android apps range from ones that help you discover and support Black-owned businesses to ones that provide legal assistance in case of an emergency to ones that curate and highlight sources of news and entertainment by Black creators.
We Read Too

Read more
SMS 2FA is insecure and bad — use these 5 great authenticator apps instead
Twilio Authy 2FA app running on an iPhone.

You probably have what seems like a million accounts across the internet these days, right? At least, that’s what it feels like for me — with all these social media, email, and banking accounts, plus digital storefronts, and more. Regardless of where I access these from, whether it’s my iPhone 14 Pro or my Samsung Galaxy S23 Plus, or even my Mac, the first step is to make sure that I have a strong and secure (preferably randomly generated) password. But for extra peace of mind, everyone needs to look into two-factor authentication (2FA) to really keep people out.

Recently, Twitter has made the news yet again because it’s forcing everyone who uses SMS 2FA to either remove it from their account or subscribe to Twitter Blue to keep it. SMS 2FA is when you get a code sent as an SMS to your phone, and while it's convenient, this is the least secure 2FA method available. SMS 2FA is susceptible to numerous vulnerabilities, including SIM swapping (where someone takes over a mobile phone number by convincing a carrier to link that number with the SIM card), SIM duplication attacks, and more.

Read more