‘Rare’ stalkerware emerges with targets around the world

MonitorMinor “almost impossible to detect” and is capable of collecting victim phones' unlock screen passwords, new Kaspersky research finds.
(Flickr / Wiyre Media)

An app that’s marketed as a solution to keep children safe online includes such aggressive functionality that cybersecurity researchers warn it’s possible for stalkers to monitor victims in a way that is “almost impossible to detect.”

Researchers from Kaspersky on Monday explained that the “MonitorMinor” app bypasses so many controls meant to protect user information that it qualifies as stalkerware.

The term “Stalkerware” refers to a malicious class of software that quietly runs in the background on users’ phones, transmitting their location, messaging, and other data to outsiders. MonitorMinor, for instance, makes it possible for abusers to access victims’ social media information, SMS messages, and location.

MonitorMinor essentially bypasses normal controls, such as Discretionary Access Control, meant to keep outsiders from accessing messaging app data by gaining root access to a mobile system, according to Victor Chebyshev, a researcher at Kaspersky. As a result, attackers can escalate their privileges to obtain data from apps like Gmail, Instagram, Facebook, Skype and Snapchat, Chebyshev says.


Unlike previous apps, though, MonitorMinor could also be allowing stalkers to even physically unlock affected devices, by extracting a sensitive file (/data/system/gesture.key), which allows users to collect the hash sum for unlocking the screen. Stalkers can then use this to trick the phone into opening up, according to Kaspersky.

“[T]his app outstrips all existing software of its class in terms of functionality,” Chebyshev wrote in a blog post. “This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.”

The app paints a nightmare scenario for victims of stalkers or abusive partners who may suspect they are being monitored but who may not know for certain. This malware works to erase its tracks in a way that could prevent stalking victims from knowing they are in unsafe situations — or if they’re aware they’re being monitored, incapable of leaving their situation safely.

In this case, the app also is capable of looking like it was never installed in the first place, concealing to stalking victims that they are being monitored.

“The conceptual difference between parental control software and stalkerware is that they function in a different manner,” Chebyshev told CyberScoop. “Parental controls or services that truly have that legitimate focus would never hide its activity, and would notify a user that his or her data has been requested by a third party. Stalkerware has mechanisms that allow the app to remain hidden on the phone, making it hard to notice. This includes hiding the icon of the stalkerware app in the phone menu and even deleting its own logs and cleaning any traces it has made.”


MonitorMinor can also capture keystrokes, view real-time video, record audio, access browsing history, and view app usage statistics. It may also view contacts lists and contents of victim devices’ internal storage.

The app can be downloaded from a MonitorMinor website, but it is not available in Google Play or the Apple Store, an indication to Chebyshev that the software may be too intrusive to meet those marketplace’s privacy standards.

Insufficient controls

NortonLifeLock, a member alongside Kaspersky in the Coalition Against Stalkerware, a group of software companies and human rights groups that joined together last year to combat stalkerware akin to MonitorMinor, says the way the app conceals itself shows it is ripe for abuse.

“While MonitorMinor does not openly encourage spying on romantic partners, its highly covert nature seems designed to encourage such behavior,” Kevin Roundy, a research director at NortonLifeLock, told CyberScoop.


The app warns users they “must notify users of the mobile phone that they are being monitored by MonitorMinor,” but that puts the onus on the user to abide by its disclaimers and notices, without any guarantee they are being followed.

“We try our best and regularly take steps to avoid any misuse of product,” MonitorMinor said in an emailed statement to CyberScoop. “[A] recent example of that is ‘asking confirmation of purpose’ along with aggressive response policy towards ‘Violation/abuse’ report[s] and many more.”

MonitorMinor said their product is “designed for Parental Monitoring only [for those] who want to keep their children safe, we have some use cases of parents who have got success [in keeping] their children away from falling in[to] drug[s].”

That, Chebyshev says, is not enough to prevent stalking.

“Even if an app is not meant to be a spying or stealth monitoring app, if it could be installed and then run without any notifications to the user, there is potential for misuse,” Chebyshev told CyberScoop.


Suggesting there are limits to how spyware can be deployed is the same kind of argument many software surveillance companies make to distance themselves from allegations their spyware has been abused. Israeli surveillance firm NSO Group, currently embroiled in a lawsuit with WhatsApp over allegations NSO Group malware was inappropriately used to target thousands of WhatsApp users last year, has consistently claimed, for instance, that its “only customers” allowed are nation-states using its spyware for legitimate law enforcement activities like combatting terrorism.

Bottom line, the controls in MonitorMinor are insufficient to deter malicious activity, Roundy says.

“[MonitorMinor] can turn an unsuspecting victim’s phone into a spying device,” said Roundy. “It goes to great lengths to ensure that the phone’s primary user is unaware of its presence.”

Worldwide abuse

The stalkerware is being installed most frequently in India and Mexico, where nearly 15% and 12% of the installations of this stalkerware have taken place, respectively.


A Gmail account associated with an Indian name is weaved into MonitorMinor, “which hints at its country of origin,” according to Chebyshev — however there are also control panels in Turkish and English, so the origins of the app remain obfuscated.

Installations are happening around the world as well, according to Kaspersky. Nearly 6% of installations occurred in Saudi Arabia, the U.K., and Germany each. Nearly 3% of installations are in each of the U.S., Canada, Argentina, Australia, Indonesia, Malaysia, Romania, Spain, Turkey, Iraq, Uzbekistan, Kenya, Cameroon, and Benin.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts