Experts Reveal Over 150 Ways to Steal Control of 58 Android Stalkerware Apps (Security News, May 2021)
A total of 158 privacy and security issues have been identified in 58 Android stalkerware apps from various vendors that could enable a malicious actor to take control of a victim's device, hijack a stalker's account, intercept data, achieve remote code execution, and even frame the victim by uploading fabricated evidence.
The new findings, which come from an analysis of 86 stalkerware apps for the Android platform undertaken by Slovak cybersecurity firm ESET, highlight the unintended consequences of a practice that is not only unethical but can also expose victims' private and intimate information and leave them at risk of cyberattacks and fraud.
Apps from nine different vendors are based on an open-source Android spyware called Droid-Watcher, with one vendor using a Metasploit payload as a monitoring app.
22 apps transmit users' personally identifiable information over an unencrypted connection to the stalkerware server, thereby permitting an adversary on the same network to stage a man-in-the-middle attack and change transmitted data.
17 apps leak client information through their servers, thus allowing a victim to retrieve information about the stalker using the device's IMEI number and creating an "opportunity to brute-force device IDs and dump all the stalkerware clients."
13 apps insufficiently verify data uploaded from a victim's phone, relying solely on the IMEI number to identify the device during communications.
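As an added illustration of that last finding (this is not code from ESET or from any of the apps in the report), the Python model below contrasts a server that trusts the IMEI field alone with one that requires an HMAC over each upload under a per-device secret issued at enrollment; all identifiers, keys and records are constructed.

```python
"""Added example (not ESET's code nor any app's): a toy server contrasting an
IMEI-only identity check with uploads carrying an HMAC under a per-device
secret issued at enrollment. All IDs, keys and records are constructed."""
import hashlib
import hmac
import json
import secrets

class ImeiOnlyServer:
    """Weak: the IMEI field is the only identity check, so anyone who learns it can upload as that device."""
    def __init__(self, enrolled_imeis):
        self.enrolled = set(enrolled_imeis)

    def accept(self, body: dict) -> bool:
        return body.get("imei") in self.enrolled


class SignedUploadServer:
    """Hardened: the device must prove possession of its enrollment secret."""
    def __init__(self):
        self.keys = {}

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)  # issued once, over an authenticated channel
        self.keys[device_id] = key
        return key

    @staticmethod
    def tag(key: bytes, body: dict) -> str:
        # canonical JSON so device and server MAC identical bytes
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(key, canon, hashlib.sha256).hexdigest()

    def accept(self, device_id: str, body: dict, tag: str) -> bool:
        key = self.keys.get(device_id)
        if key is None:
            return False
        return hmac.compare_digest(self.tag(key, body), tag)  # constant-time


def demo() -> dict:
    imei = "123456789012345"  # constructed placeholder, not a real IMEI
    forged = {"imei": imei, "event": "fabricated record"}
    strong = SignedUploadServer()
    key = strong.enroll(imei)
    genuine = {"imei": imei, "event": "genuine record"}
    good_tag = strong.tag(key, genuine)
    return {
        "weak_accepts_forgery": ImeiOnlyServer([imei]).accept(forged),
        "strong_accepts_genuine": strong.accept(imei, genuine, good_tag),
        "strong_accepts_forgery": strong.accept(imei, forged, strong.tag(b"guess", forged)),
        "strong_accepts_tampered": strong.accept(imei, forged, good_tag),
    }
```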