"Full access to someone’s phone is essentially full access to someone’s mind," says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. "The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge."
In an urgent talk, she describes the emerging danger of stalkerware -- software designed to spy on someone by gaining access to their devices without their knowledge -- and calls on antivirus companies to recognize these programs as malicious in order to discourage abusers and protect victims.
Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she's calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She'll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn't allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she'll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. "It would be nice to see some of these companies shut down," she says. "It would be nice to see some people go to jail."
Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it's far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing "not a virus" message, as it has for most breeds of stalkerware in the past, Kaspersky Internet Security for Android will now show its users an unmistakeable "privacy alert" for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.
Galperin, who has been working directly with stalkerware victims, sees the Moscow-based firm's move as raising the bar for the entire security industry. Once one company begins to call out consumer spyware as a full-fledged security threat, she argues, competition will drive the other antivirus firms to meet that standard. The result, she hopes, will be a broader remedy to a security industry that has long underestimated stalkerware—often because security researchers don't count spy tools that require full access to a device as "real" hacking, despite domestic abusers in controlling relationships having exactly that sort of physical access to a partner's phone.
Some in the security industry might look askance at Kaspersky's new anti-stalkerware evangelism. Kaspersky has faced accusations for years that it has ties to Russian intelligence agencies, which the company denies. The US banned Kaspersky software from official federal government use last year. But Galperin points out that fighting stalkerware is one situation where Kaspersky's alleged Kremlin ties aren't relevant. The Kaspersky users who worry about domestic abuser spying are rarely the same ones concerned with Russian intelligence.
"It's really about modeling your threat. Most victims of domestic violence don’t work for the NSA or the US government," she says. But she also sees Kaspersky's move as a lever she can use to apply pressure to the company's US competitors. "I recommend American antivirus companies catch up, so I can recommend them instead. Get up and do it yourself."
Galperin admits her role is limited to a kind of strategic lobbying on behalf of stalkerware victims. But Kaspersky, at least, seems to have listened. And she hopes that may help tilt the battle against stalkerware in the right direction for other antivirus firms—and beyond. "Sometimes you get what you ask for," Galperin says. "This change means when I talk to victims of domestic abuse, I can tell them, yes, install antivirus. And it may actually do some good."