Thwart Me If You Can: An Empirical Analysis of Android Platform Armoring Against Stalkerware

TL;DR

This paper systematically analyzes recent Android stalkerware apps to evaluate how platform privacy changes have impacted their capabilities, revealing stalkerware adaptation tactics and informing potential defense strategies.

Contribution

It provides a comprehensive analysis of stalkerware evolution and platform defenses, highlighting new tactics and potential countermeasures.

Findings

Platform privacy features have partially thwarted stalkerware capabilities.

Stalkerware apps have adapted with new tactics to bypass defenses.

Insights may inspire alternative defense strategies.

Abstract

Stalkerware is a serious threat to individuals' privacy that is receiving increased attention from the security and privacy research communities. Existing works have largely focused on studying leading stalkerware apps, dual-purpose apps, monetization of stalkerware, or the experience of survivors. However, there remains a need to understand potential defenses beyond the detection-and-removal approach, which may not necessarily be effective in the context of stalkerware. In this paper, we perform a systematic analysis of a large corpus of recent Android stalkerware apps. We combine multiple analysis techniques to quantify stalkerware behaviors and capabilities and how these evolved over time. Our primary goal is understanding: how (and whether) recent Android platform changes -- largely designed to improve user privacy -- have thwarted stalkerware functionality; how stalkerware may have adapted as a result; and what we may conclude about potential defenses. Our investigation reveals new insights into tactics used by stalkerware and may inspire alternative defense strategies.