Consumer spyware is making it easier for violent abusers to stalk and harass victims, a new study has revealed.

Spyware software available for download on most smartphones potentially violates a range of Australian laws relating to harassment, stalking, identity theft and fraud, the research funded by the Australian Consumer Communications Action Network (ACCAN) found.

“There are multiple products available that allow everyday consumers the ability to place a smartphone under close surveillance,” the report authored by Deakin University criminologists Dr Diarmaid Harkin and Dr Adam Molnar said.

The level of surveillance power offered by spyware providers goes way beyond “proportionate” or “ethical” ‘monitoring’, the authors said.

What is spyware?

Spyware is the name given to invasive surveillance software that can be secretly placed on digital devices, mostly smartphones.

Spyware can capture SMS message data from smartphones as well as voice recordings of phone conversations, internet browsing data, and private videos or photos.

Some spyware also delivers ‘live’ access to the phone’s camera and/or microphone.

Such software is available for general consumption in Australia.

Kids, partners, employees, and thieves targeted

The researchers analysed commonly used spyware products from the following nine companies: mSpy, Hoverwatch, FlexiSPY, TheTruthSpy, Highster Mobile, TeenSafe, Mobistealth, Cerberus and TrackView.

They found the software was capable of capturing detailed data without a smartphone user “having any idea” their phone was leaking information including:

Spyware use potentially violates a range of laws. Photo: ACCAN report

• GPS location
• Recordings of any phone calls made by the device
• Recording of any VoIP calls made by the device (including Skype and FaceTime)
• SMS messages
• Data within other messaging systems such as Facebook Messenger and WhatsApp
• Emails
• Photos and videos
• Notes
• Calendar information
• Internet browsing activity
• Call logs
• The names and numbers of contacts in the ‘address book’.

FlexiSPY was singled out for its “considerably alarming” functions that allowed users to:

• Remotely send live pictures and video from the cameras on the target device without the smartphone user being aware the cameras were active
• ‘Call-in’ to the phone from a pre-assigned number and listen to the ambient audio, thus turning the phone into an audio ‘bug’ (the user would have no indication that this is happening)
• Request periodic screen grabs from the target device, thus getting a sense of what the user was looking at on their phone
• Impersonate the smartphone user without their knowledge by sending ‘spoof’ SMS messages.

The study showed that, without clear consent from the person being surveilled, spyware is likely to violate a slew of privacy laws.

“Spyware’s expansive data collection capabilities are sufficiently wide as to not only compromise the private data of the user of the device, but anyone who also interacts with the user via their device,” the researchers said.

An ad by TheTruthSpy promoting spying on children and partners. Photo: ACCAN report

Disturbingly, children and intimate partners were found to be most at risk of being targeted with invasive surveillance – a trend actively encouraged by many spyware companies.

“Across our sample, a clear theme emerged from the promotional materials that the main targets of spyware were children and intimate partners, as well as employees and thieves.”

Android phones less secure than iPhone

The research showed that smartphones running Google’s Android operating system were far more vulnerable to spyware than Apple’s iPhone.

“In our technical analysis, we found that the Android operating system is significantly more permissive of spyware accessing critical phone functions such as the camera and GPS, as well as other confidential data,” Dr Harkin said.

“In order for an iPhone to be compromised in the same manner, it would need to be jailbroken, or had the manufacturing restrictions removed.”

The researchers also called on Google to crack down on spyware by more strenuously enforcing its anti-spyware policy.

Tech companies should pull support for spyware

The researchers called on tech companies to boot spyware companies from their platforms.

In order to successfully run their operations, consumer spyware companies rely on cloud-network support services such as Cloudflare, Codero and Linode, the study revealed.

“If these companies withdrew their support for spyware vendors they could significantly disrupt the ability of spyware companies to operate,” Dr Harkin said.

They also argued that Parliament should amend the Privacy Act to “further protect the personal information of individuals from the use of consumer spyware – most notably for the protection of women and children”.

“The specific issue of technology-facilitated abuse and harassment through the use of spyware is inseparable from our broader culture of patriarchal and gendered discrimination that disproportionately impacts women, children, and non-binary persons,” the report said.

“While the insights generated in this report may provide useful avenues for reining in a largely unregulated and industry, we insist that any steps to transcend forms of technology facilitated abuse must also critically address broader social and ethical values.”

1800 RESPECT (1800 737 732)

Lifeline 13 11 14