US stalkerware developer fined $410,000 and ordered to modify apps so they reveal spying
Creepy developer offers evasive apps that track victims, crack their cloud storage, enable harassment and worse
A New York man who developed several stalkerware apps has been ordered to pay $410,000 in civil fines to settle a court case against him, and must modify the apps to let people know they are being monitored.
The NY Attorney General's Office this month announced the agreement with Patrick Hinchy, who sold the apps through more than a dozen companies in New York and Florida.
AG Letitia James' office said Hinchy's stalkerware let users secretly monitor the activity of other people's devices, including text messages, location, Gmail activity, messages in WhatsApp and Skype, call logs, and social media activity.
Hinchy set up at least 16 companies to promote his apps. All told buyers that the apps were legal, but the software didn't notify those whose devices were being monitored that the stalkerware was running and reporting on their activities, breaking state and federal laws, according to James.
As part of the agreement [PDF], the apps must be modified to alert people when their device is being monitored by the software.
In addition, Hinchy and the companies – which used names including Data, DDI Data Solutions, Highster Data Services, and PhoneSpector – misrepresented their refund and data security policies, didn't tell buyers that the apps could harm the devices they were installed on, and published fake reviews on sham sites created by Hinchy.
"Snooping on a partner and tracking their cell phone without their knowledge isn't just a sign of an unhealthy relationship, it is against the law," James said in a statement. "These apps and products put New Yorkers at risk of stalking and domestic abuse."
The Coalition Against Stalkerware, which launched in 2019, said such software is part of a larger problem of people using software to track others. In the US, one in four victims of stalking said technology played a role in the harassment they experienced and 21 percent of victims in France said their harassers used stalkerware.
Between 2017 and 2020, NortonLifeLock identified more than 1,000 apps that could enable users to stalk people and that it was detecting about 1,250 infected mobile devices a month. The US Federal Trade Commission (FTC) in 2021 banned SpyFone and its CEO from the surveillance business.
"The majority of affected users do not even know this type of software exists," Kaspersky wrote in a 2020 report. "This means they cannot protect themselves, online or offline, especially as the perpetrator using stalkerware usually knows their victim personally."
Hinchy has slung stalkerware since 2011, offering software that could enable users to monitor the activity of others' iOS or Android devices, according to the settlement. Once on the victim's device, the apps copy information from the device and send it to a server, where it could be viewed by the app buyer.
Some of the apps enabled the buyer to remotely activate the camera or microphone on the device, allowing them to photograph or listen to the victim. Hinchy's code also works to remove evidence of its presence by hiding the app's icon, or unlocking a device.
In addition, some apps didn't even need to be installed on an iOS device; instead they could exfiltrate data from the iCloud account linked to the device. But to get such information as social media logs, the app buyer would need to "jailbreak" iOS devices or "root" Android systems, essentially bypassing built-in protections, a step that can damage the device, void its warranty, and is noticeable.
Hinchy's companies promoted the apps as a tool for catching a cheating spouse that could be installed without their knowledge. Support staff helped customers hide the apps' icons, hack into iCloud accounts, and perform other nefarious actions.
Bud Broomhead, founder and CEO of IoT security vendor Viakoo, told The Register that surveillance tech of all sorts is an increasing problem because the market is there and growing.
"Smartphone apps, AirTags, breached IoT devices, social media tracking, the list goes on and on, and contains many technologies that didn't exist a few years ago," Broomhead said. "Not only have the means of illegal surveillance expanded, so have the motives to use it. Airbnb hosts checking to make sure renters don't violate their rules, parents checking on babysitters, catching porch pirates, finding luggage lost by airlines, and so on."
Unless people have total control over their devices and surroundings, there will be a danger of surveillance.
People who suspect they have stalkerware on their device can review their settings, configurations, and apps, Andrew Barratt, vice president of Coalfire, told The Register. In addition, the iOS app library feature lets users review apps that have been installed. Stalkerware may be a "transient app" that removes itself from view, so a factory reset of a device suspected of running such apps is likely a more potent defense, followed by manual re-installation of trusted apps.
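As an added illustration of the "review your apps" step Barratt describes (example code, not from the article, Coalfire, or any of the companies named), the script below compares a list of installed third-party Android packages against those that expose a launcher icon and flags the remainder for a closer look, since hiding the icon is one of the tricks the article attributes to this software. The `package:<name>` line format is that of `adb shell pm list packages -3`; the launcher-visible list, the allowlist, and every package name are constructed for the example.

```python
# Added example (not from the article): flag third-party Android packages that are
# installed but expose no launcher icon, one of the hiding tricks the article describes.
# Installed-package lines follow `adb shell pm list packages -3` ("package:<name>");
# the launcher-visible list is a constructed stand-in for a launcher-activity query.
import re
from typing import Iterable

PACKAGE_LINE = re.compile(r"^package:(\S+)\s*$")


def parse_package_list(lines: Iterable[str]) -> set[str]:
    """Parse 'package:<name>' lines into a set of package names; other lines are ignored."""
    names = set()
    for line in lines:
        m = PACKAGE_LINE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def hidden_third_party(installed: Iterable[str],
                       launcher_visible: Iterable[str],
                       allowlist: Iterable[str] = ()) -> list[str]:
    """Return installed packages that have no launcher entry and are not allowlisted, sorted."""
    installed_set = parse_package_list(installed)
    visible_set = parse_package_list(launcher_visible)
    return sorted(installed_set - visible_set - set(allowlist))


# Constructed sample output (not captured from a real device).
INSTALLED_SAMPLE = """package:com.example.notes
package:com.example.weather
package:com.example.sysupdate
package:com.example.keyboardhelper
""".splitlines()

LAUNCHER_SAMPLE = """package:com.example.notes
package:com.example.weather
""".splitlines()

# Constructed allowlist: packages known to lack an icon legitimately (here, a keyboard IME).
KNOWN_NO_ICON = {"com.example.keyboardhelper"}

if __name__ == "__main__":
    for pkg in hidden_third_party(INSTALLED_SAMPLE, LAUNCHER_SAMPLE, KNOWN_NO_ICON):
        print("review:", pkg)
```

A missing icon is a triage signal, not proof: keyboards, background services and some vendor tools legitimately have none, which is why the allowlist exists. For a device that is actually suspected of running such software, the factory reset and reinstall from trusted sources that Barratt recommends remains the more reliable response.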
Barratt urged abuse or stalking victims to conduct that sort of device purge from a safe place.
"Circumstances around this will vary and in domestic abuse situations it's more important that the person who is at risk ensures they are safe before potentially triggering a stalker," he said. ®