Te-k/stalkerware-indicators

Stalkerware Indicators of Compromise

Indicators of compromise (IOC) on Stalkerware applications for Android and iOS

Warning: these indicators do not provide complete detection of stalkerware applications. They are based on research done by a few people in their free time, and many apps are likely missing. Use them carefully. The absence of a detection based on these indicators should not be understood as meaning that no stalkerware is installed.

What's a stalkerware?

We're using the definition of the Coalition Against Stalkerware:

Stalkerware refers to tools – software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device. The abuser can remotely monitor the whole device including web searches, geolocation, text messages, photos, voice calls and much more. Such programs are easy to buy and install. They run hidden in the background, without the affected person knowing or giving their consent. Regardless of stalkerware’s availability, the abuser is accountable for using it as a tool and hence for committing this crime.

IOC

Main files:

  • ioc.yaml : Indicators of compromise of many Stalkerware apps. Includes
  • quad9_blocklist.txt: blocklist for the Quad9 DNS resolver (includes a more limited set of domains: only apps clearly meant for stalking, and only C2 domains, not app websites)
  • samples.csv: List of samples with hashes, package name, certificate and version.

Files generated automatically from previous IOC files:

  • generated/hosts: network indicators (C2 domains only) in hosts format
  • generated/indicators-for-tinycheck.json: indicators in TinyCheck compatible format
  • generated/misp_event.json: indicators in MISP compatible format
  • generated/network.csv: network indicators in a more grepable CSV format
  • generated/stalkerware.stix2: indicators in STIX2 format
  • generated/suricata.rules: Suricata rules for network indicators (C2 only)
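
An added example, not part of this repository's scripts: matching DNS query names from a resolver log against a hosts-format indicator file such as generated/hosts, including subdomains of a listed domain. The domains, queries and function names are constructed for illustration, and the file is assumed to use the usual `<address> <hostname>` hosts layout.

```python
# Added example; every domain and query below is a constructed placeholder.
SAMPLE_HOSTS = """\
# constructed stand-in for generated/hosts
0.0.0.0 c2.stalker-example.test
0.0.0.0 api.tracker-example.test  # inline comment
127.0.0.1 localhost
"""
SAMPLE_QUERIES = [  # constructed DNS query names from a resolver log
    "www.example.org",
    "C2.Stalker-Example.test.",
    "eu1.api.tracker-example.test",
    "notapi.tracker-example.test",
]
IGNORED = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return blocked domains from '<address> <name> [<alias> ...]' lines."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, then tokenize
        domains.update(normalize(n) for n in fields[1:])
    return domains - IGNORED


def match_indicator(query, domains):
    """Return the indicator equal to the query or one of its parents, else None."""
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(queries, hosts_text):
    """Map each matching query to the indicator it hit."""
    domains = parse_hosts(hosts_text)
    hits = {q: match_indicator(q, domains) for q in queries}
    return {q: ind for q, ind in hits.items() if ind}


if __name__ == "__main__":
    print(scan(SAMPLE_QUERIES, SAMPLE_HOSTS))
```

Matching walks up the label boundaries, so a subdomain of a listed domain is flagged while a lookalike such as notapi.tracker-example.test is not. As the warning above says, an empty result does not mean that no stalkerware is present.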

Scripts:

  • scripts/check_apk.py: check an APK file or APKs in a folder with the indicators from this repository
  • scripts/generate.py: creates all the files in the generated folder (done automatically through GitHub Actions)
  • scripts/linter.py: linter to check the format of the different indicator files (done automatically through GitHub Actions)

Stalkerware

This repository includes indicators for the following stalkerware :

  • 1TopSpy : www.1topspy.com
  • AirSpyer
  • AllTracker : alltracker.org (also called Russ City)
  • AndroidLost : androidlost.com
  • AntiFurto Droid : antifurtodroid.com
  • AppMia
  • AppSpy : www.appspy.com
  • Android Monitor : www.androidmonitor.com
  • Bark : www.bark.us
  • BlurSpy : www.blurspy.com
  • CallSMSTracker : callsmstracker.com
  • Catwatchful : catwatchful.com
  • Cerberus : www.cerberusapp.com
  • ClevGuard : www.clevguard.com
  • Cocospy : www.cocospy.com
  • Copy9 : copy9.com
  • DDI Utilities : ddiutilities.com
  • EasyLogger : logger.mobi
  • EasyPhoneTrack : easyphonetrack.com (also spappmonitoring.com)
  • Espiao Android: espiaoandroid.com.br
  • EyeZy : www.eyezy.com
  • FlexiSpy : www.flexispy.com
  • Free Android Spy : www.freeandroidspy.com
  • FoneTracker : fonetracker.com
  • FoneMonitor : fonemonitor.co
  • ForeverSpy : foreverspy.com
  • GPSTrackerLoki : asgardtech.ru
  • GuestSpy : guestspy.com (now replaced by TheTruthSpy)
  • HelloSpy : hellospy.com
  • Highster Mobile : highstermobile.com
  • Hoverwatch : www.hoverwatch.com
  • iKeyMonitor : ikeymonitor.com
  • iMonitorSpy : www.imonitorsoft.com
  • iSpyoo : ispyoo.com
  • LetMeSpy : www.letmespy.com
  • Maxxspy: maxxSpy.com
  • Meuspy: meuspy.com
  • MinSpy : minspy.com (also called kuuvv, cocospy, spyier, …)
  • Mobispy : www.mobispy.net
  • Mobiispy : mobiispy.com
  • MobileTrackerFree : mobile-tracker-free.com
  • MobileTool : mtoolapp.net, mobiletool.ru and mtoolapp.biz
  • Mobistealth : www.mobistealth.com
  • mSpy : www.mspy.com (also called SpyBubble)
  • MxSpy : mxspy.com
  • NeatSpy : neatspy.com
  • NetSpy : www.netspy.net
  • NeoSpy : neospy.net (an analysis here)
  • OneMonitar : onemonitar.com (also known as OneSpy)
  • OwnSpy : en.ownspy.com
  • pcTattletale : www.pctattletale.com
  • PhoneSpying : www.phonespying.com
  • PhoneSherif : phonesheriff.com
  • PanSpy : panspy.com
  • Repticulus : reptilicus.net
  • SafeSpy : safespy.com
  • SAP4Mobile : sap4mobile.com
  • ShadowSpy : www.shadow-spy.com
  • Snoopza : snoopza.com
  • Spy24 : spy24.app
  • SpyApp247 : www.spyapp247.com
  • SpyEra : spyera.com
  • SpyHide : spyhide.com
  • SpyHuman : spyhuman.com
  • Spyic : spyic.com
  • Spyier : spyier.com
  • Spyine : spyine.com
  • Spylive360 : spylive360.com
  • SpyMasterPro : spymasterpro.com
  • Spymie : www.spymie.com (analyzed by ZScaler here)
  • SpyPhoneApp : spyphoneapp.org
  • Spytoapp : spytoapp.com
  • Spyzie : www.spyzie.com and spyzie.io
  • spy2mobile : spytomobile.com
  • TalkLog : talklog.tools
  • The One Spy : theonespy.com
  • TheTruthSpy : thetruthspy.com
  • TrackMyFone : trackmyfone.com
  • Track My Phones : trackmyphones.com
  • uMobix : umobix.com
  • WiseMo : www.wisemo.com
  • WtSpy : wt-spy.com
  • Xnore : xnore.com
  • XNSpy : xnspy.com

Contributions

This repository is maintained by the Echap non-profit organisation.

Contributors include:

These indicators were largely based on research and analysis using APKlab, Koodous and VirusTotal.

Please Contribute

This repository is not complete: new stalkerware apps appear and disappear all the time. Feel free to contribute to this database by opening an issue or submitting a Pull Request.

If you want to do further research on some apps and need access to the samples, feel free to send me an email.

Other stalkerware repositories

There are other repositories gathering stalkerware indicators:

References

License

The content of this repository is licensed under CC0; you're free to do whatever you want with it.

Please note that while we're doing our very best, there is no guarantee that it is accurate. If it is useful to you, consider giving money to an organisation supporting victims of violence against women in your country.
