The other day, our Android traps ensnared an interesting specimen of stalkerware — commercial software that is usually used to secretly monitor family members or colleagues. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.
Modern stalkerware
What is the usual functionality of a stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”, since various special web resources are used to display coordinates, and they only contain a few lines of code.
Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware able to log them is much less common) are added to the geolocation transmission.
But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of stalkerware that can do this.
MonitorMinor features
In a “clean” Android operating system, direct communication between apps is prevented by the monitorminor vicious stalkerware
