How a mobile spyware scan helps free abuse victims
- By Stephanie Kanowitz
- Sep 16, 2019
Recognizing that intimate-partner violence is more than physical abuse, researchers at Cornell Tech are working with New York City to scan survivors’ mobile devices for spyware that abusers use for tracking and intimidation.
The Cornell team found that standard anti-virus and anti-malware tools often fail to find and alert survivors to the presence of apps that could be used for stalking. That’s because some apps -- such as mSpy, which is designed to give parents access to private information and location tracking on their children's phones -- are obvious monitoring tools, but others are not.
“Apps like Find My Friends or apps that are used by parents to monitor their children are very frequently used by abusers to monitor their victims, both with and without their knowledge,” said Nicola Dell, a leader of the research team and assistant professor at the Jacobs Technion-Cornell Institute at Cornell Tech. “We really needed a new spyware-detection tool that is capable of surfacing both the traditional spyware, but also these what we call dual use apps.”
So, they created it. Called the Intimate Partner Violence Spyware Discovery (ISDi) application, it’s part of a weekly technology clinic that the researchers have been conducting with the Mayor’s Office to End Gender-Based Violence at New York City’s five Family Justice Centers (FJCs). Between November 2018 and May 2019, the team met with 44 survivors and found potential spyware, account compromise or exploitable misconfigurations for 23 clients, according to a recently published Cornell report titled “Clinical Computer Security for Victims of Intimate Partner Violence.”
When electronic stalking is reported, an FJC case worker refers a client to a Cornell researcher for one of the weekly technology clinics the team runs. The meeting, which typically takes 30 to 90 minutes, starts with a nontechnical Technology Assessment Questionnaire to find out what devices a survivor has, how they’re used and risks for account compromise. To perform the scan with ISDi, researchers connect their laptop, which has the app on it, to the survivor’s Android or Apple iOS device via a USB cable. An interface pops up that lists the apps on the device.
ISDi uses a set of heuristics comparing the apps on the device to the researchers’ blacklist of bad or dual-use apps. It will also try to determine if the device is jailbroken, rooted or has software that was installed from a source other than an app store.
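The kind of check described above can be illustrated in a few lines of Python. This is an added example, not ISDi's own code: the package names, blocklist entries and the sample `pm list packages -i` output are constructed, and the set of trusted store installers and the system-package list are assumptions.

```python
import re

# Constructed sample in the format printed by `adb shell pm list packages -i`
# (not taken from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.example.familylocator  installer=com.android.vending
package:com.example.stealthmonitor  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=com.example.thirdpartystore
package:com.example.systemui  installer=null
"""

# Hypothetical blocklist mapping package name -> category.
BLOCKLIST = {
    "com.example.stealthmonitor": "spyware",
    "com.example.familylocator": "dual-use",
}
# Assumption: installers treated as official app stores.
STORE_INSTALLERS = {"com.android.vending"}
# Assumption: pre-installed packages (e.g. from `pm list packages -s`),
# which also report installer=null and should not count as sideloaded.
SYSTEM_PACKAGES = {"com.example.systemui"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def scan(pm_output, blocklist=BLOCKLIST, stores=STORE_INSTALLERS,
         system=SYSTEM_PACKAGES):
    """Return [(package, [reasons])] for every app worth discussing."""
    findings = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unexpected lines
        pkg, installer = m["pkg"], m["inst"]
        reasons = []
        if pkg in blocklist:
            reasons.append(blocklist[pkg])
        if installer not in stores and pkg not in system:
            reasons.append("off-store install")
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in scan(SAMPLE_PM_OUTPUT):
        print(f"{pkg}: {', '.join(reasons)}")
```

A flagged dual-use app is only a prompt for conversation: as the figures later in the article show, most such apps turn out to be ones the client installed and knows about.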
Nothing is downloaded onto the survivors’ devices, and the researchers do not look at private information such as text messages or photos, Dell said. The researchers keep their blacklist up-to-date by consulting with app-development companies on new releases and through their work with survivors, she added. Survivors who want to get a device rechecked must return to the FJC for another consultation and scan.
Once ISDi determines the existence of tracking apps, the survivor and technology consultant create a paper worksheet called a technograph -- a visual map that illustrates relationships between devices, accounts and people, similar to a schematic of a family's medical history. Finally, they discuss options for removing offending apps and improving cyber hygiene going forward.
“Prior to all of this, advocates were using their own resources and their own technology know-how … so sometimes there’d be someone who had a little expertise and could help a survivor at a certain agency, or once in a while, if there were a very serious tech crime, you could get connected to someone at NYPD,” said Alison Francis-Lord, executive director of the Staten Island FJC. “But there really isn’t much to help survivors in this area, so it was very groundbreaking for sure.”
The 44 survivors the Cornell team met with brought 105 devices to the meetings; 82 were Android or iOS, and the team scanned 75 of those with ISDi. The researchers checked all but two of the unscanned devices manually, making the total number checked manually 97.
ISDi flagged a total of 79 apps as problematic across all device scans, with 61 being dual-use apps. For all but one of those, discussions with clients confirmed that they recognized the apps and were aware of their presence, according to the report. In the one remaining case, the client had not installed the app, which was a controller for remote home surveillance systems with Wi-Fi, camera and motion-detection capabilities.
The consultations are a fundamental part of what the technologists call clinical computer security, which requires that face-to-face interaction in addition to the device scan. For that reason, Dell said, the team doesn’t think of ISDi as a technology product that should be scaled, although the tools are open source.
“A huge part of this is trying to do stuff safely,” Dell said. “If we give some client the ability to scan their phone and they find spyware and they delete it and their abuser gets mad and kills them, that’s not a good outcome.”
“We are hopeful that the clinic model, more broadly, can be replicated in other cities and other contexts in terms of being able to have tech experts meet with clients and give them advice,” she added.
Stephanie Kanowitz is a freelance writer based in northern Virginia.