Towards Stalkerware Detection with Precise Warnings

Abstract

Stalkerware enables individuals to conduct covert surveillance on a targeted person's device. Android devices are a particularly fertile ground for stalkerware, most of which spy on a single communication channel, sensor, or category of private data, though 27% of stalkerware surveil multiple of private data sources. We present Dosmelt, a system that enables stalkerware warnings that precisely characterize the types of surveillance conducted by Android stalkerware so that surveiled individuals can take appropriate mitigating action. Our methodology uses active learning in a semi-supervised learning setting to tackle this task at scale, which would otherwise require expert labeling of significant number of stalkerware apps. Dosmelt leverages the observation that stalkerware differs from other categories of spyware in its open advertising of its surveillance capabilities, which we detect on the basis of the titles and self-descriptions of stalkerware apps that are posted on Android app stores. Dosmelt achieves up to 96% AUC for stalkerware detection with a 91% Macro-F1 score of surveillance capability attribution for stalkerware apps. Dosmelt has detected hundreds of new stalkerware apps that we have added to the Stalkerware Threat List.