Last year, Google removed a batch of 813 “creepware” apps from the official Android Play Store following a report from a group of academics studying stalkerware-like apps.
The research behind last year’s report has now been published online this month in a paper titled “The Many Kinds of Creepware Used for Interpersonal Attacks.”
In the paper, academics from New York University, Cornell Tech, and NortonLifeLock (formerly Symantec) analyzed so-called “creepware” apps.
The term creepware refers to mobile apps that don’t possess the full features of a spyware or stalkerware product but can still be used to stalk, harass, defraud, or threaten another person, directly or indirectly.
The CreepRank algorithm
The research team says it developed an algorithm named CreepRank that identifies creepware-like behavior inside mobile apps, and then assigns a creep score to each app.
For example, the CreepRank algorithm can identify apps with features that can be abused to extract SMS messages from a device, spoof another user’s identity in IM/SMS chats, launch denial-of-service attacks (SMS/IM bombs, etc.), hide other apps, control access to other apps, track location, and more.
Apps implementing these features do not qualify as spyware or stalkerware (spouseware) on their own, but they still enable some form of abuse, or they could be combined with other apps for more intrusive behaviors.
Academics searched for creepware on 50 million devices
After developing the CreepRank algorithm, the research team used it to identify creepware apps in the real world.
The research team did this by running CreepRank on a sample of anonymized data from apps installed on more than 50 million Android smartphones. This data was provided by NortonLifeLock, and came from real-world devices running the Norton Mobile Security mobile antivirus.
For each app, the CreepRank algorithm calculated a creep score, and then researchers ranked apps to discover the ones that could be abused for tracking or harassing users.
Researchers said that an analysis of the Top 1,000 apps based on their CreepRank score found that 857 qualified as creepware, with the “creepware” functions taking a central role in the app and, sometimes, in its marketing.
This included apps that enable spoofing (114 apps), harassment (80 apps, including SMS bombers), hacking tutorials (63 apps), and others.
By applying the CreepRank algorithm to app data sets from 2017, 2018, and 2019, academics said they found 1,095 creepware apps, accounting for more than one million installs across real-world devices.
The research team said it notified Google about the 1,095 apps last summer, and the tech giant’s security teams intervened and took down 813 for violating the Play Store’s terms and conditions.
In September 2019, after Google removed the apps and validated the algorithm’s efficiency, NortonLifeLock also announced it was incorporating CreepRank in its mobile antivirus product going forward.
NortonLifeLock is also a founding member of The Coalition Against Stalkerware, a cyber-security industry group fighting against the rise and prevalence of stalkerware apps.
Additional details about the CreepRank algorithm are available in the research team’s paper.