Stalkerware Indicators of Compromise

Indicators of compromise (IOC) on Stalkerware applications for Android and iOS

Warning: these indicators do not provide complete detection of stalkerware applications. They are based on research done by a few people in their free time, and many apps are likely missing. Use them carefully. The absence of a detection based on these indicators should not be understood as meaning that no stalkerware is installed.

What is stalkerware?

We're using the definition of the Coalition Against Stalkerware:

Stalkerware refers to tools – software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device. The abuser can remotely monitor the whole device including web searches, geolocation, text messages, photos, voice calls and much more. Such programs are easy to buy and install. They run hidden in the background, without the affected person knowing or giving their consent. Regardless of stalkerware’s availability, the abuser is accountable for using it as a tool and hence for committing this crime.

IOC

Main files:

  • ioc.yaml : Indicators of compromise of many Stalkerware apps. Includes
  • quad9_blocklist.txt: blocklist for the Quad9 DNS resolver (includes a more limited set of domains, covering only apps clearly intended for stalking and only C2 domains, not app websites)
  • samples.csv: List of samples with hashes, package name, certificate and version.

Files generated automatically from previous IOC files:

  • generated/hosts: network indicators (C2 domains only) in hosts format
  • generated/indicators-for-tinycheck.json: indicators in TinyCheck compatible format
  • generated/misp_event.json: indicators in MISP compatible format
  • generated/network.csv: network indicators in a more grepable CSV format
  • generated/stalkerware.stix2: indicators in STIX2 format
  • generated/suricata.rules: Suricata rules for network indicators (C2 only)
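
One way to use a hosts-format indicator file such as generated/hosts on the defensive side is to match resolver logs against it, including subdomains of listed entries. This is an added example, not code from this repository; it assumes the usual "address hostname" hosts layout, and every domain and query in it is a constructed placeholder.

```python
# Added example: match observed DNS names against a hosts-format blocklist.
# All domains below are constructed placeholders, not real indicators.
SAMPLE_HOSTS = """\
# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 c2.stalker-example.invalid
0.0.0.0 api.tracker-example.invalid  # trailing comment
"""

SAMPLE_QUERIES = [  # constructed query names, as a resolver log might show them
    "www.example.org",
    "C2.Stalker-Example.invalid.",
    "eu1.api.tracker-example.invalid",
    "notapi.tracker-example.invalid",
]

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return the set of listed domains from hosts-format text."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:  # fields[0] is the sink address
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                domains.add(name)
    return domains


def match_indicator(query, domains):
    """Return the indicator equal to the query or to one of its parent domains."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on whole labels only
        if candidate in domains:
            return candidate
    return None


def scan(queries, domains):
    """Map each matching query to its indicator. An empty result only means
    no listed domain was seen, not that the device is free of stalkerware."""
    pairs = ((q, match_indicator(q, domains)) for q in queries)
    return {q: hit for q, hit in pairs if hit}


if __name__ == "__main__":
    for query, hit in scan(SAMPLE_QUERIES, parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{query} -> {hit}")
```

Matching on whole labels keeps a name like notapi.tracker-example.invalid from being flagged just because it ends with a listed string.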

Scripts:

  • scripts/check_apk.py: check an APK file or APKs in a folder with the indicators from this repository
  • scripts/generate.py: creates all the files in the generated folder (done automatically through GitHub Actions)
  • scripts/linter.py: linter to check the format of the different indicator files (done automatically through GitHub Actions)

Stalkerware

This repository includes indicators for the following stalkerware :

  • 1TopSpy : www.1topspy.com
  • AirSpyer
  • AllTracker : alltracker.org (also called Russ City)
  • AndroidLost : androidlost.com
  • AntiFurto Droid : antifurtodroid.com
  • AppMia
  • AppSpy : www.appspy.com
  • Android Monitor : www.androidmonitor.com
  • Bark : www.bark.us
  • BlurSpy : www.blurspy.com
  • CallSMSTracker : callsmstracker.com
  • Catwatchful : catwatchful.com
  • Cerberus : www.cerberusapp.com
  • ClevGuard : www.clevguard.com
  • Cocospy : www.cocospy.com
  • Copy9 : copy9.com
  • DDI Utilities : ddiutilities.com
  • EasyLogger : logger.mobi
  • EasyPhoneTrack : easyphonetrack.com (also spappmonitoring.com)
  • Espiao Android: espiaoandroid.com.br
  • EyeZy : www.eyezy.com
  • FlexiSpy : www.flexispy.com
  • Free Android Spy : www.freeandroidspy.com
  • FoneTracker : fonetracker.com
  • FoneMonitor : fonemonitor.co
  • ForeverSpy : foreverspy.com
  • GPSTrackerLoki : asgardtech.ru
  • GuestSpy : guestspy.com (now replaced by TheTruthSpy)
  • HelloSpy : hellospy.com
  • Highster Mobile : highstermobile.com
  • Hoverwatch : www.hoverwatch.com
  • iKeyMonitor : ikeymonitor.com
  • iMonitorSpy : www.imonitorsoft.com
  • iSpyoo : ispyoo.com
  • LetMeSpy : www.letmespy.com
  • Maxxspy: maxxSpy.com
  • Meuspy: meuspy.com
  • MinSpy : minspy.com (also called kuuvv, cocospy, spyier, …)
  • Mobispy : www.mobispy.net
  • Mobiispy : mobiispy.com
  • MobileTrackerFree : mobile-tracker-free.com
  • MobileTool : mtoolapp.net, mobiletool.ru and mtoolapp.biz
  • Mobistealth : www.mobistealth.com
  • mSpy : www.mspy.com (also called SpyBubble)
  • MxSpy : mxspy.com
  • NeatSpy : neatspy.com
  • NetSpy : www.netspy.net
  • NeoSpy : neospy.net (an analysis here)
  • OneMonitar : onemonitar.com (also known as OneSpy)
  • OwnSpy : en.ownspy.com
  • pcTattletale : www.pctattletale.com
  • PhoneSpying : www.phonespying.com
  • PhoneSherif : phonesheriff.com
  • PanSpy : panspy.com
  • Repticulus : reptilicus.net
  • SafeSpy : safespy.com
  • SAP4Mobile : sap4mobile.com
  • ShadowSpy : www.shadow-spy.com
  • Snoopza : snoopza.com
  • Spy24 : spy24.app
  • SpyApp247 : www.spyapp247.com
  • SpyEra : spyera.com
  • SpyHide : spyhide.com
  • SpyHuman : spyhuman.com
  • Spyic : spyic.com
  • Spyier : spyier.com
  • Spyine : spyine.com
  • Spylive360 : spylive360.com
  • SpyMasterPro : spymasterpro.com
  • Spymie : www.spymie.com (analyzed by ZScaler here)
  • SpyPhoneApp : spyphoneapp.org
  • Spytoapp : spytoapp.com
  • Spyzie : www.spyzie.com and spyzie.io
  • spy2mobile : spytomobile.com
  • TalkLog : talklog.tools
  • The One Spy : theonespy.com
  • TheTruthSpy : thetruthspy.com
  • TrackMyFone : trackmyfone.com
  • Track My Phones : trackmyphones.com
  • uMobix : umobix.com
  • WiseMo : www.wisemo.com
  • WtSpy : wt-spy.com
  • Xnore : xnore.com
  • XNSpy : xnspy.com

Contributions

This repository is maintained by the Echap non-profit organisation.

Contributors include:

These indicators were largely based on research and analysis using APKlab, Koodous and VirusTotal.

Please Contribute

This repository is not complete: new stalkerware apps appear and disappear all the time. Feel free to contribute to this database by opening an issue or submitting a Pull Request.

If you want to do further research on some apps and need access to the samples, feel free to send me an email.

Other stalkerware repositories

There are other repositories gathering stalkerware indicators:

References

License

The content of this repository is licensed under CC0; you're free to do whatever you want with it.

Please note that while we're doing our very best, there is no guarantee that it is accurate. If it is useful to you, consider giving money to an organisation fighting violence against women in your country.

Contributors

jvoisin, te-k, jcoscia, jbrinksmeier, kpcyrd, u039b, t145, rafiot, besendorf
