Indicators of compromise (IOC) on Stalkerware applications for Android and iOS
Warning: these indicators do not provide complete detection of stalkerware applications. They are based on research done by a few people in their free time, and many apps are likely missing. Use them carefully. The absence of a detection based on these indicators should not be understood as meaning that no stalkerware is installed.
We're using the definition of the Coalition Against Stalkerware:
Stalkerware refers to tools – software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device. The abuser can remotely monitor the whole device including web searches, geolocation, text messages, photos, voice calls and much more. Such programs are easy to buy and install. They run hidden in the background, without the affected person knowing or giving their consent. Regardless of stalkerware’s availability, the abuser is accountable for using it as a tool and hence for committing this crime.
Main files:
- ioc.yaml: Indicators of compromise of many stalkerware apps. Includes:
  - Application package names
  - Android application certificates
  - List of websites
  - List of domains and IPs of C2
- quad9_blocklist.txt: blocklist for the Quad9 DNS resolver (includes a more limited set of domains, covering only apps clearly intended for stalking and only C2 domains, not app websites)
- samples.csv: List of samples with hashes, package name, certificate and version.
Files generated automatically from previous IOC files:
- generated/hosts: network indicators (C2 domains only) in hosts format
- generated/indicators-for-tinycheck.json: indicators in TinyCheck compatible format
- generated/misp_event.json: indicators in MISP compatible format
- generated/network.csv: network indicators in a more grepable CSV format
- generated/stalkerware.stix2: indicators in STIX2 format
- generated/suricata.rules: Suricata rules for network indicators (C2 only)
Scripts:
- scripts/check_apk.py: check an APK file or APKs in a folder with the indicators from this repository
- scripts/generate.py: creates all the files in the generated folder (automatically done through GitHub Actions)
- scripts/linter.py: linter to check the format of the different indicator files (automatically done through GitHub Actions)
This repository includes indicators for the following stalkerware:
- 1TopSpy: www.1topspy.com
- AirSpyer
- AllTracker: alltracker.org (also called Russ City)
- AndroidLost: androidlost.com
- AntiFurto Droid: antifurtodroid.com
- AppMia
- AppSpy: www.appspy.com
- Android Monitor: www.androidmonitor.com
- Bark: www.bark.us
- BlurSpy: www.blurspy.com
- CallSMSTracker: callsmstracker.com
- Catwatchful: catwatchful.com
- Cerberus: www.cerberusapp.com
- ClevGuard: www.clevguard.com
- Cocospy: www.cocospy.com
- Copy9: copy9.com
- DDI Utilities: ddiutilities.com
- EasyLogger: logger.mobi
- EasyPhoneTrack: easyphonetrack.com (also spappmonitoring.com)
- Espiao Android: espiaoandroid.com.br
- EyeZy: www.eyezy.com
- FlexiSpy: www.flexispy.com
- Free Android Spy: www.freeandroidspy.com
- FoneTracker: fonetracker.com
- FoneMonitor: fonemonitor.co
- ForeverSpy: foreverspy.com
- GPSTrackerLoki: asgardtech.ru
- GuestSpy: guestspy.com (now replaced by TheTruthSpy)
- HelloSpy: hellospy.com
- Highster Mobile: highstermobile.com
- Hoverwatch: www.hoverwatch.com
- iKeyMonitor: ikeymonitor.com
- iMonitorSpy: www.imonitorsoft.com
- iSpyoo: ispyoo.com
- LetMeSpy: www.letmespy.com
- Maxxspy: maxxSpy.com
- Meuspy: meuspy.com
- MinSpy: minspy.com (also called kuuvv, cocospy, spyier, …)
- Mobispy: www.mobispy.net
- Mobiispy: mobiispy.com
- MobileTrackerFree: mobile-tracker-free.com
- MobileTool: mtoolapp.net, mobiletool.ru and mtoolapp.biz
- Mobistealth: www.mobistealth.com
- mSpy: www.mspy.com (also called SpyBubble)
- MxSpy: mxspy.com
- NeatSpy: neatspy.com
- NetSpy: www.netspy.net
- NeoSpy: neospy.net (an analysis here)
- OneMonitar: onemonitar.com (also known as OneSpy)
- OwnSpy: en.ownspy.com
- pcTattletale: www.pctattletale.com
- PhoneSpying: www.phonespying.com
- PhoneSherif: phonesheriff.com
- PanSpy: panspy.com
- Repticulus: reptilicus.net
- SafeSpy: safespy.com
- SAP4Mobile: sap4mobile.com
- ShadowSpy: www.shadow-spy.com
- Snoopza: snoopza.com
- Spy24: spy24.app
- SpyApp247: www.spyapp247.com
- SpyEra: spyera.com
- SpyHide: spyhide.com
- SpyHuman: spyhuman.com
- Spyic: spyic.com
- Spyier: spyier.com
- Spyine: spyine.com
- Spylive360: spylive360.com
- SpyMasterPro: spymasterpro.com
- Spymie: www.spymie.com (analyzed by ZScaler here)
- SpyPhoneApp: spyphoneapp.org
- Spytoapp: spytoapp.com
- Spyzie: www.spyzie.com, spyzie.io
- spy2mobile: spytomobile.com
- TalkLog: talklog.tools
- The One Spy: theonespy.com
- TheTruthSpy: thetruthspy.com
- TrackMyFone: trackmyfone.com
- Track My Phones: trackmyphones.com
- uMobix: umobix.com
- WiseMo: www.wisemo.com
- WtSpy: wt-spy.com
- Xnore: xnore.com
- XNSpy: xnspy.com
This repository is maintained by the Echap non-profit organisation.
Contributors include:
These indicators were largely based on research and analysis using APKlab, Koodous and VirusTotal.
This repository is not complete: new stalkerware apps appear and disappear all the time. Feel free to contribute to this database by opening an issue or submitting a Pull Request.
If you want to do further research on some apps and need access to the samples, feel free to send me an email.
There are other repositories gathering stalkerware indicators:
- Coalition against stalkerware
- Resources from the Clinic to End Tech Abuse
- The Predator in Your Pocket - A Multidisciplinary Assessment of the Stalkerware Application Industry by the Citizen Lab
- What you need to know about stalkerware - TED Talk by Eva Galperin
The content of this repository is licensed under CC0; you're free to do whatever you want with it.
Please note that while we're doing our very best, there is no guarantee that it is accurate. If it is useful to you, consider giving money to an organisation fighting violence against women in your country.