Google pulls ‘stalkerware’ ads that promoted phone spying apps

Google has pulled several “stalkerware” ads that violated its policies by promoting apps that encouraged prospective users to spy on their spouses’ phone.

These consumer-grade spyware apps are often marketed to parents wishing to monitor their child’s calls, messages, apps, photos and location, often under the guise of protecting against predators. But these apps, which are often designed to be installed surreptitiously and without the device owner’s consent, have been repurposed by abusers to spy on the phones of their spouses.

The rise in the use of so-called “stalkerware” (or spouseware) prompted an industrywide response in recent years to combat the spread of phone monitoring apps. Antivirus makers have worked to better detect stalkerware, and federal authorities are taking action against spyware makers that further expose their victims to security threats. Last August, Google banned ads in users’ search results that promoted apps that are designed “with the express purpose of tracking or monitoring another person or their activities without their authorization.”

But TechCrunch found five app makers were still advertising their stalkerware apps as recently as last week.

“We do not allow ads promoting spyware for partner surveillance. We immediately removed the ads that violated this policy and will continue to track emerging behaviors to prevent bad actors from trying to evade our detection systems,” a Google spokesperson told TechCrunch.

Read more on TechCrunch

Google said its policy on enabling dishonest behavior, which governs the promotion of spyware, bans ads from promoting intimate partner surveillance, but does not extend to ads that promote tracking a child’s activity or workplaces monitoring their employees’ devices, the spokesperson confirmed. The policy also exempts private investigation services, though Google would not say if or how it determines for what purpose an app is used.

Vocal supporters of Google’s efforts against stalkerware have expressed concerns with the policy’s enforcement. Malwarebytes, a founding member of the Coalition Against Stalkerware, a group of companies committed to combating the growing threat of stalkerware, said last year that the policy was “incomplete” since it allowed stalkerware makers to “skirt the rules by changing the face of what they’re selling, without changing the core technology within.”

The spokesperson for Google declined to provide specifics of how Google’s enforcement works, but said it looks at a combination of factors to determine if an ad violates its policies, such as looking at the text and images of the ad, how the product is promoted and the landing pages of the ads when clicked.

TechCrunch found that several stalkerware apps used a variety of techniques to successfully evade Google’s ban on advertising apps for partner surveillance and were able to get Google ads approved.

In one case, mSpy, a spyware app that had a major security lapse in 2018, ran Google ads that linked to an interstitial web page on an entirely separate domain from mSpy’s website, which tripped up Google from detecting that the app was also being marketed to spy on “your kids, husband or wife, grandma or grandpa.”

Another stalkerware maker, ClevGuard, which in 2020 spilled the phone data on thousands of victims, ran Google ads that linked to a page on its website that said the app could be used on a spouse to “dispel any doubts in a relationship.” The page was hidden from Google’s search index using a “robots” file that tells search engines what should and shouldn’t appear in search results. TechCrunch found two other stalkerware apps using this same technique to run ads, which Google said also violated its policies.

Other violating ads were more overt. PhoneSpector, a spyware maker based on Long Island, NY, ran ads that promoted the app as a way to “catch a cheater.”

As of September, Google said it will suspend the accounts of advertisers for three months who repeatedly violate its ad policies, including for promoting spyware for targeting spouses.

None of the stalkerware companies responded to requests for comment.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or by email.