Parental Control App or Stalkerware?
Earlier this week Kaspersky malware expert Victor Chebyshev published a report on new super stalkerware Kaspersky encountered called MonitorMinor. MonitorMinor is being sold online as a parental control app, however, Chebyshev states this is actually stalkerware. It is possibly for this reason that it cannot be bought either on Google Play or via Apple’s App Store. Kaspersky categorized MonitorMinor as stalkerware because it is almost impossible to detect it on the victim’s device. Legitimate Parental Control apps do not hide themselves and an icon is visible on the phone on which they are installed. MonitorMinor also disguises itself to avoid being detected by anti-stalkerware tools, which further reinforces that its use is stalkerware. Furthermore, when Kaspersky investigated MonitorMinor in detail, they found that not only is it stalkerware but it “outstrips all existing software of its class in terms of functionality.”
What Makes MonitorMinor Super Stalkerware
Like most stalkerware, MonitorMinor can track a victim’s geolocation. It also uses geofencing technology, which is the main feature of parental control apps. Geofencing is used in parental control apps to notify parents if their child goes beyond a predefined distance from home. Furthermore, like more sophisticated stalkerware, MonitorMinor can intercept SMS and call data. However, that is not all it can do. It can also spy on other communication and social media channels such as WhatsApp, Gmail, Instagram and Facebook.
MonitorMinor can escalate its privileges
Normally apps on android phones cannot communicate with each other. Chebyshev states: “In a ‘clean’ Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control).” MonitorMinor relies on the existence of an app called the SuperUser-type app (also known as the SU utility). It is not certain how this utility comes to be installed on certain android phones. It could be installed at the factory, by a user or by malware. However, what is important about this utility is that it disables the DAC and provides root access to the operating system. As a result, MonitorMinor can escalate its privileges to obtain data from the above-mentioned apps and many more.
MonitorMinor can unlock phones
The other main feature that distinguishes MonitorMinor from other stalkerware, is its ability to unlock android phones. Not only can it intercept data from social networking apps and messengers, it can extract screen unlock patterns and passwords. To do this, MonitorMinor uses the root privileges gained with the SU utility. With these privileges it can then obtain the file that contains the hash sum to unlock the screen. Chebyshev writes: “This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.”
Worldwide Installs
MonitorMinor is being installed the most in India and Mexico. Nearly 15% of MonitorMinor installations have occurred in India and almost 12% in Mexico. Then come Germany, Saudi Arabia and the UK, all with nearly 6% of installs. According to Chebyshev this stalkerware may originate from India since a Gmail account with an Indian name is hardcoded into MonitorMinor. However, since there are control panels also in Turkish and English, MonitorMinor’s origins are not certain.
How to Minimize Risk
To minimize the risk of falling victim to MonitorMinor, Kaspersky provides the following advice:
Block installations from unknown sources via the phone’s settings Regularly check that no suspicious apps have been installed on the phone Install anti-stalkerware tools on the phone