Picture from the Hacker News

In this technical blog post, we will examine the components of a stalkerware app designed for Android devices and marketed towards Italian customers. By analyzing the various components of this type of software, hopefully we can gain a deeper understanding of how these apps operate and develop strategies for detecting and removing it from infected devices.

What is stalkerware?

Stalkerware is a type of malicious software that is designed to track and monitor someone’s digital activity without their knowledge or consent. This type of software is often used by individuals who want to spy on their partners or children, or by employers who want to monitor the activity of their employees. Stalkerware can be used to track a wide range of digital activity, including web searches, geolocation, text messages and chats, photos, voice calls, and more. The use of stalkerware is generally considered unethical and may also be illegal, as it violates the privacy of the targeted individual.

These apps are often distributed as paid services outside of the Google Play Store, as Google’s Developer Program Policy prohibits the distribution of apps that collect and transmit personal or sensitive data from a device without adequate notice or consent (Developer Program Policy: September 16, 2020 announcement).

In this post, we will be focusing on a specific Android sample which was developed for the Italian market, as it was advertised in a website in Italian and the code of the sample contains numerous Italian expressions.

The website

The app is described on the website as a tool for “secretly spying Android phones without being noticed by the owner of the smartphone”. The company behind the app claims to be active in 24 countries around the world, with headquarters in Europe, New Zealand, Brazil, and Canada.

The website of the app includes an End-User License Agreement (EULA) stating that the app should only be installed on devices owned by the user, and it also requires the user to notify any person using a device with the software installed, or any other person with the right to access a monitored account, of the presence of the software.

'End-User License agreement' from the website of the app

‘End-User License Agreement’ from the website of the app. The highlighted section roughly translates to ‘you also agree to notify on the presence of the software any person using a device with the software installed, or any other person with the right to access a monitored account’.

However, according to the company’s website, the most common reason that clients use their stalkerware service is for “relationship cheating” with 40% of respondents citing this as their motivation; 32% of respondents said that they were using the service to monitor their minor children, and 11% cited “personal curiosity, no real reason”.

'Reasons for using the spy app' from the website of the app

‘Reasons for using the spy app’ from the website of the app

The licensing model for this stalkerware app includes a free trial of 3 days, during which users have access to all of the features of the app and the online panel for viewing the data captured from the device. After the free trial expires, users must pay a fee of €22 per month to continue using the service. This fee can be paid via PayPal or credit card, after registering in the admin panel of the website.


The list of features advertised include the ability to extract WhatsApp audios, pictures, and videos, access all media files on the phone, record calls and ambient audio, record the screen, report on notifications received, list installed apps, and track the phone’s location. The website of the app also claims that it is “invisible” to the user of the phone and to many antivirus solutions.

To use this stalkerware app, the user must have physical access to the victim’s phone and enable the installation of “unknown apps” from the Android settings. This process can be a bit tedious for non-experienced users, so the website provides various guides and short videos to help users download and install the app on different Android devices and access the panel to view the stolen information.

Analysis of the sample

The apk sample can be downloaded directly from the website. At time of writing, the sample is not listed in VirusTotal, but we can use a small tool I wrote called apkingo to gather some information on the app:

App name:	X Android Antivirus

* General info
PackageName:	com.vitefa.fosupevilucugo
Version:	1.0
MainActivity:	com.vitefa.fosupevilucugo.MainActivity
MinimumSdk:	22 (Android 5.1)
TargetSdk:	31 (Android 12)

* Hash values
Md5:		67f5f3b3c858453fdc0c901d3f09f985
Sha1:		86504d29d3d5a852e8e37c951c049917a9b11907
Sha256:		5ab4ff9f8028c02cbb0886922142227732cfe3aaec99af1a5af2ddb43b0fb5a8

* Permissions

* Metadata
no metadata found

* Certificate
Serial:		2126353726
Sha1:		f3e17dfdb98b1f7774a16967fd1d84d3d9d59389
Subject:	C=US, O=corudagiruducodi, CN=corudagiruducodi
Issuer:		C=US, O=corudagiruducodi, CN=corudagiruducodi
ValidFrom:	09 Dec 22 13:04 UTC
ValidTo:	23 Sep 96 13:04 UTC

* Play Store
app not found in Play Store

This sample was named like an antivirus app, in order to make the victim think it is safe.

app icon

Icon of this sample

Permissions requested

One tactic commonly used by stalkerware apps is to request a large number of permissions from the user, including access to call logs, contacts, camera, messages, and microphone. This is often done without the user’s knowledge or consent, as stalkerware apps are designed to be installed behind the user’s back.

permissions asked by the stalkerware

List of permissions aked by the stalkerweare

notification access

Notification access requested by the sample

In addition to requesting all these permissions, the sample is abusing Accessibility services and Device administration features of Android. Accessibility services are designed to help users with disabilities interact with their devices, but malicious apps can request access to these services in order to gain additional permissions on a device, such as: read and intercept text messages and notifications, even control the device simulating clicks, drawing over other apps and even reading the screen while other apps are being used. Device administration features, instead, allows IT departments to ensure the security and compliance of their devices by remotely controlling various settings and even remotely locking or wiping the device in case it was stolen. By requesting device administrator privileges, the sample can greatly extend its capabilities (as shown in the screenshot below) and even make it more difficult for the user to remove the app from their device.

abusing device admin
abusing device admin pt2

The stalkerware abusing the ‘Device administration’ feature of Android

Randomly generated package name

The package name of an Android app is used to uniquely identifies the app on the device and in the stores; usually developers choose a package name with a reference to the company developing the app or the product, but in this sample the package name is a bit odd. Downloading multiple samples of the app from the website, it is possible to note that every apk has a different package name and different certificate issuer, and both appear to be randomly generated.

This approach could be used for evading antivirus detections based on the package name and the hash of the apk, as well as for distinguishing between different licenses. The randomly generated package name is specified in the strings.xml file, and here are these sections for two different samples:

<string name="ACCOUNT_TYPE">com.vitefa.fosupevilucugo.sync</string>
<string name="AUTORITY">com.vitefa.fosupevilucugo.sync.StubProvider</string>

<string name="ACCOUNT_TYPE">com.babili.ribisosisubugu.sync</string>
<string name="AUTORITY">com.babili.ribisosisubugu.sync.StubProvider</string>

The strings ACCOUNT_TYPE and AUTORITY are referenced in the code while setting app the account of the service used to send the data to the online panel:

account class definition

Definition of the ‘account’ class using AUTORITY and ACCOUNT_TYPE

Getting the PIN

Right after installing the app, the following message will be shown: “Wait 5 seconds. Some windows may appear asking for authorization, accept and confirm everything. Below is a continuous button. After clicking on it, a numeric PIN will appear. You must enter the numeric PIN in our control panel, see the installation and license activation guides on our site. By clicking the continue button below you declare that you have read and accepted all the conditions on the site.”

post installation message

A screenshot showing part of the post-installation message

The PIN appearing after this prompt must be entered in the control panel to access the data stolen from the device. To retrieve this PIN, the app first attempts to generate a fingerprint of the device by gathering hardware and software information about it, like IMEI number, manufacturer and model, screen resolution, SDK version and build ID:

gathering info on the device

The function getPinFromServer is used to gather information about the device

The information obtained are then used to call the getPin function, which connects to the server, submits all the details gathered, and parses the response from the server to get the PIN associated with the license:

getting the pin

The function getPin is used to retrieve the PIN from the server

pin received

Message displayed afater obatining the PIN (a 9-digit number)

After entering the PIN received into the control panel, we can new send commands to the phone to perform various actions (see screenshot below), listen to phone calls, view media files stolen from the device, and even check the status of the permissions enabled for the stalkerware app.

cmd list

The list of commands available from the control panel: record audio for 6 seconds, 2, 5, 15 and 30 minutes, ask for GPS position, download data, record screen, and take a picture

Extracting and sending media files

One of the major feature provided by the stalkerware app is the extraction of all the media files stored in the device, including pictures and videos from WhatsApp chats. This feature is provided by the extractMedia function, which is designed to access the external and internal storage of the device, and it contains a call to the getMedia function, which searches for media files within the specified directory and its subdirectories:

extracting media files

Content ofextractMedia and getMedia functions

The getMedia function contains a call to getFile, which has the purpose of storing the name of the file found either in mediaWhatsapp or media (depending on where the file was found); both of these are SQL database used to store which files are sent to the server. The function is then used to call FileClientNoDelete on every file.

getFile function

Content of getFile function


Content of FileClientNoDelete and sendFile

The class FileClientNoDelete describes a client which can send a file to the remote server over a socket connection. When an object of FileClientNoDelete is created, it establishes a socket connection with the server at the specified IP address and port, and sets the timeout value of the socket to 15 minutes. Then it calls sendFile, which after writing the file name, the PIN number and the file lenght to the output stream of the socket, sends the specified file to the server by reading the file in 1024-byte chunks and writing them to the output stream until the end of the file is reached.

Screen and audio recording

This sample extends the Android class MediaProjection to capture screen contents and/or record system audio.

The function below is responsible for initializing, preparing, and starting the screen recording: it first retrieves the screen density of the device and initializes and prepares the media recorder by creating a MediaProjectionCallback instance, registering it with the media projection and creating a virtual display for the screen recording using the createVirtualDisplay function. Finally, it starts the media recorder and leave it working for 10 seconds, before stopping it.

screen recording function

Function used to setup recording of the screen

A second class is used to capture audio from the device and record it to a file. The code below shows how the sample does this by creating an instance of AudioRecord and calling its startRecording() method. It then creates a new thread which will run a method called writeAudioDataToFile(), which will be responsible for writing the recorded audio data to a file.

audio recording function

Function used to setup audio recording

Another functionality of the stalkerware app is the recording of WhatsApp calls. The code below is using Android’s accessibility services to identify which app is currently opened on the device, check if a WhatsApp call is happening, and extract the name or the phone number having a call with the victim. The code then checks for a view with the resource name end_call_btn, and if it finds it, it will attempt to record the audio call by using the service rCallVoip.

whatspp call recording

Function used to record WhatsApp calls


Function called when for the service rCallVoip is created

GPS location

The sample is also able to get the device’s current location by using either GPS or the device’s mobile network.

get position of the device

Function used to obtain the position of the device

The function above checks if either GPS or the device’s mobile network is enabled on the device: if one of those is enabled, it starts listening for location updates from the chosen provider. When the device’s location changes, the method onLocationChanged is called to write latitute and longitude coordinates in an XML document:

record device movement

Function called when the position of the device changes

Closing remarks

In conclusion, the android stalkerware app that was analyzed is a concerning and potentially dangerous tool. It has the ability to track a person’s location, access their messaging and call logs, and even record their phone calls without their knowledge or consent. This type of app can be used to stalk and harass individuals, and it raises serious privacy and security concerns. If you read this post and you now suspect there may be stalkerware on your device, refer to this article from the Coalition Against Stalkerware.

Mitre ATT&CK Tactics And Techniques

TA0011 - Command and Control

  • T1071 - Application Layer Protocol (uses HTTPS and performs DNS lookups)
  • T1095 - Non-Application Layer Protocol (performs DNS lookups)
  • T1573 - Encrypted Channel (uses HTTPS)

TA0030 - Defense Evasion

  • T1418 - Software Discovery (queries a list of installed applications)
  • T1447 - Delete Device Data (lists and deletes files in the same context)

TA0031 - Credential Access

  • T1409 - Stored Application Data (queries stored mail and application accounts like Gmail or WhatsApp)
  • T1412 - Capture SMS Messages (monitors incoming SMS)

TA0032 - Discovery

  • T1418 - Software Discovery (queries a list of installed applications)
  • T1421 - System Network Connections Discovery (checks an internet connection is available)
  • T1426 - System Information Discovery (queries the unqiue device ID)
  • T1430 - Location Tracking (queries the phones location)

TA0034 - Impact

  • T1447 - Delete Device Data (lists and deletes files in the same context)
  • T1448 - Carrier Billing Fraud (has permission to send SMS in the background)

TA0035 - Collection

  • T1409 - Stored Application Data (queries stored mail and application accounts like Gmail or WhatsApp)
  • T1412 - Capture SMS Messages (monitors incoming SMS)
  • T1429 - Audio Capture (accesses the audio/media managers and records audio/media)
  • T1430 - Location Tracking (queries the phones location)
  • T1432 - Access Contact List (queries phone contact information)
  • T1433 - Access Call Log (monitors incoming and outgoing Phone calls)
  • T1507 - Network Information Discovery (checks an internet connection is available)

TA0038 - Network Effects

  • T1449 - Exploit SS7 to Redirect Phone Calls/SMS (has permissions to perform, monitor, redirect and/or block calls and to send SMS in the background)


rule italianstalkerware : stalkerware {
        author = "Andrea Palmieri @andpalmier"
	ref = ""
        $s1 = "DataMariaDbSalentoBellaSarda" nocase ascii
        $s2 = "IsScreenOnServiceMarinellaBella" ascii
        $s3 = "preInstallServiceAnacondameritocronicavolenzia" nocase ascii
        $s4 = "ScreenIsOnReceiverMarinellaBella" ascii
        uint16(0) == 0x6564 and 4 of them


u1623673571u.apk	86504d29d3d5a852e8e37c951c049917a9b11907
u187763837u.apk 	19d990ace5e4fd5871265485d2ec4431bba33f28
u555625802u.apk		8fbaa94dfdce19e5484e12bac0ce4cbe56d908d8