Stalkerware Banned from Google Play Store

Google has told app developers to remove from its Play Store stalkerware capable of operating behind the scenes without the user's consent.

The tech giant yesterday issued an update to its Developer Program Policy requiring all apps that track users and send their data to another device to include "adequate notice or consent" and show a "persistent notification" that the actions of the user are being tracked.

While an exception was made for apps used by parents to track their children, Google said that stalkerware was not to be used to track an adult without their consent. 

The update states: "Only policy compliant apps exclusively designed and marketed for parental (including family) monitoring or enterprise management may distribute on the Play Store with tracking and reporting features, provided they fully comply with the requirements described below."

App developers were told that they can no longer present their product as an aid to spying or a secret surveillance solution. Nor can they hide or cloak tracking behavior in an attempt to mislead users about an app's true functionality.

App developers have until October 1 to comply with the directives. 

Google has also said that, starting October 21, it will remove any apps "that engage in coordinated activity to mislead users."

Christoph Hebeisen, director of security intelligence research at Lookout, a California provider of mobile phishing solutions, welcomed Google's new approach to the stalkerware permitted in its app store.

"The use of mobile technology for surveillance in abusive relationships is a disturbing trend. Google's move to curb such apps on Play is a step in the right direction," said Hebeisen.

Lookout already considers any app that doesn't make it clear tracking is taking place to be malicious. Users receive alerts when surveillance-ware that is independent of the stated purpose of the app is deployed. 

Hebeisen said: "We consider such apps malicious if the app doesn't show a persistent notification, hides its icon, masquerades as something other than its true functionality or hides a part of its functionality. We apply this logic no matter if the app has been loaded from an official app store or sideloaded onto the device."
