For the first time, the Federal Trade Commission is set to block a US company from selling apps people used to spy on their significant others.
Under a proposed settlement, Florida-based Retina-X Studios will be barred selling three "stalkerware" apps that secretly collected personal details from people's phones, the FTC announced on Tuesday.
The three apps—MobileSpy, PhoneSheriff and TeenShield—were marketed as products to monitor the smartphone activities of children or employees. However, the FTC claims Retina-X made no attempts to ensure the apps were only being used for legitimate purposes.
The subscription-based apps were also quite powerful; once installed, they could collect all the information processed on the smartphone, including chat messages, GPS locations, email and photos—all of which was then sent to Retina-X cloud servers.
In 2017, it was revealed that many Retina-X customers were actually using the apps to spy on their romantic partners after a hacker breached the company's online database and leaked the information stored inside to journalists.
Retina-X previously defended its products as a security solution. But the FTC isn't convinced. Part of the reason is because Retina-X provided instructions to buyers on how to hide the app's icon from a smartphone's home screen, effectively allowing it to run without the smartphone owner knowing about it.
"Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses," FTC Director Andrew Smith said in today's announcement.
"Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product," he added, hinting at further crackdowns.
The commission is also faulting Retina-X for failing to protect customers' data from the vigilante hackers, who struck in 2017 and 2018 by breaching the company's databases, and eventually wiping the stored information.
According to the FTC, Retina-X sold more than 15,000 subscriptions to all three apps. However, the products also allegedly violated US regulations against unfair and deceptive practices, in addition to the Children's Online Privacy Protection Act, for dropping the ball on protecting customer accounts.
Under the proposed settlement, Retina-X can only continue selling its apps if changes are made to ensure they're used only for legitimate purposes. This includes making the app icons visible on smartphones and displaying a clear notice upon opening that the phone is being monitored. In addition, Retina-X must also undergo third-party audits every two years to assess the company's IT security.
However, the company stopped selling its products in 2018 following the hacks. In a statement, Retina-X thanked the FTC "for its professionalism during the course of the investigation."
Stalkerware Installs Continue
The settlement arrives as antivirus companies have been noticing a rise in stalkerware apps from other providers. Earlier this month, Kaspersky Lab reported an annual 35 percent increase in stalkerware installation attempts on Android devices for a total of 37,000 this year.
Symantec, on the other hand, said its Norton Mobile Security app has seen seeing about 2,000 devices infected with stalkerware each month. Whether the apps were there for legitimate purposes like monitoring a child is unknown. But Symantec told PCMag about 32 percent of consumers who have had a stalkerware app flagged to them have chosen to remove it.
If you suspect your phone has a stalkerware app, you can use antivirus apps from Kaspersky Lab, Symantec, and Malwarebytes to help you detect and remove them. The FTC says clues of a stalkerware infection include a phone battery that drains faster than usual, unexpected charges on your phone bill, o trouble turning off your phone.
"Our stance is that stalkerware is a huge problem," Malwarebytes told PCMag earlier this month. "This is because unlike other malware that just steal data/personal information, stalkerware is directly linked to domestic abuse, and physical harm."
The FTC will decide whether to finalize the Retina-X settlement after a 30-day public comment period.
'Donald' cracks the annual worst-passwords list
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
