The TinyCheck project, developed by security researcher Félix Aimé, aims to make it easier to detect spyware on smartphones using dedicated software running on a Raspberry Pi.
Stalkerware: the term may not be obvious, even to those familiar with computer security. It refers to a category of spyware, often sold freely but blithely flirting with the limits of the law, which can be used to monitor the online activity of a third party without their knowledge, often a spouse or family member. The problem is not new: in France, the Fireworld affair helped to shed light on this software, which is generally sold freely with the promise to its users that their use is legal. In fact, the legislation governing these tools is a gray area: as Le Monde explained, French law aims above all to regulate physical surveillance devices and therefore does not rule on their software equivalents. And although Fireworld has shut up shop, a plethora of competitors, sometimes based abroad, offer similar solutions.
Not a simple antivirus
Kaspersky is one of the antivirus vendors involved in the Coalition Against Stalkerware, an organization that brings together several antivirus software vendors and associations fighting the proliferation of this semi-legal spyware. In this context, Félix Aimé, a researcher in Kaspersky's GReAT team, developed the TinyCheck project: "The idea came from a meeting with the Hubertine Auclert center, whose members explained to us that they had neither the time nor the skills to detect software of this type in their support of victims of domestic violence. So I had the idea of developing this kind of kiosk, which can detect stalkerware active on a person's device."
The TinyCheck project takes the form of software under a free license for a Raspberry Pi. Once connected and configured, the Raspberry Pi creates a dedicated Wi-Fi network, to which you connect the phone you want to analyze. "The software then takes care of analyzing the network communications live, and seeks to detect the presence of active stalkerware on the device," explains Félix Aimé. The solution is completely platform-agnostic and works just as well with an Android smartphone as with an iOS device or other connected devices.
The software does not analyze the content of the device for potential malware; it analyzes the network communications to services identified as part of the stalkerware list. "We have our own list of indicators of compromise which comes from researchers who have worked on the subject and from our own research," says Félix Aimé. TinyCheck can also conduct behavioral analyses to detect possible spyware that is not listed in its database of indicators of compromise, but still without interacting directly with the files on the device: that was one of the constraints of the project. A classic antivirus, running on the device, could disable or block the monitoring software, but this fairly standard antivirus behavior can cause problems for the person being monitored, for example in a case of marital harassment. "The objective was to offer a detection solution that is not invasive," explains Félix Aimé.
Once the analysis has been carried out, the user can retrieve a report indicating the presence or absence of stalkerware on their device, with more or less precision as needed. "The idea is to provide this type of device to associations which assist victims of domestic violence in order to help them identify the presence of this type of software on the victims' devices," explains Félix Aimé. The data can then be used in the context of a possible complaint or for police investigations. For now, the project is still in the experimentation and testing phase with interested associations, who would like a tool that is easier to use for people who are not necessarily comfortable with the technology. Kaspersky does not currently plan to market the tool, but the project is stable and can be deployed by anyone interested in testing it. The TinyCheck software is offered under a free license on GitHub and is open to contributions. Félix Aimé is currently the main maintainer.
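The indicator-matching step described above (comparing the names a phone contacts with a list of indicators of compromise, without touching the phone itself) can be sketched as follows. This is an added example, not TinyCheck's own code: the indicator domains, the log format and all function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed indicator list (assumption); real lists come from researchers.
IOC_DOMAINS = {"tracker-panel.example", "sync.spy-vendor.example"}

# Constructed DNS query summary from the analysis network: "epoch-seconds name"
SAMPLE_QUERIES = """\
1606210001 time.vendor-cloud.example.
1606210004 API.Tracker-Panel.example.
1606210009 nottracker-panel.example
1606210064 api.tracker-panel.example
1606210070 sync.spy-vendor.example
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def matched_indicator(name, indicators):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # compare on label boundaries only
        if candidate in indicators:
            return candidate
    return None

def build_report(query_log, indicators):
    """Summarise indicator hits: count, first time seen, exact names queried."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "names": set()})
    for line in query_log.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip malformed lines instead of aborting the analysis
        ts, name = int(parts[0]), parts[1]
        ioc = matched_indicator(name, indicators)
        if ioc is None:
            continue
        entry = hits[ioc]
        entry["count"] += 1
        entry["names"].add(normalize(name))
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
    return dict(hits)

if __name__ == "__main__":
    for ioc, info in sorted(build_report(SAMPLE_QUERIES, IOC_DOMAINS).items()):
        print(ioc, info["count"], info["first_seen"], sorted(info["names"]))
```

Matching on label boundaries is what keeps `nottracker-panel.example` from being reported as a hit for `tracker-panel.example`, which a plain suffix comparison would get wrong.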
From stalkerware to spyware, there is only one step
Kaspersky has been involved since 2019, alongside other antivirus software publishers and associations, in the fight against stalkerware. The difference between this spyware and traditional malware is sometimes tiny, as Arnaud Deschoux, head of public affairs at Kaspersky, explains: "This is software that is generally sold legally, and publishers specify that only its use without the consent of the victim is illegal. Usually, it is installed manually by someone with physical access to the device, often without the user's knowledge."
Here there are no vulnerabilities, no phishing and no malicious attachments, just a loved one or a spouse who takes advantage of a moment of inattention to install spyware on their target's device. "We are also looking to develop this type of tool for our antivirus products, which already detect most of the identified stalkerware, but we are considering offering prevention messages in order to better inform the victims of this type of threat," explains Arnaud Deschoux. It is a development that could put a spoke in the wheels of stalkerware publishers, but they have not been particularly vocal: "So far, we have had no feedback from any publisher contesting our action," explains Arnaud Deschoux.