They’re the sort of capabilities you might ordinarily prescribe to a cybercrime group or law-enforcement agency: intercepting text messages, remotely eavesdropping on phone calls, or sweeping up emails and social-media messages en masse.
But dozens of firms around the world sell powerful mobile-phone spyware to the everyday consumer, and in many cases with the explicit purpose of enabling surveillance on husbands, wives, and lovers.
And though the U.S. Justice Department has convicted people who use this technology as well as those who sell it, Google, through its ad services, has kept on running advertisements for many of the companies that offer it, The Daily Beast has found. After being informed of the issue, Google removed thousands of offending ads, but the news still highlights how Silicon Valley companies are sometimes unwitting accomplices to the sale of illegal technology, and how those same companies often let dubious clients slip through the cracks.
“Spy on wife app [...] invisible mode,” a Google ad from one company read Monday.
With these pieces of malware, an attacker—be that a jealous or suspicious lover or stalker, for example—will need physical access to the target’s mobile phone. Typically, they’ll visit a webpage that hosts the malware and download a specially crafted app, which can keep itself hidden from the user, and that will then collect whatever data from the phone the attacker wants and send it to them in an email or store it in an online account to access later. Software is available for both Android and iPhone devices, but for the latter the phone needs to be jailbroken, which allows the installation of unauthorized apps. With Android phones, the attacker may need to turn off a security setting for similar reasons.
The threat from this software, though, is real: “Spouseware” has a long history with domestic and sexual violence, and even murder. In one recent case, a man allegedly used spyware to monitor his ex-wife’s phone during divorce proceedings. And a 2014 NPR investigation found that three-fourths of 70 surveyed domestic-violence shelters came across victims whose abusers had listened in on conversations using some form of hidden app.
Companies sell this software for anywhere from $20 to a few hundred dollars, depending on how potent its capabilities are and how long the stalker wants to use it. Hundreds of thousands of people have purchased this type of software over the years, judging by a number of data breaches that included customer records.
And, it works: This reporter previously bought a piece of spyware for $170 that, among other things, tracked the phone’s GPS location and siphoned photos taken with the device’s camera. A colleague in New York even sent a text message to the phone in Europe and triggered the device’s microphone and recorded a conversation.
Many of these companies market their products directly to those wanting to spy on their beloved. In 2014, the Justice Department ordered the creator of a piece of consumer malware called StealthGenie to pay a $500,000 fine. A woman was also sentenced to three years of probation for using the software.
According to internal data belonging to one spyware company called FlexiSpy that was acquired by Motherboard, the firm researched search-engine optimization phrases such as “how to catch a cheating spouse,” and “how to know if your husband is cheating.”
These recently discovered ads on Google seem to follow that same sort of marketing strategy. On Monday, typing terms such as “spy on wife’s phone” or “spy app wife,” for example, would sometimes return adverts for related products. These ads would appear prominently on the page, with some being in the first few results.
“#1 Wife Android Spy—Limited Time 50% Off,” another recently uncovered Google ad reads.
Other adverts were less explicit in whether the software could be used to target a spouse; but in the consumer-spyware industry, that sometimes means very little. Even when a company’s website says the software should only be deployed to monitor children or employees—which can be done legally—customer-support reps will often undermine those statements entirely, by admitting that customers can use this on their wife’s phone without permission. In a similar way, although the company linked to the first Google ad makes it very clear on its website that the software should only be used legally, the advert itself markets the product for spying on someone’s wife. The company behind this ad did not respond to a request for comment.
“Thanks for flagging these to us. We strictly prohibit advertising of these kinds of services and have removed these ads. When we find ads that violate our policies, we take immediate action to disable the offending sources,” a Google spokesperson told The Daily Beast in a statement.
These adverts violated Google’s “Enabling Dishonest Behavior” policy, which includes “products or services that enable a user to gain unauthorized access (or make unauthorized changes) to systems, devices, or property.” This would also cover items such as malicious hacking services and radar-jammers, the policy continues. The Daily Beast confirmed that the previously scrutinized search terms no longer return any adverts as of Tuesday.
This response sits in stark contrast to how YouTube, which is owned by Google, handled a similar situation. When Motherboard found that networks of YouTubers were making videos advertising spyware to monitor lovers, and were taking a cut of any referred sales, YouTube reacted with a proverbial shrug, left many of the videos online, and did not provide a statement.