It’s a surveillance software that can spy on the texts, calls, location, and social media of romantic partners without their consent. But in an unprecedented move, the Federal Trade Commission announced Wednesday that it was banning the maker of the stalkerware, SpyFone.
The FTC also banned the CEO of the company, Scott Zuckerman, from the surveillance business over allegations that he and his company have been running “brazen” invasions of Americans’ privacy for years.
SpyFone’s products, which have been on sale since 2018, give stalkers near-total visibility into victims’ every move on their phones, according to the FTC. The products, which range from $99.95 per year to a more premium version that costs nearly $500 annually, are capable of tracking victims’ text messages, call history, live GPS location, emails, keystrokes, video chats, notifications, contacts, pictures, calendars, files, and social media, according to the FTC complaint obtained by The Daily Beast. Some of SpyFone’s products can also give abusers the ability to remotely take pictures, record calls, and record audio through the victim’s microphone as well.
"SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information," said Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection. "The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."
As the FTC noted, what made SpyFone particularly invasive—beyond its powerful monitoring capabilities—was that it lurked on the phones without showing an icon on a victim’s phone.
The move to ban the stalkerware comes amid renewed calls for law enforcement and world leaders to scrutinize surveillance software developers—and to whom they sell products. Following the publication of a report that detailed how victims could have been hit with surveillance software made by Israeli spyware company NSO Group last month, world leaders and policymakers around the globe have begun to place spyware companies—particularly NSO Group—under a microscope.
Although NSO Group and stalkerware applications generally vary in how they gain access to phones, their end result is the same: They leave victims incredibly vulnerable to unwanted monitoring, raising questions about the lackadaisical oversight surrounding their sale, use, and distribution.
“They are in many ways just as powerful,” the Electronic Frontier Foundation’s director of cybersecurity, Eva Galperin, told The Daily Beast, referring to NSO Group’s and SpyFone’s products. “Both products once installed will get you keystrokes, microphone, camera, access to passwords, all kinds of things like that. Once you are on the phone you are on the phone.”
In some cases, for domestic violence victims, when an abuser can trace their every move, escaping unsafe situations can become near impossible or extremely dangerous. Banning SpyFone could help survivors of domestic abuse move closer to escaping unsafe situations in the coming days, the Coalition Against Stalkerware, a group of security researchers and anti-domestic violence advocates, told The Daily Beast.
In addition to getting barred, the FTC is forcing SpyFone and Zuckerman to delete all the sensitive data that the company stole from unsuspecting targets and notify all victims that were targeted.
The move is welcome news for advocates against intimate partner abuse and for cybersecurity researchers—the U.S. government historically hasn’t taken much action against those who create and distribute stalkerware.
“The FTC ban on SpyFone's surveillance work is a significant victory for survivors and an exciting step forward in addressing technology abuse and the importance of privacy for survivors,” Erica Olsen, the safety net director for National Network to End Domestic Violence (NNEDV), told The Daily Beast. “The more these products can be removed from the market in the first place, the better.”
SpyFone’s case is just the second case the FTC has made against stalkerware applications. The FTC brought its first case against just one other maker, Retina-X, in 2019. In that case, the FTC said it was blocking Retina-X and its apps—except in cases where it was used for “legitimate” reasons.
Stalkerware makers typically market their applications as a way for employers or parents to monitor their employees’ or children’s phones—when in reality, they are used for monitoring romantic partners, and exerting control in relationships, researchers note.
Part of the difficulty in taking action against stalkerware is that the developers constantly rename their products and companies to avoid getting caught, making the FTC’s decision to ban a particular individual from the surveillance scene particularly important, Galperin said.
SpyFone—as many other stalkerware businesses have—switched its name to “Support King” in recent years, according to the FTC.
“Holding the CEO responsible is an extremely important tactic precisely because the companies change and their names change and they change the names of their product all the time. But the actors remain largely the same,” Galperin said.
Support King did not return a call requesting comment for this story. An attorney who represented Zuckerman in FTC documents told The Daily Beast in a statement that working with the FTC on this settlement was a business decision.
“SpyFone was marketed to parents and employers and not a single incident of customer misuse of the product has been identified,” Alexandra Megaris said. “The company [voluntarily] discontinued marketing SpyFone in 2019; it never had more than 3,000 U.S. subscribers. At the end of the day, entering into this settlement was the right business decision.”
In the coming days, every victim who was targeted with SpyFone malware will be notified by Zuckerman and SpyFone, if the FTC order is followed, which will leave a significant number of people who have been abused by their partners in the lurch and finding out, possibly for the first time, that they’ve been secretly monitored.
It’s unclear how many people have fallen prey to SpyFone’s surveillance since 2018. On average, SpyFone stalkerware is detected 42 times each month, according to data security researchers at Malwarebytes shared with The Daily Beast.
For those who may be getting a surprise notification, Galperin cautioned sometimes it’s not safe to immediately remove the stalkerware, as this can escalate abuse and lead to violence if abusers find out the jig is up.
“It is really tempting to think that the moment you discover that stalkerware is installed on your device that the right thing to do is delete it,” Galperin told The Daily Beast. “But the dynamics of abuse are tricky. And sometimes if you delete the stalkerware or you let the abuser know that you know you’re being spied on in some way, or you limit their access, it can sometimes lead them to escalate their abuse and put the survivor into even more danger.”
Although the SpyFone case is a win for security researchers and domestic abuse survivors’ advocates, there are several other stalkerware applications that have been used more frequently in 2021 when compared with SpyFone’s products, according to data from Malwarebytes.
"I imagine this is not the last time we’ll be hearing from the FTC on this matter,” Galperin said. “They have taken action before and I am pleased they are taking action now—but there are so many companies left.”