Over the last year, Eva Galperin says she's learned the signs: the survivors of domestic abuse who come to her describing how their tormentors seem to know everyone they've called, texted, and even what they discussed in their most private conversations. How their abusers seem to know where they've been and sometimes even turn up at those locations to menace them. How they flaunt photos mysteriously obtained from the victim's phone, sometimes using them for harassment or blackmail. And how none of the usual remedies to suspected hacking—changing passwords, setting up two-factor authentication—seem to help.

The reason those fixes don't work, in these cases, is because the abuser has deeply compromised the victim's phone itself. The stalker doesn't have to be a skilled hacker; they just need easily accessible consumer spyware and an opportunity to install it on their target's device. An entire industry of that so-called spouseware, or stalkerware, has grown in recent years, one that Galperin argues represents a deeply underestimated scourge of digital privacy.

"Full access to someone’s phone is essentially full access to someone’s mind," says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. "The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge."

Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she's calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She'll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn't allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she'll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. "It would be nice to see some of these companies shut down," she says. "It would be nice to see some people go to jail."

Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it's far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing "not a virus" message, as it has for most breeds of stalkerware in the past, Kaspersky's software will now show its users an unmistakeable "privacy alert" for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.

Image caption: Prior to today, Kaspersky flagged stalkerware with the confusing label "not a virus" (left), compared with an unmistakeable "privacy alert" it will now display for the same spyware (right). Credit: Kaspersky

Galperin, who has been working directly with stalkerware victims, sees the Moscow-based firm's move as raising the bar for the entire security industry. Once one company begins to call out consumer spyware as a full-fledged security threat, she argues, competition will drive the other antivirus firms to meet that standard. The result, she hopes, will be a broader remedy to a security industry that has long underestimated stalkerware—often because security researchers don't count spy tools that require full access to a device as "real" hacking, despite domestic abusers in controlling relationships having exactly that sort of physical access to a partner's phone.

"Stalkerware is considered beneath the interest of most security researchers," Galperin says. "Changing norms takes time. But it starts with someone standing up and saying this is not OK, this is not acceptable, this is spying."

A Creepware Crackdown

Within the notoriously shoddy Android antivirus market, the numbers bear out the neglect of stalkerware that Galperin points to: A study last year by researchers at Cornell Tech, New York University, and the University of Washington looked at 70 known Android stalkerware apps and found that antivirus failed to detect a significant portion of those not found in the Google Play Store. Among well-known antivirus products, McAfee antivirus did the best job of those in the study, missing 10 percent of the apps; most others missed 25 to 40 percent. ESET, an otherwise reputable antivirus product, missed 85 percent. Google also allows some surveillance apps—often advertised as for tracking kids or stolen phones—in the Play Store itself; antivirus apps flagged virtually none of them.