Remix.run Logo
lewiscollard a day ago

> The article mentions that an abuser could put spyware on your phone? Is that a realistic scenario?

Yes, stalkerware is an entire genre of software and it is designed for exactly this purpose.

How “stalkerware” apps are letting abusive partners spy on their victims https://www.technologyreview.com/2019/07/10/134249/stalkerwa...

The Abuser in Your Pocket: How Stalkerware Threatens Women’s Privacy https://safeescape.org/stalkerware-threatens-womens-privacy/

'I thought I'd been microchipped': How abusers spy on partners with 'parental control' apps https://news.sky.com/story/i-thought-id-been-microchipped-ho...

A web search for the term will turn up many more results. Graphene OS's hardening against exploits, compared to the abysmal record of Android vendors, gives much better odds against any of these apps being able to run with elevated privileges, which means Android's sandboxing is effective.

(Happy Graphene OS user of many years here.)

palata a day ago | parent [-]

Happy GrapheneOS user here as well, but...

I am having a hard time believing your first link, which says:

> In Anna’s case, stalkerware was disguised as a picture message, sent to her by the man she was dating (let’s call him David), just a few weeks after they met. She was then under constant surveillance for about two years

That sounds like an NSO-level attack, right? I doubt abusers routinely pull that out?!

I totally get the problem that "the abuser knows the iCloud password and can use the FindMyPhone feature to track the victim", or "the abuser convinced the victim to install an app that would track the victim without their consent". But I am genuinely wondering how much GrapheneOS protects against that.

grapheneos a day ago | parent | next [-]

> That sounds like an NSO-level attack, right?

There are many tiers of far easier remote attacks far easier than exploiting an up-to-date iPhone through iMessage of WhatsApp. It doesn't mean that's what happened but it's often not something that's extremely difficult. Many people use phones with years of missing security patches. It's getting increasingly easy to exploit those in the age of LLMs.

Regardless, it sounds more like a social engineering attack tricking someone into installing an invasive app and granting invasive permissions to it.

> I doubt abusers routinely pull that out?!

They do regularly use social engineering to trick their partners into setting up stalkerware or permitting it to be installed. Getting a new phone and accounts is a very helpful for people who are victims of it. They've often given access to their accounts and devices without knowing how to fully get rid of it. Reclaiming the existing devices and accounts is far easier if they have a clean one to start from where they can get technical help. It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.

palata a day ago | parent [-]

> Many people use phones with years of missing security patches

Right, yeah that's actually a good reason to use GrapheneOS.

> It doesn't specifically need to be a GrapheneOS device, but it's a good choice in general and doesn't require being technically savvy to use or even install it.

I totally agree here. Very good choice, and I would argue that a "normal" person wouldn't make the difference between GrapheneOS with sandbox Play Services and stock Android. Installing may be intimidating, even though the GrapheneOS installer is extremely impressive (it just works and doesn't require any knowledge). Still normies tend to get intimidated just from the idea of reinstalling their system :-).

watwut a day ago | parent | prev [-]

> That sounds like an NSO-level attack, right?

Not really, these are available to any script kiddy as long as unpatched phones and software exists. It takes some initial effort to find them out, but that is it.

And I remember similar attacks floating around few years ago even outside domestic violence situation.