PayPal Processes Payments for ‘Stalkerware’ Software Sold to Abusive Partners

This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.

As Motherboard has found with multiple sets of hacked data, there is a booming industry for so-called stalkerware; malicious software installed on mobile phones for abusive partners to track their wives, husbands, or ex-spouses. Sometimes, the companies behind this software explicitly market their products for illicit use, such as monitoring someone without their consent, and even use imagery of domestic violence on their websites.

But this industry doesn’t exist in a vacuum. Instead, various tech and financial giants process payments or push adverts to customers for these companies. Now, Motherboard has found that PayPal has been allowing various spyware companies that specifically market to people who want to abusively spy on their spouse to sell its products.

One of those is HelloSpy. HelloSpy’s website includes multiple references to using its malware for catching cheating spouses.

“Up to 90 percent of marital affairs may include the use of a mobile phone or email as a preferred means for communication. Good news is that technology can also be used to detect & reveal infidelity,” the website reads, next to an image of a man holding a woman, her face beaten and bruised.

PayPal closed HelloSpy’s account after Motherboard’s request for comment: “PayPal’s policy is not to allow our platform to be used for the sale of services or products that are marketed for illicit purposes,” a PayPal spokesperson told Motherboard in an email.

HelloSpy requires physical access to a device to install, but once loaded onto a phone, it can sweep up all sorts of information and present it in a web browser for the stalker to scroll through. That includes tracking its GPS location, reading text messages and browsing history, seeing the device’s call history, and even remotely activating the device’s microphone, according to HelloSpy’s website.

Motherboard has spoken to multiple victims of stalkerware, including a woman named Jessica, whose ex-husband installed malware on her phone, intercepted her text messages, and then referenced the messages he had read while sexually assaulting her.

Earlier this week, Motherboard found it was possible to use PayPal to pay for a copy of HelloSpy via the company’s website. At the time of writing, that is no longer possible.

“Things don’t appear to be working at the moment,” is the message from PayPal a user sees when trying to purchase a copy of HelloSpy.

Cindy Southworth, executive vice president and founder of the Safety Net Technology Project at the National Network to End Domestic Violence (NNEDV), told Motherboard in an email, "I applaud PayPal for booting a product that is designed and advertised to commit the crime of stalking and harms countless victims of domestic violence.”

Eva Galperin, director of cybersecurity at campaign group the Electronic Frontier Foundation, and who has worked extensively on how malware is abused in domestic situations, said in an online chat, “I am generally wary of calls for platform censorship, including censorship of financial platforms such as PayPal, but this is clearly a violation of PayPal’s terms of service and they’re welcome to show HelloSpy the door.”

HelloSpy did not respond to a request for comment.

PayPal still processes payments for other consumer spyware companies, however, including those that do cater to the stalker market. One of those is a more established company called FlexiSpy, which Motherboard has previously reported on extensively.

“Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won’t,” FlexiSpy’s website previously read.

While Motherboard was reporting a series of pieces based on hacked FlexiSpy data, the company tried to remove all mentions of monitoring spouses from its website, and focused instead on child and employee monitoring. But the company still advertises some instances of potentially illegal use cases for malware on the company’s site and social media accounts.

Motherboard also asked PayPal for comment about whether it would continue to process payments for FlexiSpy. The spokesperson did not directly address FlexiSpy, and did not respond to a follow-up request for clarification. FlexiSpy’s PayPal service remains active at the time of writing.

PayPal also processes payments for TheTruthSpy and Spy Master Pro, two other malware companies. TheTruthSpy’s website reads, “Although this seems a difficult task using spying application will make it easier than you could ever imagine. The best way to catch a cheating spouse is by spying on his/her smartphone.” Spy Master Pro’s website, meanwhile, says that “with its help, you can track each and every (virtually) activities of your wife’s Smartphone, right from her contact, social engagements to her location. And the best part is that all this will take place secretly without grabbing your spouse’s phone and watching anytime you want to and that too at leisure of your convenience.”

Motherboard did not flag these last two companies to PayPal, but the company’s failure to remove these sorts of companies after years of business shows its platform moderation has holes.

PayPal is not the only internet giant that has indirectly given a platform to stalkerware companies. Researchers have previously criticized Google for allowing customers to pay for advertisements that clearly advocate for illegal and abusive use of consumer spyware.

Until last year, after researchers pointed it out, if you Googled “how to catch a cheating spouse with his cell phone,” or similar keywords, the internet giant would return dozens of ads for apps that help people illegally spy on their partners or children.

“If you wanted to spy on your partner without them knowing, the first thing you’d do is probably Google it, because that's what most people do when they are trying to solve any kind of problem,” New York University researcher Periwinkle Doerfler, one of the authors of perhaps the most exhaustive academic study on the use of these apps, told Motherboard before her research was published last year.

Doerfler set up a script to scrape both Google search and the search feature on the Google Play Store for search terms such as “catch cheating spouse cellphone,” “catch wife cheating,” “catch cheating husband,” and “catch cheating wife,” among others. Over the course of 10 days, she found 7,776 ads for more than 200 spyware apps. Doerfler’s research was first reported in a New York Times investigation.

[A GIF that shows the keywords Google sold ads for, and the total number of ads Doerfler found for each set of keywords. (Image: Motherboard.)]

Since then, and when journalists also found Google pushing stalkerware advertisements, Google appears to have taken the issue much more seriously.

“Though they only blacklisted keywords as far as I know, not any specific advertisers. For a while I was still running the scrape with all 10k+ search terms we had and there were still ads on some of them,” Doerfler told Motherboard this week via email, describing the immediate fallout of the 2018 research.

Google told Motherboard in a statement at the time that "this is a significant new field of research and we're committed to supporting it however possible. We published our own, related study in 2017, "S tories from Survivors: Privacy & Security Practices when Coping with Intimate Partner Abuse,” work which has served as an important resource for our teams as they're developing products.”

“Most recently, we collaborated with the researchers from New York University and Cornell Tech as they conducted their study, removed policy-violating apps and ads that they discovered, and tightened our existing product policies to further restrict the promotion and distribution of the types of apps they highlight in their work. We will be funding more studies like this one going forward,” the company added.

Google added it has expanded its restrictions on adverts around these types of issues, and that adverts for software that are marketed with the intention of spying on someone such as a spouse or girlfriend, are not allowed.

But Google-owned YouTube also hosts a slew of videos that explicitly market stalkerware to those hoping to spy on their spouses. Many of these don’t just include information about the product, but often referral links where those advertising the products for illegal spying can make money from each sale.

In a statement for this article, a Google spokesperson told Motherboard in an email "We have strict policies the govern the kinds of ads we allow on our platform, and ads for products that enable dishonest behavior are a violation of those policies. When we find ads that violate our policies, we remove them. In addition, YouTube's Community Guidelines do not permit videos that encourage dangerous or illegal activities such as hacking."

Update: This piece has been updated to include more comment from Google.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.