PayPal is Handling Stalkerware Blood Money

Various shady companies enable and actively encourage domestic abusers to illegally spy on those closest to them, PayPal and other payment processors must stop being complicit by handling their subscription fees.

Cian Heasley
5 min readJun 8, 2019

In 2011 Lisa Harnum was murdered, thrown from the 15th floor balcony of her Sydney apartment by her boyfriend, Simon Gittany. What Lisa didn’t know was that Gittany had installed “MobiStealth”, a hidden surveillance app referred to as “stalkerware”, on her phone and was able to read all of her private communications. As Rachel Olding wrote in 2014, Lisa was killed “when Gittany learned of Ms Harnum’s plan to escape the abusive relationship”.

The company that sold Gittany the app that enabled him to spy on Lisa, “MobiStealth”, is still very much in business today and advertises its product with the rather chilling tagline “care for your loved ones without pushing them away”.

How does MobiStealth take payments for their services?

A screenshot of MobiStealth’s app subscription payment page.

Watching the watchers

I have been studying the phenomenon of stalkerware for months now, I recently presented on the subject at a security conference and maintain a resource that details some of my research for others interested in the topic.

I have been able to pinpoint the location of some of these companies, identify the developers and people behind the marketing and have examined the code of the applications themselves.

Stalkerware developer “Hellospy” explicitly markets to domestic abusers.

Earlier this year I found a directory hosted by a stalkerware company that contained around 95,000 images and tens of thousands of audio recordings from victim’s phones that was left sitting on the web for anyone to stumble across. Among those images were photos of women with bruises, cuts and black eyes, screenshots of conversations about violent confrontations and a screenshot of someone in the US calling child protective services.

These images were harrowing, thinking about them as I am writing this I still feel a small but powerful echo of the sadness and anger I felt when I found them. Those emotions have stayed with me.

It was then that I realized that I had made the transition from being a researcher examining a problem to an activist, determined to solve this problem by destroying this industry and putting the people profiting off of this misery out of business.

It is all about the money

Joseph Cox and Lorenzo Franceschi-Bicchierai have written extensively about stalkerware for Vice’s “Motherboard”, I honestly cannot recommend reading their reporting enough. One article in particular though stands out for me, and it is because I think their insights are absolutely correct.

“The booming industry of spyware to spy on romantic partners doesn’t exist in a vacuum: Companies need financial and tech giants to process their payments and advertise their wares.”

The quote above is from an article they wrote entitled “PayPal Processes Payments for ‘Stalkerware’ Software Sold to Abusive Partners”, and you should read it. In the article they state that “Motherboard has found that PayPal has been allowing various spyware companies that specifically market to people who want to abusively spy on their spouse to sell its products” and once again they are absolutely correct.

I undertook a survey (the first of its kind I think) of 23 stalkerware companies that are among the more egregious offenders when it comes to explicitly marketing to jealous and paranoid spouses, companies openly advocating illegal hacking of phones and covert surveillance and using imagery evocative of domestic violence. You can see the result of this survey below.

23 stalkerware companies and their methods of receiving online payments.

It is not difficult to see a trend here. Out of 23 companies that I surveyed 16 use PayPal to take cash from subscribers.

PayPal has taken action to close accounts associated with far right figures in the past, blocked sex workers from using their services and recently stopped a controversial militia group from accepting donations by permanently closing their account. Why the inaction in regards to stalkerware?

PayPal’s own terms of service state that it is forbidden to use their services to “facilitate any viruses, trojan horses, worms or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or Information”.

Mobistealth’s FAQ states that “you can select the option to hide app icon during installation so that it becomes invisible on the device” and elsewhere on their site they say that you can “monitor all incoming and outgoing text messages and call details using Mobistealth”.

For PayPal, closing Mobistealth’s account and blocking their parent company permanently should be a no brainer. All of the companies I listed above clearly violate PayPal’s terms of service.

Solutions to a serious problem

There has been only one conviction of a CEO of a company that sells stalkerware, in 2014 Hammad Akbar pleaded guilty to the charge of of sale of an interception device and advertisement of a known interception device.

As there have been no arrests or convictions of developers of these apps since, they are currently operating in a legal grey area in which they can profit from the sale of this software with little risk of consequences.

In allowing their service to be used to accept subscription money from would be stalkers PayPal is adding a veneer of legitimacy to a transaction that consumers might otherwise balk at, sending money to a shady online business to facilitate an overtly criminal act.

People trust PayPal, they are familiar with the company and trust that their transactions will be secure and that their money will be safe.

If PayPal will stop allowing stalkerware developers to use their service they will most likely move to other payment services, this is hard to dispute. These other services though are more likely to also block stalkerware apps if a company the size of PayPal, a market dominator, has already led the way.

There are no simple solutions to tech enabled abuse, serious problems require action however, we need tech companies to take this issue seriously.

If the companies behind these apps are forced to use progressively smaller and more obscure services to take payments consumer trust will wane accordingly. If they are eventually forced to fall back on using cryptocurrency then I predict that many potential customers will be unable or unwilling to meet the technical requirements necessary to transfer funds for subscriptions.

There are no simple solutions to tech enabled abuse, serious problems require action however, we need tech companies to take this issue seriously.

You can find me on Twitter: @nscrutables.



Cian Heasley

I work in infosec and live in Scotland, I am fascinated by computer security, privacy and the intersection of the internet, technology and human rights.