Google has updated the Play Store rules to impose an "official" ban on stalkerware applications, but the company appears to have left a large gap: developers can still upload stalkerware to the Play Store as child monitoring applications.
Stalkerware is a term used to describe applications that track a user's movements, monitor calls, messages, and record the activity of other applications.
Stalkerware, also known as spouseware, is commonly advertised to users as a way to catch cheating partners, watch children when they are away from home, or monitor employees at work.
The main feature of all stalkerware applications, whether intended for use on smartphones or laptops, is that they can be installed and run without the knowledge of the device owner. These applications also run in the background of the operating system.
Over the past decade, the Play Store has hosted hundreds of stalkerware applications.
Google, which has been trying to remove stalkerware applications cited by security researchers, has generally refrained from making public statements on the matter.
However, in an update to its Developer Program Policy today, Google states that all applications that monitor users and send their data to another device must include "consent" and display a "persistent notice" that the user's actions are being monitored by the application.
The new rules, which take effect next month, on October 1, ban stalkerware applications by depriving them of the ability to be installed and to operate undetected on devices. User tracking apps that do not make these changes will not pass the approval process to appear in the Play Store.
But while the new rules seem a step in the right direction, Google has also left a gap that could be abused by stalkerware devs.
According to Google, apps that monitor children can continue to run without asking for the user's consent or displaying a persistent on-screen alert. Adult monitoring applications must include both components, according to the company.
In other words, there is nothing to prevent a stalkerware dev from rebranding their application so that it continues to run smoothly.
In fact, today's announcement is more like an update for all malware developers than a real stalkerware ban, with application developers having almost two weeks to comply with the rules.
This exception for child tracking applications is the same gap Google left in a similar ban it imposed on stalkerware ads in July. A survey by TechCrunch found that the ban on stalkerware ads was never enforced, which raises the question of whether what the company says is actually applied or is more about PR.