EFF’s Threat Lab is dedicated to deep-dive investigations that examine technology-enforced power imbalances in society. In 2022 we’ve sharpened our knives and honed our skills in an effort to bring down the stalkerware industry, taken aim at invasive surveillance by police, raised red flags around the security and privacy of daycare apps, developed new tools and techniques for reversing Android malware, and taken part in coalitions to protect the most vulnerable in our society. Our crack team of technologists and researchers issued FOIAs, guided policymakers, pushed back against big tech, and dissected hardware and software to achieve these goals.

Here we highlight some of the achievements that made 2022 such an eventful year for Threat Lab.

Combating Surveillance

Our Atlas of Surveillance project surpassed a major milestone, documenting over 10,000 instances of police tech programs across the US. Shining a light on these programs was bittersweet, reminding us that this transparency also reveals just how expansive and widespread advanced technologies employed by police departments across the country have become. A collaborative effort between EFF and the University of Nevada Reno’s Reynolds School of Journalism crowdsourced thousands of distinct mini-research tasks to students to achieve this milestone.

Cell-site simulators are one such technology employed by law enforcement. Sometimes called “Stingrays,” these devices use a small, mobile transceiver to masquerade as a cellphone tower, tricking phones into connecting to it instead of the legitimate tower, and allowing location tracking and even potentially interception of communications from everyone in a certain area—not just those suspected of a crime. Alongside Threat Lab’s efforts to reveal cell-site simulators (CSSs), dozens of FOIA requests were issued to California police departments in 2018 to reveal the extent of their usage of CSSs. As a result, EFF learned that San Bernardino County law enforcement officials were improperly sealing search warrant records involving the use of CSSs indefinitely. In October, we asked the Supreme Court of California to review the case, arguing that sealing these records in perpetuity violates the public’s right to access court records and effectively prevents the public from raising important questions regarding the scope and overreach of law enforcement use of invasive technologies.

As part of our work combating creepy surveillance tech, we dissected a GPS tracking device that was surreptitiously installed on the car of one of our supporters. Trying to determine whether it was placed there by an auto dealer or as a stalking tool led us to take the device apart and issue commands to it, so we could work out when it had been installed and what information we could get out of it; we had a good bit of fun hacking (literally) on it in the process. In the end, a bit of old-fashioned investigative querying in the form of phone calls got us the answer we were looking for: the GPS device was installed by the auto dealer as part of an agreement with an anti-theft company, an arrangement that may have seen GPS devices unknowingly installed in hundreds of thousands of vehicles.

Fighting Stalkerware

This year, we made significant inroads with policymakers and regulators as part of our work in the Coalition Against Stalkerware. In April, the Maryland legislature unanimously passed a law requiring law enforcement officers to be trained on what stalkerware looks like, a direct result of conversations Threat Lab’s very own Director of Cybersecurity, Eva Galperin, had with state officials. The bill was signed into law in May, making Maryland the first state to take on electronic forms of domestic violence and intimate partner abuse. We hope Maryland is only the first of many states to do so. In response to an investigation led by TechCrunch, which revealed significant security vulnerabilities opened up by a string of stalkerware apps, we urged the Federal Trade Commission to take action to protect victims of this abusive industry by shutting stalkerware apps down.

Last year, Apple addressed the concerning ability of stalkers to use its AirTags to track their victims, releasing an Android app called Tracker Detect. This year, in response to our advocacy as well as numerous testimonies of unwanted tracking, Apple took new steps to shore up its protections against the practice.

Investigating Apps & Malware

Part of our mandate is to be the security team for those who are underrepresented. To that end, we investigated a number of popular apps which monitor the daily behaviors of toddlers in daycare and report these to parents. We found dangerous security and privacy flaws in the way these apps function, and alerted the app makers to the flaws. Unfortunately, little was changed to fix these problems, and in some cases no response was given at all. We raised a red flag to the FTC, asking them to look into the matter and issue regulations addressing the rampant negligence. The letter was subsequently included as part of an open comment period in which the FTC solicited the public for information on industry surveillance, the first stage in the long process of its federal rulemaking to regulate commercial surveillance and lax data security practices.

Threat Lab’s malware analysis team focused its attention on the Android ecosystem this year, investigating a multi-stage class of malware called “tor-hydra” which masquerades as a banking app. The malware uses a number of obfuscation techniques to hide its true functionality: connecting to a C2 server via the Tor network, and adding your device to a botnet controlled by malicious hackers in order to launch attacks. We also continued to work on uncovering Dark Caracal and will have a new report coming out next year; stay tuned.

In addition to investigating instances of Android malware, we also described in detail a technique researchers can use to observe the behavior of the apps they are looking into without the need for a sophisticated multi-device lab setup, including cases where complex real-world interactions (such as unlocking a car door with an app) are being analyzed. We continued building out our Android app (APK) downloader, apkeep, bringing it to more platforms and supporting more app stores for download. One of the stores we now support is Huawei’s App Gallery, a popular source of apps in China, and one we feel will be of particular interest to privacy researchers.

Advancing Freedom of Information

Finally, Threat Lab worked to support ESPLERP, an organization of sex workers and erotic service providers, in their preparation of a report funded by the Rose Foundation about the technologies used to surveil sex workers in California. We've been working with them on their records request strategy, to file records requests across the state, to push back on recalcitrant police agencies, and to interpret the records they've gathered.

Our work focuses on supporting the most vulnerable segments of society with our investigative research and reverse engineering skills and policy recommendations. As we continue to grow our operations, we remain committed to this goal in the coming year and beyond. We hope you will support us as we continue making these groundbreaking strides for the advancement of privacy and security in an ever-increasingly interconnected world.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.