
Introduction

SpyCheck detects spyware and stalkerware using passive network traffic analysis. It runs on a computer or laptop and creates a Wi-Fi hotspot or shared Ethernet connection, which the inspected device connects to. It scans the network traffic for known spyware domains and IP addresses, and for other unusual behavior. SpyCheck aims to be a successor to TinyCheck and SpyGuard. See the source code repository and README for more technical information.

Requirements

SpyCheck runs on Linux computers with NetworkManager, which most Linux distributions use nowadays. SpyCheck requires an unused network interface, e.g. an additional Wi-Fi module.

Limitations

  • SpyCheck detects known spyware which sends network traffic regularly.
  • SpyCheck may detect spyware based on network traffic anomalies or the amount of data uploaded.
  • SpyCheck may not detect unknown, targeted, or low-profile spyware which transmits data only rarely.
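
The checks described above (indicator matching on domains and IP addresses, plus an upload-volume heuristic) can be sketched as follows. This is an added example, not SpyCheck's own code; the indicator values, the threshold and the event format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed indicators (reserved example names and ranges, not real infrastructure).
BAD_DOMAINS = {"tracker.example", "c2.stalkerware.invalid"}
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]
UPLOAD_LIMIT = 5_000_000  # assumed per-destination threshold, in bytes

# Constructed observations from the hotspot interface: (kind, value, bytes_uploaded)
EVENTS = [
    ("dns", "api.tracker.example.", 0),   # subdomain of a listed domain
    ("dns", "nottracker.example", 0),     # look-alike, must not match
    ("flow", "203.0.113.7", 1_200),       # inside a listed network
    ("flow", "198.51.100.20", 4_000_000),
    ("flow", "198.51.100.20", 3_000_000), # cumulative upload exceeds the limit
    ("flow", "192.0.2.9", 900),           # unknown, low volume: goes unnoticed
]

def domain_matches(name, indicators):
    """True if name equals an indicator or is a subdomain of one."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def analyse(events):
    """Return a list of (finding_type, value) tuples for the given events."""
    findings, uploaded = [], defaultdict(int)
    for kind, value, nbytes in events:
        if kind == "dns" and domain_matches(value, BAD_DOMAINS):
            findings.append(("known-domain", value))
        elif kind == "flow":
            addr = ipaddress.ip_address(value)
            if any(addr in net for net in BAD_NETS):
                findings.append(("known-ip", value))
            uploaded[value] += nbytes
    for dest, total in uploaded.items():
        if total > UPLOAD_LIMIT:
            findings.append(("high-upload", dest))
    return findings

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The last flow is not flagged: traffic to an unlisted destination below the volume threshold is the low-profile case named in the limitations.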

Smartphone analysis best practices

  • Do the interception in a public place (library, restaurant, train station...) or common place (office, home...).
  • Intercept the network communications of the device for at least 15 minutes.
  • Interact with the analysed device during the interception (reboot it, take a photo, send an SMS...).

SpyGuard (Apache-2.0 license)


German Federal Ministry of Research, Technology and Space Prototype Fund