Private messages, voicemails, internet browsing, passwords and location data—this is the type of private phone data that is being monitored in real time, unbeknownst to hundreds of thousands of people around the world being tracked by consumer-grade spyware.
There is a massive network of stalkerware apps that is harvesting the private data of at least 400,000 people through consumer-grade spyware apps that share a major security flaw, according to TechCrunch security editor Zack Whittaker’s report this week.
The stalkerware app network investigated by TechCrunch presents itself as a collection of white-label Android spyware apps that each have custom branding and identical websites claiming U.S. corporate ownership, but are, according to TechCrunch’s investigation, really controlled by a Vietnam-based company called 1Byte.
Dubbed “stalkerware” for its ability to track and monitor people without their consent, consumer-grade spyware can be easily installed by anyone with just a few moments of access to the target device. They are often marketed as child-tracking apps or apps for monitoring employees, but are commonly used by domestic abusers who spy on their ex- or current partners. TechCrunch has led several investigations into the spyware industry to open the public’s eye into how they are used for immoral purposes by both app creators and users.
In his latest TechCrunch report, Whittaker wrote that an entire fleet of Android spyware apps, nine that have been identified so far, share a security vulnerability that allows “near-unfettered remote access to a device’s data.” The vulnerability Whittaker identifies stems from a class of bug known as an insecure direct object reference (IDOR), a common web application flaw that exposes files or data on a server due to inadequate security controls.
Whittaker said his efforts to notify the app makers and Codero, the company that hosts the spyware on the back end, have been unsuccessful, making it pertinent that victims are aware.
“With no expectation that the vulnerability will be fixed any time soon, TechCrunch is now revealing more about the spyware apps and the operation so that owners of compromised devices can uninstall the spyware themselves, if it’s safe to do so,” Whittaker wrote.
CERT/CC, the vulnerability disclosure center at Carnegie Mellon University’s Software Engineering Institute, has published a vulnerability note about the issue.
TechCrunch identified the compromised apps, which are practically identical in look and operation, as Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy.
TechCrunch created an explainer on how to detect and remove these apps from your device if it’s been compromised. TechCrunch warns that removing stalkerware will likely alert the person who planted it, which could create an unsafe situation, so make sure you have a safety plan in place. Visit the Coalition Against Stalkerware for tips on creating a safety plan and other resources.
As leaders in the campaign to stop stalkerware, EFF urges the Federal Trade Commission to launch an investigation of 1Byte and its network of stalkerware apps to protect the potential targets of stalkers and domestic abusers, as they have done in similar cases.The FTC last year banned the Android app company Support King and its CEO Scott Zuckerman from the surveillance business for its stalkerware app SpyFone. The first outright ban of a stalkerware company, the FTC’s case against Support King happened two years after EFF and its Director of Cybersecurity Eva Galperin launched the Coalition Against Stalkerware to combat and shut down malicious stalkerware apps. Previously, the FTC’s strongest action against a stalkerware developer involved a 2019 settlement that stopped Retina-X from distributing its mobile apps until it could ensure its apps were only being used for “legitimate purposes.” Installing hidden spyware on another person’s device to covertly monitor their communications may violate a variety of laws, including the Computer Fraud and Abuse Act (CFAA), wiretapping statutes, and anti-stalking laws.
Stalkerware is, in and of itself, a dangerous tool for tech-enabled abuse. Insecure stalkerware is doubly dangerous because it leaves victims vulnerable to an entirely new range of abusers. Companies such as 1Byte have little incentive to create secure stalkerware when they can always reskin their product and sell it under another name. Research such as Whittaker’s is essential for keeping users safe from their abusers and from opportunistic hackers, but it must be followed by action from FTC.