A massive 'stalkerware' leak puts the phone data of thousands at risk


The private phone data of hundreds of thousands of people are at risk. Call records, text messages, photos, browsing history, precise geolocations and call recordings can all be pulled from a person's phone because of a security issue in widely used consumer-grade spyware.

But that's about as much as we can tell you. TechCrunch repeatedly emailed the developer, whose identity is well hidden, through all known and non-public email addresses, but lines of inquiry to disclose the issue went cold. We sent emails with open trackers to tell if they had been read, but no luck there either.

Efforts were made to contact the spyware developer because the security and privacy of thousands of people are at risk until the issue is fixed. We can't name the spyware or its developer since it would make it easier for bad actors to access the insecure data.

TechCrunch discovered the security issue as part of a wider investigation into consumer-grade spyware. These apps, often marketed as child tracking or monitoring software, can go by another name - "stalkerware" - for their ability to track and monitor people without their consent. These spyware apps silently and continually siphon the contents of a person's phone, allowing its operator to track a person's whereabouts and who they communicate with. Many will have no idea that their phones are compromised, since these apps are designed to disappear from home screens to avoid detection or deletion.

"I am disappointed but not even slightly surprised," said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation who led the effort to launch the Coalition Against Stalkerware, in a call with TechCrunch. "I think that we could reasonably characterize this kind of behavior as negligent. Not only do we have a company, which is making a product which enables abuse, but they're doing such a poor job of securing the information that's exfiltrated that they are opening the targets of this abuse to even further abuse."

TechCrunch also contacted Codero, the web company that provides hosting for the developer's spyware infrastructure, but Codero did not respond to several requests for comment. Codero is no stranger to hosting stalkerware; the web host "took action" against stalkerware maker Mobiispy in 2019 after it was found spilling thousands of photos and phone recordings.

"I suppose it's no surprise the web host which hosts one stalkerware company would host other stalkerware companies, and they would if they were previously unresponsive, that they would be unresponsive this time around," said Galperin.

The proliferation of this easy-to-obtain spyware prompted an industrywide effort to crack down on these apps. Antivirus makers have worked to improve their ability to detect stalkerware, and Google has also banned spyware makers from promoting their products as a way to spy on a spouse's phone, though some developers are using new tactics to evade Google's ads ban.

Mobile spyware is no stranger to security issues. In the past few years, over a dozen stalkerware makers are known to have been hacked, left data exposed or otherwise compromised the data of people's phones - including mSpy, Mobistealth, Flexispy and Family Orbit. Another stalkerware, KidsGuard, had a security lapse that exposed thousands of people's phone data, and most recently pcTattleTale, which promotes itself as able to spy on a spouse's device, was leaking screenshots by way of easily guessable web addresses.

Federal regulators are starting to take notice. In September, the Federal Trade Commission banned SpyFone, a stalkerware app that also exposed the phone data of more than 2,000 people, and ordered it to notify victims that their phones had been hacked. It's the second action taken by the FTC against a spyware maker; the first was Retina-X, after the company was hacked several times and eventually shut down.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. This reporter can be reached on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

