A massive 'stalkerware' leak puts the phone data of thousands at risk


The private phone data of hundreds of thousands of people are at risk. Call records, text messages, photos, browsing history, precise geolocations and call recordings can all be pulled from a person's phone because of a security issue in widely used consumer-grade spyware.

But that's about as much as we can tell you. TechCrunch repeatedly emailed the developer, whose identity is well hidden, through all known and non-public email addresses, but lines of inquiry to disclose the issue went cold. We sent emails with open trackers to tell if they had been read, but no luck there either.

Efforts were made to contact the spyware developer because the security and privacy of thousands of people are at risk until the issue is fixed. We can't name the spyware or its developer since it would make it easier for bad actors to access the insecure data.

TechCrunch discovered the security issue as part of a wider investigation into consumer-grade spyware. These apps, often marketed as child tracking or monitoring software, can go by another name - "stalkerware" - for their ability to track and monitor people without their consent. These spyware apps silently and continually siphon the contents of a person's phone, allowing its operator to track a person's whereabouts and who they communicate with. Many will have no idea that their phones are compromised, since these apps are designed to disappear from home screens to avoid detection or deletion.

"I am disappointed but not even slightly surprised," said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation who led the effort to launch the Coalition Against Stalkerware, in a call with TechCrunch. "I think that we could reasonably characterize this kind of behavior as negligent. Not only do we have a company, which is making a product which enables abuse, but they're doing such a poor job of securing the information that's exfiltrated that they are opening the targets of this abuse to even further abuse."

TechCrunch also contacted Codero, the web company that provides hosting for the developer's spyware infrastructure, but Codero did not respond to several requests for comment. Codero is no stranger to hosting stalkerware; the web host "took action" against stalkerware maker Mobiispy in 2019 after it was found spilling thousands of photos and phone recordings.

"I suppose it's no surprise the web host which hosts one stalkerware company would host other stalkerware companies, and they would if they were previously unresponsive, that they would be unresponsive this time around," said Galperin.

The proliferation of this easy-to-obtain spyware prompted an industrywide effort to crack down on these apps. Antivirus makers have worked to improve their ability to detect stalkerware, and Google has also banned spyware makers from promoting their products as a way to spy on a spouse's phone, though some developers are using new tactics to evade Google's ads ban.

Mobile spyware is no stranger to security issues. In the past few years, over a dozen stalkerware makers are known to have been hacked, left data exposed or otherwise compromised the data of people's phones - including mSpy, Mobistealth, Flexispy and Family Orbit. Another stalkerware, KidsGuard, had a security lapse that exposed thousands of people's phone data, and most recently pcTattleTale, which promotes itself as able to spy on a spouse's device, was leaking screenshots by way of easily guessable web addresses.

Federal regulators are starting to take notice. In September, the Federal Trade Commission banned SpyFone, a stalkerware app that also exposed the phone data of more than 2,000 people, and ordered it to notify victims that their phones had been hacked. It's the second action taken by the FTC against a spyware maker; the first was against Retina-X, after the company was hacked several times and eventually shut down.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. This reporter can be reached on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

