A massive ‘stalkerware’ leak puts the phone data of thousands at risk

The private phone data of hundreds of thousands of people are at risk. Call records, text messages, photos, browsing history, precise geolocations and call recordings can all be pulled from a person’s phone because of a security issue in widely used consumer-grade spyware.

But that’s about as much as we can tell you. TechCrunch repeatedly emailed the developer, whose identity is well hidden, through all known and non-public email addresses, but lines of inquiry to disclose the issue went cold. We sent emails with open trackers to tell if they had been read, but no luck there either.

Efforts were made to contact the spyware developer because the security and privacy of thousands of people are at risk until the issue is fixed. We can’t name the spyware or its developer since it would make it easier for bad actors to access the insecure data.

TechCrunch discovered the security issue as part of a wider investigation into consumer-grade spyware. These apps, often marketed as child tracking or monitoring software, can go by another name — “stalkerware” — for their ability to track and monitor people without their consent. These spyware apps silently and continually siphon the contents of a person’s phone, allowing its operator to track a person’s whereabouts and who they communicate with. Many will have no idea that their phones are compromised, since these apps are designed to disappear from home screens to avoid detection or deletion.

“I am disappointed but not even slightly surprised,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation who led the effort to launch the Coalition Against Stalkerware, in a call with TechCrunch. “I think that we could reasonably characterize this kind of behavior as negligent. Not only do we have a company, which is making a product which enables abuse, but they’re doing such a poor job of securing the information that’s exfiltrated that they are opening the targets of this abuse to even further abuse.”

TechCrunch also contacted Codero, the web company that provides hosting for the developer’s spyware infrastructure, but Codero did not respond to several requests for comment. Codero is no stranger to hosting stalkerware; the web host “took action” against stalkerware maker Mobiispy in 2019 after it was found spilling thousands of photos and phone recordings.

“I suppose it’s no surprise the web host which hosts one stalkerware company would host other stalkerware companies, and they would if they were previously unresponsive, that they would be unresponsive this time around,” said Galperin.

The proliferation of this easy-to-obtain spyware prompted an industrywide effort to crack down on these apps. Antivirus makers have worked to improve their ability to detect stalkerware, and Google has also banned spyware makers from promoting their products as a way to spy on a spouse’s phone, though some developers are using new tactics to evade Google’s ads ban.

Mobile spyware is no stranger to security issues. In the past few years, over a dozen stalkerware makers are known to have been hacked, left data exposed or otherwise compromised the data of people’s phones — including mSpy, Mobistealth, Flexispy and Family Orbit. Another stalkerware, KidsGuard, had a security lapse that exposed thousands of people’s phone data, and most recently pcTattleTale, which promotes itself as able to spy on a spouse’s device, was leaking screenshots by way of easily guessable web addresses.

Federal regulators are starting to take notice. In September, the Federal Trade Commission banned SpyFone, a stalkerware app that also exposed the phone data of more than 2,000 people, and was ordered to notify victims that their phones had been hacked. It’s the second action taken by the FTC against a spyware maker; the first was Retina-X, after the company was hacked several times and eventually shut down.