Stalkerware Leak: Thousands of Phones at Risk - Data Breach

Data Breach Risk Affects Hundreds of Thousands
The personal phone data of a substantial number of individuals – numbering in the hundreds of thousands – is currently facing potential compromise. Sensitive information such as call logs, text messages, photographs, browsing activity, precise geolocation data, and even call recordings could be extracted from personal devices.
This vulnerability stems from a security flaw present in widely distributed, consumer-level spyware. The developer's identity remains obscured, and repeated attempts to contact them about the issue have been unsuccessful.
Developer Unresponsive to Security Concerns
TechCrunch made numerous attempts to reach the spyware’s creator via all known email addresses, including those not publicly available. However, these efforts to disclose the security issue were met with silence.
The decision not to publicly identify the spyware or its developer is deliberate. Naming them could inadvertently facilitate access to the vulnerable data by malicious actors.
The Rise of Consumer Spyware and "Stalkerware"
This discovery arose during a broader investigation into consumer-grade spyware applications. Often marketed as tools for child monitoring or parental control, these apps are increasingly referred to as “stalkerware” due to their capacity to track and monitor individuals without their knowledge or consent.
These applications operate discreetly, continuously collecting data from a person’s phone. This allows the operator to monitor their location and communications. Many users are unaware their devices have been compromised, as the apps are designed to remain hidden.
Expert Commentary on Negligence
Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation and leader of the Coalition Against Stalkerware, expressed her disappointment, but not surprise, regarding this situation. She stated, “This behavior can reasonably be characterized as negligent.”
Galperin further explained that the company not only produces a product enabling abuse, but also demonstrates a lack of diligence in securing the extracted data, potentially exposing victims to further harm.
Hosting Provider's Lack of Response
TechCrunch also contacted Codero, the web hosting company providing infrastructure for the spyware developer. Unfortunately, Codero did not respond to multiple requests for comment.
Codero has prior experience with hosting stalkerware, having previously taken action against Mobiispy in 2019 after the app exposed thousands of photos and phone recordings.
Galperin noted, “It’s unsurprising that a web host previously accommodating one stalkerware company would continue to host others, especially given their past unresponsiveness.”
Industry Efforts to Combat Spyware
The increasing availability of this easily accessible spyware has spurred industry-wide efforts to combat these applications. Antivirus developers are enhancing their detection capabilities, and Google has prohibited spyware makers from advertising their products as tools for spousal surveillance.
However, some developers are employing new tactics to circumvent Google’s advertising restrictions.
History of Security Breaches in Mobile Spyware
Security vulnerabilities are not uncommon in mobile spyware. Over the past several years, more than a dozen stalkerware developers have been compromised, resulting in data exposure. Affected companies include mSpy, Mobistealth, Flexispy, and Family Orbit.
Previously, KidsGuard experienced a security lapse that exposed the data of thousands of users, and pcTattleTale, marketed for spousal monitoring, leaked screenshots through easily predictable web addresses.
Regulatory Action and Enforcement
Federal regulators are beginning to address this issue. In September, the Federal Trade Commission (FTC) banned SpyFone, a stalkerware app that exposed the data of over 2,000 individuals, and mandated notification of affected users.
The ban follows an earlier FTC enforcement action against Retina-X, which was shut down after multiple security breaches.
Resources for Victims
- National Domestic Violence Hotline: 1-800-799-7233 (24/7 confidential support)
- Emergency: 911
- Coalition Against Stalkerware: Resources for compromised phones
- Contact Reporter: Signal/WhatsApp +1 646-755-8849 or zack.whittaker@techcrunch.com
