
TruthSpy Spyware Security Flaw: Victims at Risk

August 25, 2025

Critical Security Flaw Discovered in Stalkerware App TheTruthSpy

A developer of stalkerware, previously impacted by numerous data leaks and security breaches, is now facing a critical vulnerability. This flaw permits unauthorized access to user accounts and the potential theft of sensitive personal information, as confirmed by TechCrunch.

Swarang Wade, an independent security researcher, identified the vulnerability. It enables anyone to initiate a password reset for any user of TheTruthSpy and its associated Android spyware applications, effectively allowing account hijacking across the platform.

Implications for Users

Considering the nature of TheTruthSpy, a significant number of its users may be deploying the software without the knowledge or consent of those being monitored. This means individuals are potentially unaware their phone data is being intercepted and shared with others.

This fundamental security weakness underscores the inherent untrustworthiness of consumer spyware providers like TheTruthSpy and their competitors when it comes to data protection. These surveillance applications not only enable unlawful spying, frequently perpetrated by individuals in abusive relationships, but also demonstrate consistently poor security protocols.

A Pattern of Security Lapses

To date, TechCrunch has documented at least 26 instances of spyware operations experiencing data leaks, exposures, or other forms of data compromise in recent years. This latest incident marks at least the fourth security failure involving TheTruthSpy specifically.

TechCrunch validated the vulnerability by giving the researcher the usernames of several test accounts. The researcher was then able to promptly change the passwords on those accounts.

Developer's Response

Wade's attempts to notify the owner of TheTruthSpy about the flaw went unanswered.

When approached by TechCrunch, Van (Vardy) Thieu, the director of the spyware operation, stated that the source code had been “lost,” preventing any possibility of a fix.

Ongoing Risk

As of this publication, the vulnerability remains unaddressed, posing a substantial risk to the potentially thousands of individuals whose phones are unknowingly compromised by TheTruthSpy’s spyware.

To limit the risk of misuse, detailed information about the vulnerability will not be disclosed, so that malicious actors cannot exploit it.

Key Takeaways

  • TheTruthSpy faces a critical security vulnerability.
  • Account hijacking and data theft are possible.
  • The developer claims the source code is lost.
  • The vulnerability remains active and poses a significant risk.

A Chronicle of Security Vulnerabilities in TheTruthSpy

TheTruthSpy represents a significant and long-standing spyware operation, with its origins tracing back nearly ten years. At one point, this network constituted one of the most extensive phone surveillance operations publicly known.

Development of TheTruthSpy is undertaken by 1Byte Software, a spyware developer situated in Vietnam and directed by Thieu. TheTruthSpy is part of a collection of remarkably similar Android spyware applications, differing primarily in branding. Examples include Copy9, as well as now-inactive brands like iSpyoo and MxSpy.

These spyware applications all utilize a shared back-end dashboard, the same interface through which TheTruthSpy customers gain access to data illicitly obtained from compromised phones.

Consequently, security flaws identified within TheTruthSpy also impact users and those targeted by any spyware application that leverages TheTruthSpy’s core code.

During a 2021 investigation into the stalkerware landscape, TechCrunch discovered a critical security vulnerability in TheTruthSpy. This flaw resulted in the exposure of sensitive data belonging to approximately 400,000 individuals to public access on the internet.

The compromised data encompassed highly personal information, including private messages, photographs, call histories, and detailed records of past locations.

TechCrunch subsequently received a substantial collection of files originating from TheTruthSpy’s servers, providing insight into the operation’s internal mechanisms. These files also included a comprehensive list of Android devices that had been compromised by TheTruthSpy or its associated applications.

While this device list lacked sufficient detail for individual victim identification, it enabled TechCrunch to create a spyware lookup tool, allowing potential victims to determine if their device was present in the compromised records.

Further reporting, based on an analysis of hundreds of leaked documents from 1Byte’s servers provided to TechCrunch, revealed that TheTruthSpy was supported by a large-scale money laundering scheme. This scheme employed falsified documentation and assumed identities to circumvent restrictions imposed by credit card companies on spyware-related transactions.

This allowed TheTruthSpy to channel millions of dollars in revenue from illicit customer payments into bank accounts globally, controlled by those operating the spyware.

In late 2023, TheTruthSpy experienced another data breach, leading to the exposure of private data pertaining to an additional 50,000 victims. TechCrunch received a copy of this newly exposed data and integrated these updated records into its existing lookup tool.

PhoneParental Emerges Following Data Exposure Issues with TheTruthSpy

Recent developments indicate that TheTruthSpy, despite facing scrutiny, has undergone a rebranding effort. Certain aspects of its operations have been discontinued, while others have been repositioned to mitigate damage to its public image.

Despite the changes, TheTruthSpy remains active and continues to utilize its original, often flawed, code and vulnerable server interfaces. This has resulted in the emergence of a new spyware application known as PhoneParental.

Thieu, the individual previously associated with TheTruthSpy, maintains a continued role in the creation of phone monitoring software and the facilitation of surveillance activities.

Continued Reliance on the JFramework

An examination of TheTruthSpy’s current online infrastructure, based on publicly available internet records, reveals its ongoing dependence on a software platform developed by Thieu. This platform, originally called the Jexpa Framework and now known as the JFramework, serves as the data transmission pathway for TheTruthSpy and its related spyware applications.

In a direct communication, Thieu stated his intention to completely rebuild the applications, including a new phone monitoring app named MyPhones.app. However, network analysis conducted by TechCrunch demonstrates that MyPhones.app also utilizes the JFramework for its core functionalities, mirroring the system employed by TheTruthSpy.

TechCrunch provides a guide detailing how to detect and eliminate stalkerware from mobile devices.

Like other operators of stalkerware, TheTruthSpy presents a persistent risk to individuals whose devices are infiltrated by its applications. This threat stems not only from the highly personal data that is compromised, but also from the consistent inability of these operations to adequately secure the information they collect.

For those in need of assistance, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support to victims of domestic abuse and violence. In urgent situations, please dial 911. The Coalition Against Stalkerware provides resources for individuals suspecting their phone has been compromised by spyware.
