Amazon Data Breach: Spyware Victims' Data Still Hosted

Amazon's Response to Stalkerware Data Storage

Despite being alerted to the issue weeks prior, Amazon has not publicly stated whether it intends to address the storage of extensive private phone data by three surveillance applications on its cloud servers.

Following notification from TechCrunch in February, Amazon acknowledged it was “following [its] process.” However, the operations of Cocospy, Spyic, and Spyzie – apps identified as stalkerware – continue to upload and maintain photos extracted from individuals’ phones using Amazon Web Services (AWS).

Identical Apps, Widespread Data Exposure

A security researcher discovered that Cocospy, Spyic, and Spyzie share the same underlying source code and a common security vulnerability. This researcher brought the issue to TechCrunch’s attention.

The exposed data affects an estimated 3.1 million individuals, many unaware their devices have been compromised. The researcher subsequently shared this data with Have I Been Pwned, a breach notification website.

Data Uploads to AWS

TechCrunch’s investigation, including direct analysis of the applications, confirmed that compromised devices are having their contents uploaded to storage servers operated by AWS.

TechCrunch initially notified Amazon on February 20th regarding data exfiltration by Cocospy and Spyic. A subsequent notification was sent earlier this week concerning stolen data from Spyzie.

Specific Storage Buckets Identified

In both communications, TechCrunch provided Amazon with the specific names of the Amazon-hosted storage “buckets” containing the compromised data.

Amazon's Response and Lack of Action

Ryan Walsh, an Amazon spokesperson, stated that AWS has terms requiring customers to comply with applicable laws and that they “act quickly” to address potential violations. He directed TechCrunch to an abuse reporting form.

However, Walsh declined to comment on the status of the servers utilized by the identified applications.

A follow-up email referencing the initial February 20th communication prompted Walsh to thank TechCrunch and again provide the abuse reporting form link.

When directly asked about potential action against the storage buckets, Walsh responded that Amazon had not yet received an abuse report through the provided link.

Dispute Over Reporting

Casey McGee, also an Amazon spokesperson, asserted that characterizing the email exchange as a “report” of potential abuse would be “inaccurate.”

Financial Interests at Play

Amazon Web Services generated $39.8 billion in profit during 2024, representing a significant portion of Amazon’s overall annual income. This highlights the company’s commercial interest in maintaining its customer base.

Ongoing Data Storage

As of the time of publication, the storage buckets utilized by Cocospy, Spyic, and Spyzie remain operational and continue to store potentially sensitive data.

The Significance of the Issue

Amazon’s stated acceptable use policy clearly defines the types of content permitted on its platform. The company doesn't contest its right to prohibit the uploading of data by spyware and stalkerware operations. The core of Amazon’s disagreement centers on procedural aspects, rather than the content itself.

It is not the responsibility of journalists, or any external party, to monitor and regulate the content hosted on Amazon’s infrastructure, or that of any other cloud provider.

Amazon possesses substantial financial and technological capabilities to effectively enforce its own policies. This includes preventing malicious actors from misusing its services.

Ultimately, TechCrunch alerted Amazon to the presence of stolen, private phone data, even providing specific locations. A deliberate decision was then made by Amazon not to take action based on the information provided.

Amazon's Responsibility

The dispute isn't about whether harmful activities should be allowed; Amazon’s policies already prohibit them. Instead, the contention revolves around the process Amazon employs to address violations.

The ability to identify and remove illicit content rests with Amazon, given its extensive resources. They are uniquely positioned to proactively safeguard their platform.

Providing detailed information regarding the location of compromised data represents a significant step in assisting Amazon’s enforcement efforts. The subsequent inaction raises questions about prioritization and commitment.

Implications of Inaction

The case highlights the critical role cloud providers play in maintaining data security and user privacy. Their policies are only effective if consistently enforced.

Failure to act on credible reports of illicit activity can have severe consequences for individuals whose data is compromised. This underscores the need for robust oversight and accountability.

Data breaches and the misuse of personal information remain significant concerns. Cloud providers must demonstrate a commitment to protecting their users from these threats.

Uncovering Victims’ Data Hosted on Amazon

TechCrunch undertakes investigations whenever a data breach related to surveillance comes to light – and numerous stalkerware hacks and data leaks have occurred in recent years. These investigations aim to ascertain details about the operations involved.

Our work can assist in identifying individuals whose phones have been compromised, while simultaneously revealing the often-concealed identities of those operating the surveillance systems. We also determine which platforms are utilized to enable surveillance or store the data illicitly obtained from victims. Analysis of the applications, when accessible, is performed to aid victims in recognizing and eliminating these apps.

As standard journalistic practice dictates, TechCrunch contacts any company identified as hosting or providing support for spyware and stalkerware activities prior to publication. It’s also typical for companies, including web hosting providers and payment processors, to suspend accounts or remove data violating their terms of service, a practice previously seen with spyware operations hosted on Amazon.

In February, TechCrunch became aware of breaches affecting both Cocospy and Spyic, prompting a deeper investigation.

Given that the compromised data primarily impacted users of Android devices, TechCrunch began by identifying, downloading, and installing the Cocospy and Spyic applications on a virtual Android environment. This virtual device allows for the execution of stalkerware apps within a secure sandbox, preventing access to any real-world data, such as location information. Both Cocospy and Spyic presented themselves as generic apps labeled “System Service,” designed to avoid detection by mimicking legitimate Android system applications.

A network traffic analysis tool was employed to examine the data transmitted to and from these applications. This process helps to understand the functionality of each app and pinpoint what data is being surreptitiously uploaded from the test device.

Analysis of the web traffic revealed that both stalkerware applications were uploading data belonging to some victims, including photographs, to storage buckets bearing their respective names on Amazon Web Services. 

Further confirmation was obtained by accessing the Cocospy and Spyic user dashboards, which provide access to the stolen data of targeted individuals for those who deploy the stalkerware. Compromising our virtual device with the stalkerware apps allowed us to access the contents of its photo gallery through these web dashboards. 

When viewing the photo gallery content from each app’s web dashboard, the images were loaded from web addresses containing the respective bucket names hosted on the amazonaws.com domain, operated by Amazon Web Services. 

Following reports of a data breach impacting Spyzie, TechCrunch also analyzed the Spyzie Android application using a network analysis tool. The resulting traffic data was found to be identical to that of Cocospy and Spyic. The Spyzie app was similarly uploading victims’ device data to its dedicated storage bucket on Amazon’s cloud infrastructure, a matter which was brought to Amazon’s attention on March 10.

Individuals needing assistance can contact the National Domestic Violence Hotline (1-800-799-7233) for 24/7 free, confidential support regarding domestic abuse and violence. In emergency situations, please call 911. The Coalition Against Stalkerware provides resources for those suspecting their phone has been compromised by spyware.