
Stalkerware Apps: Cocospy & Spyic Exposing User Data

February 20, 2025

Security Flaw Exposes Data of Millions Through Phone-Monitoring Apps

A security vulnerability in a pair of phone-monitoring applications is exposing the personal data of a very large number of people, according to the security researcher who found it. The apps are typically installed on a device without the owner's knowledge, so most of those affected are unlikely to know their data is at risk.

Data Breach Details

The flaw permits unauthorized access to personal data, including text messages, photographs and call histories, taken from any phone or tablet on which Cocospy or Spyic is installed. The two apps carry different branding but largely share a common codebase. The vulnerability also exposes the email addresses of the people who signed up for Cocospy and Spyic in order to covertly monitor someone else's device.

Like other forms of spyware, applications such as Cocospy and Spyic are engineered to operate discreetly on a victim’s device. They continuously upload the device’s data to a dashboard accessible to the person who installed the app. Due to the covert nature of such spyware, most device owners are likely unaware of a compromise.

Lack of Response and Vulnerability Details

Attempts to reach the operators of Cocospy and Spyic for comment were unsuccessful. As of this report, the vulnerability remains unpatched. To prevent malicious exploitation and further data exposure, specific details regarding the flaw are not being publicly disclosed.

The security researcher who uncovered the vulnerability explained to TechCrunch that it grants access to the email addresses associated with user accounts on both phone-monitoring apps.

Data Collection and Notification

By exploiting the bug, the researcher was able to collect 1.81 million email addresses belonging to Cocospy customers and 880,167 email addresses from Spyic customers. This data was then provided to Troy Hunt, the administrator of the data breach notification service Have I Been Pwned.

After removing duplicate entries, Hunt confirmed that a total of 2.65 million unique email addresses linked to Cocospy and Spyic were added to Have I Been Pwned. He noted that, consistent with previous spyware-related breaches, this data is flagged as “sensitive,” meaning only affected individuals can actively search for their information.

A Growing Trend of Surveillance Software Breaches

Cocospy and Spyic represent the latest additions to a growing list of surveillance products that have experienced security incidents in recent years. These incidents often stem from software bugs or inadequate security measures. According to records, these apps are now among the 23 known surveillance operations compromised since 2017, resulting in the online exposure of sensitive customer and victim data.

Stalkerware and its Implications

Phone-monitoring apps like Cocospy and Spyic are often marketed as tools for parental control or employee monitoring. However, they are frequently categorized as stalkerware (or spouseware). Some providers even explicitly promote their apps as a means of surreptitiously monitoring a spouse or partner, an activity that is often illegal.

Even when not explicitly marketed for illicit purposes, these apps are often utilized for questionable or unlawful activities.

Installation and Access Methods

Stalkerware applications are typically not available in official app stores and are downloaded directly from the provider's website. On Android, installation usually requires physical access to the target device and knowledge of its passcode. For iPhones and iPads, the stalkerware instead reaches the victim's data through Apple's iCloud service, which requires the victim's Apple account username and password.

Stalkerware Operations Linked to China

Details surrounding the entities responsible for Cocospy and Spyic remain limited. Operators of stalkerware frequently seek to avoid public scrutiny, considering the potential legal and reputational consequences associated with surveillance activities.

Cocospy launched in 2018 and Spyic in 2019. Judging by its number of registered users, Cocospy is one of the largest stalkerware operations known today.

A 2022 research project conducted by security researchers Vangelis Stykas and Felipe Solferini revealed connections between the operation of Cocospy and Spyic and 711.icu, a mobile app developer based in China. The developer’s website is currently inaccessible.

TechCrunch installed both Cocospy and Spyic on a virtual device, a sandbox that lets the apps run without giving them any real user data, such as a location, to send home.

Both stalkerware applications disguise themselves as a generic “System Service” app for Android. This tactic aims to circumvent detection by blending with the operating system’s native applications.

A network analysis tool was employed to monitor data transmission to and from the apps. This helped to understand the spyware’s functionality, data sharing practices, and server locations.

Traffic analysis showed that data from the virtual device was sent via Cloudflare, whose reverse proxy sits in front of the stalkerware servers and hides their real address and hosting provider.

However, the web traffic also revealed that certain victim data, including photographs, was being uploaded to cloud storage servers hosted on Amazon Web Services.
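The attribution step described above, as an added example that is not TechCrunch's code and not anything taken from the apps: given flow records from a proxy or packet capture (method, TLS SNI or Host header, destination IP, path, request size, content type), the script classifies each destination as Cloudflare-fronted by destination IP, as Amazon S3 by hostname pattern, or other, and totals how much data, and how much image data, was uploaded to each. The flow records, hostnames and bucket name are constructed and hypothetical; the Cloudflare ranges are from Cloudflare's published list and should be refreshed before use.

```python
import ipaddress
import re
from collections import defaultdict

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/) as of this
# writing. Assumption: re-fetch the current list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# S3 endpoint hostnames: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# legacy s3-<region>.amazonaws.com, and path-style s3.<region>.amazonaws.com.
S3_HOST_RE = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

UPLOAD_METHODS = {"PUT", "POST"}

# Constructed flow records (not a real capture). Columns: method, TLS SNI / Host
# header, destination IP, path, request body size in bytes, request Content-Type.
# The hostnames and the bucket name are hypothetical.
SAMPLE_FLOWS = """\
POST api.monitor-backend.test 104.18.30.10 /v1/device/heartbeat 412 application/json
POST api.monitor-backend.test 104.18.30.10 /v1/sms/sync 9831 application/json
PUT  example-media.s3.us-east-1.amazonaws.com 52.216.0.5 /photos/IMG_0042.jpg 482913 image/jpeg
PUT  example-media.s3.us-east-1.amazonaws.com 52.216.0.5 /photos/IMG_0043.jpg 511210 image/jpeg
GET  connectivitycheck.gstatic.com 142.250.72.3 /generate_204 0 -
"""


def is_cloudflare(ip: str) -> bool:
    """True if the destination address sits in a Cloudflare range, i.e. the
    connection terminates at Cloudflare's edge and the origin server is hidden."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def is_s3(host: str) -> bool:
    """True if the hostname is an Amazon S3 endpoint."""
    return S3_HOST_RE.search(host) is not None


def classify(host: str, ip: str) -> str:
    if is_s3(host):
        return "aws-s3"
    if is_cloudflare(ip):
        return "cloudflare-fronted"
    return "other"


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, host, ip, path, size, ctype = line.split()
        flows.append({"method": method, "host": host, "ip": ip, "path": path,
                      "bytes": int(size), "content_type": ctype})
    return flows


def summarize(flows: list) -> dict:
    """Per destination host: infrastructure class, number of uploads, bytes
    uploaded, and how much of that was image data."""
    per_host = defaultdict(lambda: {"class": "other", "uploads": 0,
                                    "upload_bytes": 0, "image_bytes": 0})
    for f in flows:
        entry = per_host[f["host"]]
        entry["class"] = classify(f["host"], f["ip"])
        if f["method"] in UPLOAD_METHODS:
            entry["uploads"] += 1
            entry["upload_bytes"] += f["bytes"]
            if f["content_type"].startswith("image/"):
                entry["image_bytes"] += f["bytes"]
    return dict(per_host)


if __name__ == "__main__":
    for host, entry in summarize(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host:45} {entry['class']:18} uploads={entry['uploads']} "
              f"bytes={entry['upload_bytes']} image_bytes={entry['image_bytes']}")
```

The IP-based check matters because a Cloudflare-fronted hostname tells you nothing about who hosts the origin, whereas an S3 hostname pins the storage to a specific provider and bucket that can be reported.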

Amazon spokesperson Ryan Walsh said the company acts promptly to disable prohibited content when it is reported. Walsh did not say whether Amazon had taken any action against the spyware operation, or whether it intends to.

Cloudflare did not respond to TechCrunch’s requests for comment regarding these stalkerware operations.

Furthermore, the analysis demonstrated that the server occasionally returned status or error messages in Chinese. This suggests the applications were developed by individuals with ties to China.

  • Cocospy and Spyic were launched in 2018 and 2019.
  • Both apps masquerade as a “System Service” app on Android.
  • Data is transmitted via Cloudflare and stored on Amazon Web Services.

Key Findings

The investigation points to a China-based connection for two of the larger stalkerware operations. Routing traffic through an intermediary such as Cloudflare hides the origin server's address and hosting provider, which makes attributing the operation harder.

Removing Cocospy and Spyic Stalkerware: A Comprehensive Guide

Because the breached data contains the email addresses of customers, people who registered for Cocospy or Spyic can check whether their account appears in it. The data does not contain enough identifying information to notify the people whose devices were being monitored.

Still, there are ways to check whether a phone is running Cocospy or Spyic. As with other stalkerware, installing these apps on Android generally requires deliberately weakening the device's security, for example by allowing apps from unknown sources. On iPhones and iPads, the person installing it needs access to the victim's Apple account, including the username and password.

Although Cocospy and Spyic attempt to conceal themselves by masquerading as a system application labeled “System Service,” detection is still possible.

On Android phones, entering ✱✱001✱✱ into the dialer and pressing the call button can reveal Cocospy or Spyic if either is installed. The apps include this feature so that the person who installed them can get back into the app later, but it works just as well for the victim checking whether the app is present.

Furthermore, a review of installed applications within the Android Settings menu can reveal hidden apps.
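The Settings review described above can be done more systematically from a computer with adb. As an added example that is not part of the TechCrunch guide and not code from either app, the Python below parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), `adb shell dumpsys package <pkg>` (granted permissions) and `adb shell settings get secure enabled_accessibility_services`, and scores packages that were sideloaded, hold the message, call-log, contacts and location permissions a monitoring app needs, and run an accessibility service. The command output here is constructed and the package names are hypothetical; the scoring is a general triage heuristic that goes beyond the dialer-code check the page describes, not a signature for Cocospy or Spyic.

```python
import re

# Permissions that, together on a sideloaded app, form the profile of a phone
# monitor: messages, call history, contacts, location, microphone, camera, photos.
SENSITIVE = {
    "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "RECORD_AUDIO",
    "CAMERA", "READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES",
}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed output of `adb shell pm list packages -3 -i`. Package names are
# hypothetical; `installer=null` means the app was not installed by a store.
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.svc.sysupdate  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` for two packages.
DUMPSYS = {
    "com.example.notes": """\
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
""",
    "com.svc.sysupdate": """\
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
}

# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
ACCESSIBILITY = "com.svc.sysupdate/com.svc.sysupdate.MonitorService"

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
GRANT_RE = re.compile(r"android\.permission\.([A-Z_]+): granted=true")


def parse_pm_list(text: str) -> dict:
    """Map package name -> installer package, or None when sideloaded."""
    installers = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def granted_permissions(dumpsys_text: str) -> set:
    """Short names of permissions dumpsys reports as granted."""
    return set(GRANT_RE.findall(dumpsys_text))


def accessibility_packages(setting: str) -> set:
    """The setting is a colon-separated list of package/service entries."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}


def triage(pm_text: str, dumpsys_by_pkg: dict, accessibility_setting: str) -> list:
    """Score each third-party package; a higher score means it deserves a closer look."""
    a11y = accessibility_packages(accessibility_setting)
    results = []
    for pkg, installer in parse_pm_list(pm_text).items():
        score, reasons = 0, []
        if installer not in STORE_INSTALLERS:
            score += 2
            reasons.append("sideloaded" if installer is None else f"installer={installer}")
        sens = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SENSITIVE
        score += len(sens)
        if sens:
            reasons.append("granted: " + ", ".join(sorted(sens)))
        if pkg in a11y:
            score += 2
            reasons.append("accessibility service enabled")
        results.append({"package": pkg, "score": score, "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(PM_LIST, DUMPSYS, ACCESSIBILITY):
        print(f"{r['score']:2}  {r['package']:25} {'; '.join(r['reasons'])}")
```

A high-scoring package is a lead, not a verdict: confirm it by looking at its label and icon in Settings before acting, and remember that uninstalling it may alert the person who installed it.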

TechCrunch has a general guide for removing spyware from Android devices that covers identifying and removing common phone stalkerware. Make a safety plan first: disabling the spyware may alert the person who installed it.

Android users should activate Google Play Protect, a protective measure against malicious apps, including stalkerware. This feature can be enabled through the settings menu within the Google Play Store if it is not already active.

iPhone and iPad users who suspect a compromise should verify that their Apple account utilizes a strong, unique password – ideally managed by a password manager – and that two-factor authentication is enabled. Additionally, review and remove any unrecognized devices associated with the account.

If you or someone you know requires assistance, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support to those experiencing domestic abuse and violence. In emergency situations, please dial 911. The Coalition Against Stalkerware provides resources for individuals concerned about spyware compromise.

Zack Whittaker can be contacted securely via Signal and WhatsApp at +1 646-755-8849. Secure document sharing with TechCrunch is possible through SecureDrop.

This article has been updated to include further information from Amazon.

#stalkerware #cocospy #spyic #phone data #privacy #security