Incompetent Android spyware can’t even manage to keep its own stolen data safe
Software that covertly pulls info off your phone is a danger none of us want to face, and the fact that there are companies out there selling these tools to anyone who may want to spy on us is outright chilling. If that threat weren’t bad enough already, it turns out that a number of these “stalkerware” apps are themselves woefully insecure, and end up leaving your data potentially exposed to even more prying eyes.
The apps we’re looking at today all share much of the same code base, and were uncovered through TechCrunch’s investigation into suspicious software. They go by names like Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker, and GuestSpy and appear to have affected some 400,000 phones in countries around the globe.

Their intended operation is pretty standard cyber-stalker fare, giving an attacker access to a dashboard that displays real-time data coming from your phone as a feed — and the software is grabbing everything: messaging, GPS data, photos, all of it. Research also shows all these apps communicate back to the same server setup.
That part is a telling find: Since the people behind these spy apps seem to be copying the same setup, they’re also copying any flaws in that implementation — and it turns out there’s a pretty severe one here. The exploit is triggered by way of an insecure direct object reference (IDOR) and it has the potential to expose server-side information.
The IDOR flaw reveals information stolen from the phones of innocent victims — and according to TechCrunch, some intriguing data about the people behind the operation. That trail leads to 1Byte, a mysterious company with ties to London and Ho Chi Minh City in Vietnam, and Affiligate, a company handling the money coming from the spyware operators. Some of these sketchy apps were deactivated after TechCrunch’s attempts to contact 1Byte, but the trail is otherwise cold — for now.
TechCrunch has a helpful tutorial on removing spyware apps from Android devices, if you fear you’ve been affected. Of course, an ounce of prevention is worth a pound of cure, so make sure you keep on top of your security updates, don’t click sketchy links, and think twice about whom you’re letting use your devices.
