Behind the Stalkerware Network Spilling the Private Phone Data of Thousands (techcrunch.com)

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves.
After TechCrunch emailed 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.
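The insecure direct object reference described in the summary, as an added example (not code from the TechCrunch report or from the spyware operation): a minimal model of a dashboard endpoint that fetches a device record by the id supplied in the request, beside the fixed version that scopes every lookup to the authenticated account, plus a small audit-log check a defender can run to spot an account requesting devices it does not own. All account ids, device ids and data are constructed.

```python
# Added example: IDOR in a per-device data dashboard, vulnerable vs. fixed.
# Constructed sample data: which account registered which device, and each
# device's stored records. Nothing here comes from a real service.
DEVICE_OWNER = {"dev-1001": "acct-A", "dev-1002": "acct-A", "dev-2001": "acct-B"}
DEVICE_DATA = {
    "dev-1001": {"sms": ["hi"], "location": (51.50, -0.12)},
    "dev-1002": {"sms": [], "location": (48.86, 2.35)},
    "dev-2001": {"sms": ["call me"], "location": (40.71, -74.01)},
}


class Forbidden(Exception):
    """Raised when the caller's account does not own the requested object."""


def get_device_vulnerable(session_account: str, device_id: str) -> dict:
    """IDOR: the id from the request is used directly as the lookup key.
    The session is authenticated, but nothing ties device_id to the
    account behind the session, so any logged-in account can read any
    device's records just by supplying a different id."""
    return DEVICE_DATA[device_id]


def get_device_fixed(session_account: str, device_id: str) -> dict:
    """Fixed: the lookup is scoped to objects the authenticated account
    owns. An unknown id and a foreign id get the same response so the
    id space cannot be mapped by telling 'not found' from 'not yours'."""
    if DEVICE_OWNER.get(device_id) != session_account:
        raise Forbidden("no such device for this account")
    return DEVICE_DATA[device_id]


def cross_account_attempts(audit_log: list[tuple[str, str]]) -> int:
    """Server-side detection: count (account, device_id) requests where
    the account does not own the device. A burst of these from one
    account is the signal to alert on and to rate-limit."""
    return sum(1 for acct, dev in audit_log if DEVICE_OWNER.get(dev) != acct)
```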
  • by Kelxin ( 3417093 ) on Wednesday February 23, 2022 @12:01AM (#62294339)
    If all of this data is out there, why not send a text to every phone number that has it installed and being monitored?
    • by Arethan ( 223197 )

      Nice idea. Go do it.

    • If not done anonymously then it's a surefire way to get sued for damaging their spyware business as well as be prosecuted for unauthorized access to the spyware infrastructure. Right now TechCrunch is in good legal graces as any access was incidental in a journalistic investigation but taking further action would cross a line.

      The best TechCrunch can hope to do without getting into legal trouble is to publish just enough details to put people on the trail to do just that (or provide cover for doing so them

  • Lollollol your boat
  • by Arethan ( 223197 ) on Wednesday February 23, 2022 @12:42AM (#62294397) Journal

    Honestly. Who fucking cares about installed-on-purpose-spyware when we have literally zero-click spyware on the open market for governments (and rich fuckwits) to buy at will. This seems like a very obvious hate-redirection operation. Fuck that. Pegasus is a black mark on the world, and NGO owns that mark in whole. Fuck them and everyone that bothers themselves to work there. Hey you, employees of this bullshit empire, do you want to know how you can help stop this nonsense: You QUIT and get a USEFUL JOB.

    ffs, I'm getting too old for this sort of crap. gtfo my lawn...

    • I can understand why you might find it disconcerting that your government has the capability to spy on you, if they choose to target you specifically.

      Quite apart from any product they might buy from NSO group, the same government has the capability and resources to have teams of people physically watching your every movement. Sometimes, they install cameras atop telephone poles, disguised as utility equipment, and point it at someone's house. They can do that very easily.

      That doesn't mean you want your ex t

    • Mod up. But I read something like AV vendors were being paid off NOT to detect Pegasus or whitelist signatures on a payment. Journalists have many honeypots - hosted by EFF security experts and the like that should put Pegasus out of business, or grass on their Zeroday CVEs. OTOH it is great when DNC or Credit Suisse cop Pegasus? enabled leaks. As more data moves to the cloud, traffic analysis becomes impossible, and the discovery of leaks pushed out to >3 months. Security IS a two way street.
    • It's one thing to be monitored by a corporation or government. It's quite another to be stalked by your emotionally unhinged, jealous, possessive, maybe violent ex/spouse/partner. They'll know when you're calling for help or trying to escape.
    • What about Pegasus?

      They reported on it extensively. [techcrunch.com]

      Who fucking cares about installed-on-purpose-spyware when we have literally zero-click spyware on the open market for governments (and rich fuckwits) to buy at will.

      Everyone who doesn't want to live in a shitty society.

      This seems like a very obvious hate-redirection operation.

      Your post seems like you are invested in a spyware company, so there's that.

  • ...the Government nor the ultra wealthy have access to these sorts of programs. Just imagine the uproar that would occur if THAT story ever broke, huh? Be no way this nation full of FreeDumb loving Patriots(tm) would ever stand for that sort of intrusion, why that's why they buy all them guns!
    What? That already happened years ago and they cheered or yawned?
