A massive ‘stalkerware’ leak puts the phone data of thousands at risk – TechCrunch

At risk are the private phone records of hundreds of thousands of individuals. Because of widespread consumer-grade spyware, call records, text messages and photos can all be retrieved from a person's phone.
That's all we have to say. TechCrunch repeatedly reached out to the developer (whose identity is kept secret) through all of its email addresses. However, no line of communication was opened through which to disclose the issue. We used open trackers to try to find out whether the emails had been opened, but we were unsuccessful.

We tried to reach the spyware developer, but the security and privacy rights of thousands of people are at stake until this issue is resolved. Since identifying the spyware developer would make it easier for bad actors to access the insecure data, we can't name it.

TechCrunch found the security problem as part of its wider investigation into consumer-grade spyware. These spyware apps are often called child tracking software or monitoring software. They can track and monitor individuals without their consent. These spyware apps silently steal the contents of phones and allow their operator to track whereabouts and communicate with people. These apps can be hidden from the home screen to conceal their presence.

Eva Galperin (Director of Cybersecurity at the Electronic Frontier Foundation) said that she was disappointed, but not surprised by the launch of the Coalition Against Stalkerware in a TechCrunch call. This behavior could be considered negligent, I believe. We have a company that is creating a product that allows abuse. They are also doing such a poor job at securing the information exfiltrated that it opens the doors to further abuse.

TechCrunch also reached out to Codero, a web company that hosts the spyware developer's infrastructure. Codero didn't respond to multiple requests for comment. Codero has a history of hosting stalkerware. In 2019, Codero took action against Mobiispy, a stalkerware maker that was discovered to have stomped on thousands of phone recordings and photos.

It is not surprising that a web host who hosts one stalkerware business would also host other stalkerware businesses, even if they weren't responsive in the past, stated Galperin.

This easy-to-obtain malware prompted an industry-wide crackdown. While antivirus manufacturers have improved their detection of stalkerware, Google banned spyware developers from promoting their products as a way to spy on spouses' phones. However, some developers are using new techniques to get around Google's ban on ads.

Security issues are not uncommon for mobile spyware. Over a dozen stalkerware manufacturers have been hacked in the last few years, leaving people's data exposed or compromised. KidsGuard was another stalkerware app that exposed the phone data of thousands of people. Most recently, pcTattleTale, which claims it can spy on a spouse's phone, leaked screenshots via easily guessable web addresses.

Federal regulators are beginning to notice. The Federal Trade Commission (FTC) banned SpyFone in September. This stalkerware app also exposed more than 2,000 people's phone data. The company was ordered to notify those affected that their phones had been hacked. This is the second FTC action against a spyware manufacturer; the first was against Retina-X, after the company had been hacked multiple times and was eventually shut down.

The National Domestic Violence Hotline (1 800 799 7233) offers confidential, 24/7 support for victims of domestic violence and abuse. Call 911 if you're in an emergency. If you suspect your phone is being compromised by spyware, the Coalition Against Stalkerware has resources. This reporter can be reached on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.