Millions of stalkerware users exposed again
There are many reasons not to use stalkerware, but the risk of being exposed yourself seems to be a recurring deterrent, according to a new investigation.
As we have reported many times before, stalkerware-type apps are coded so badly that it’s possible to gain access to the back-end databases and retrieve data about everyone who has the app on their device—and those are not just the victims.
By definition, stalkerware is a term used to describe the tools—software programs and mobile apps—that enable someone to secretly spy on another person’s private life via their mobile device. Many stalkerware-type applications market themselves as parental monitoring tools, but they can be and often are used to stalk and spy on a person. A commonly recorded use of stalkerware is in situations of domestic abuse, in which abusers will load these programs onto their partner’s computer or mobile device without their knowledge.
Stalkerware apps are notoriously badly coded and secured. In the past we have written about similar problems with:
- mSpy, a mobile monitoring app which suffered multiple data breaches.
- pcTattleTale, another stalkerware app that faced significant security issues. Among others, it was found to upload victim screenshots to an unsecured AWS server.
- TheTruthSpy, which exposed photographs of children taken by the app on the internet because of the app vendor’s poor cybersecurity practices.
As reported by TechCrunch, researchers found a vulnerability in three very similar stalkerware apps called Spyzie, Cocospy, and Spyic. The bug not only exposed data from the victim’s device, such as messages, photos, and location data, but also allowed the researcher to collect 518,643 unique email addresses of Spyzie customers, 1.81 million email addresses of Cocospy customers, and 880,167 email addresses of Spyic customers.
Apparently, the bug is so easy to exploit that TechCrunch and the researcher decided it was not advisable to reveal any details, since anyone would have been able to exploit it.
Our advice: don’t use stalkerware
If you are thinking about installing such an app, and you are reading this:
- Don’t!
- It is definitely illegal in almost every country, unless it’s done with government consent or to monitor your children (and even then, the rules can be murky).
- We have never heard of anyone who was able to solve a problem by using stalkerware. Usually, resorting to stalkerware only makes the problems worse.
- Consider the consequences of someone finding out what you did, and remember that this is a very distinct possibility.
- Listen to this podcast.
Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware from your device. Keep in mind, however, that by removing any stalkerware-type app, you will alert the person spying on you that you know the app is there. If you are facing domestic abuse, we recommend that you first develop a safety plan with an organization like the National Network to End Domestic Violence before removing any stalkerware-type app from your device.
Stalkerware apps are usually hidden or camouflaged as other apps, so to find them on your phone, we recommend scanning with an anti-malware app that is able to identify stalkerware.
Malwarebytes also provides a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.