Incompetent Android spyware can't even manage to keep its own stolen data safe

source link: https://www.androidpolice.com/incompetent-android-spyware-cant-even-manage-to-keep-its-own-stolen-data-safe/

By Steve Huff

Published 3 days ago

Downloader beware

Software that covertly pulls info off your phone is a danger none of us want to face, and the fact that there are companies out there selling these tools to anyone who may want to spy on us is outright chilling. If that threat weren't bad enough already, it turns out that a number of these "stalkerware" apps are themselves woefully insecure, and end up leaving your data potentially exposed to even more prying eyes.

The apps we're looking at today all share much of the same code base, and were uncovered through TechCrunch's investigation into suspicious software. They go by names like Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker, and GuestSpy, and appear to have affected some 400,000 phones in countries around the globe.

Their intended operation is pretty standard cyber-stalker fare, giving an attacker access to a dashboard that displays real-time data coming from your phone as a feed — and the software is grabbing everything: messaging, GPS data, photos, all of it. Research also shows all these apps communicate back to the same server setup.

That part is a telling find: Since the people behind these spy apps seem to be copying the same setup, they're also copying any flaws in that implementation — and it turns out there's a pretty severe one here. The exploit is triggered by way of an insecure direct object reference (IDOR) and it has the potential to expose server-side information.

The IDOR flaw reveals information stolen from the phones of innocent victims — and according to TechCrunch, some intriguing data about the people behind the operation. That trail leads to 1Byte, a mysterious company with ties to London and Ho Chi Minh City in Vietnam, and Affiligate, a company handling the money coming from the spyware operators. Some of these sketchy apps were deactivated after TechCrunch's attempts to contact 1Byte, but the trail is otherwise cold — for now.

TechCrunch has a helpful tutorial on removing spyware apps from Android devices, if you fear you've been affected. Of course, an ounce of prevention is worth a pound of cure, so make sure you keep on top of your security updates, don't click sketchy links, and think twice about whom you're letting use your devices.

About The Author

Steve Huff (27 Articles Published)

Steve is the Weekend News Editor for Android Police. He was previously the Deputy Digital Editor for Maxim magazine and has written for Inside Hook, Observer, and New York Mag. He's the author of two official tie-in books for AMC's hit "Breaking Bad" prequel, "Better Call Saul."
