A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim's sensitive personal data, TechCrunch has confirmed.
Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it's likely that many of its customers are running it without the consent of their targets, who are unaware that their phone data is being siphoned off to someone else.
This latest flaw shows, once again, that makers of consumer spyware such as TheTruthSpy, and its many rivals, can't be trusted with anyone's data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators.
To date, TechCrunch has counted at least 26 spyware operations that have leaked, exposed, or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.
TechCrunch verified the vulnerability by providing the researcher with the usernames of several test accounts. The researcher quickly changed the passwords on the accounts. Wade tried to contact the owner of TheTruthSpy to alert him to the flaw, but he did not receive any response.
When contacted by TechCrunch, the spyware operation's director Van (Vardy) Thieu said he "lost" the source code and cannot fix the bug.
As of publication, the vulnerability still exists and presents a significant risk to the thousands of people whose phones are believed to be unknowingly compromised by TheTruthSpy's spyware.
Given the risk to the public, we are not describing the vulnerability in further detail so as not to aid malicious actors.
A brief history of TheTruthSpy's many security flaws
TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the internet.
TheTruthSpy is developed by 1Byte Software, a Vietnam-based spyware maker run by Thieu, its director. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9, and the since-defunct brands iSpyoo, MxSpy, and others. The spyware apps share the same back-end dashboards that TheTruthSpy's customers use to access their victim's stolen phone data.
As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or white-labeled spyware app that relies on TheTruthSpy's underlying code.
As part of an investigation into the stalkerware industry in 2021, TechCrunch found that TheTruthSpy had a security bug that was exposing the personal data of its 400,000 victims to anyone on the internet. The exposed data included the victims' most personal information, including their private messages, photos, call logs, and their historical location data.
TechCrunch later obtained a cache of files from TheTruthSpy's servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. While the list of devices did not contain enough information to personally identify each victim, it allowed TechCrunch to build a spyware lookup tool for any potential victim to check whether their phone was found in the list.
Our subsequent reporting, based on hundreds of leaked documents from 1Byte's servers sent to TechCrunch, revealed that TheTruthSpy relied on a large money-laundering operation that used forged documents and false identities to skirt restrictions put in place by credit card processors on spyware operations. The scheme allowed TheTruthSpy to funnel millions of dollars of illicit customer payments into bank accounts around the world controlled by its operators.
In late 2023, TheTruthSpy had another data breach, exposing the personal data of another 50,000 new victims. TechCrunch was sent a copy of this data, and we added the updated records to our lookup tool.
TheTruthSpy, still exposing data, rebrands to PhoneParental
As it stands, some of TheTruthSpy's operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.
Thieu is still involved in the development of phone monitoring software, as well as the ongoing facilitation of surveillance.
According to a recent analysis of TheTruthSpy's current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed by Thieu called the JFramework (previously known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to send data back to its servers.
In an email, Thieu said he was rebuilding the apps from scratch, including a new phone monitoring app called MyPhones.app. A network analysis test carried out by TechCrunch shows that MyPhones.app relies on the JFramework for its back-end operations, the same system used by TheTruthSpy.
TechCrunch has an explainer on how to identify and remove stalkerware from your phone.
TheTruthSpy, much like other stalkerware operators, remains a threat to the victims whose phones are compromised by its apps, not just because of the highly sensitive data that they steal, but because these operations repeatedly show that they cannot keep their victims' data safe.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.