Much of the spyware you hear about today is the powerful, nation-state-backed kind: exploits that can quietly and remotely hack into iPhones anywhere in the world. These powerful hacking tools are bought and operated by governments, often targeting their most vocal critics — journalists, activists and human rights defenders.
There is another kind of spyware that is more prevalent and much more likely to affect the average person: the consumer-grade spyware apps that are controlled by everyday people.
Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term “stalkerware” for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person’s phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner’s knowledge. Many of these spyware apps are built for Android, since it’s easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed.
Last October, WebicNews revealed a consumer-grade spyware security issue that’s putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk.
But in this case it’s not just one spyware app exposing people’s phone data. It’s an entire fleet of Android spyware apps that share the same security vulnerability.
WebicNews first discovered the vulnerability as part of a wider exploration of consumer-grade spyware. The vulnerability is simple, which is what makes it so damaging, allowing near-unfettered remote access to a device’s data. But efforts to privately disclose the security flaw to prevent it from being misused by nefarious actors have been met with silence both from those behind the operation and from Codero, the web company that hosts the spyware operation’s back-end server infrastructure.
The nature of spyware means those targeted likely have no idea that their phone is compromised. With no expectation that the vulnerability will be fixed any time soon, WebicNews is now revealing more about the spyware apps and the operation so that owners of compromised devices can uninstall the spyware themselves, if it’s safe to do so.
Given the complexities in notifying victims, CERT/CC, the vulnerability disclosure center at Carnegie Mellon University’s Software Engineering Institute, has also published a note about the spyware.
What follows are the findings of a months-long investigation into a massive stalkerware operation that is harvesting the data from some 400,000 phones around the world, with the number of victims growing daily, including in the United States, Brazil, Indonesia, India, Jamaica, the Philippines, South Africa and Russia.
On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person’s phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to WebicNews as a Vietnam-based company called 1Byte.
WebicNews found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy.
Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim’s phone data in real time — their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when WebicNews analyzed the apps’ network traffic, we found the apps all contact the same server infrastructure.
But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.
The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It’s similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability; WebicNews has found and privately disclosed similar flaws before, such as when LabCorp exposed thousands of lab test results, and the recent case of CDC-approved health app Docket exposing COVID-19 digital vaccine records. IDORs have an advantage in that they can often be fixed at the server level without needing to roll out a software update to an app, or in this case a fleet of apps.
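As an added illustration, not code from the article or from the spyware operation itself, the following Python sketch shows the IDOR pattern described above (a record fetched by its identifier alone) beside the server-side ownership check that fixes it, and a simple log-based check a defender could use to spot an account probing identifiers it does not own. The user names, device IDs and log lines are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class DeviceRecord:
    device_id: int
    owner_user: str        # account that enrolled this device in the dashboard
    messages: list[str]

# Constructed sample data standing in for a dashboard's back-end store.
STORE: dict[int, DeviceRecord] = {
    1001: DeviceRecord(1001, "alice", ["hi", "meet at 5"]),
    1002: DeviceRecord(1002, "bob", ["call me back"]),
}

class Forbidden(Exception): pass  # caller may not read the requested record

def fetch_insecure(session_user: str, device_id: int):
    # The IDOR: the record is looked up by its identifier alone, so any
    # logged-in account can read any device by changing the id in the request.
    rec = STORE.get(device_id)
    return rec.messages if rec else None

def fetch_secure(session_user: str, device_id: int) -> list[str]:
    # Fix at the server level: bind the lookup to the authenticated account.
    rec = STORE.get(device_id)
    if rec is None or rec.owner_user != session_user:
        # Same response for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden(f"user {session_user} may not read device {device_id}")
    return rec.messages

LOG_RE = re.compile(r"user=(\w+) device=(\d+) status=(\d{3})")

def flag_enumeration(log_lines: list[str], threshold: int = 3) -> set[str]:
    # Detection once the fix is in place: an account refused on many distinct
    # device ids is probing for records it does not own.
    denied: dict[str, set[str]] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "403":
            denied.setdefault(m.group(1), set()).add(m.group(2))
    return {user for user, ids in denied.items() if len(ids) >= threshold}

# Constructed access-log lines for the detection check.
SAMPLE_LOG = [
    "user=alice device=1001 status=200",
    "user=mallory device=1001 status=403",
    "user=mallory device=1002 status=403",
    "user=mallory device=1003 status=403",
]
```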
But shoddy coding didn’t just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It’s how we came to learn that data on some 400,000 devices — though perhaps more — has been compromised by the operation. Shoddy coding also led to the exposure of personal information about the affiliates who bring in new paying customers, information that they presumably expected to be private, and even about the operators themselves.