A new security flaw in TheTruthSpy phone spyware is putting victims at risk

A stalkerware maker with a history of multiple data leaks and breaches now has an important security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, information.killnetswitch has confirmed.

Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.

This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy, and its many competitors, cannot be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators.

To date, information.killnetswitch has counted at least 26 spyware operations that have leaked, exposed, or otherwise spilled data recently. By our count, this is at least the fourth security lapse involving TheTruthSpy.

information.killnetswitch verified the vulnerability by providing the researcher with the username of several test accounts. The researcher quickly changed the passwords on the accounts. Wade tried to contact the owner of TheTruthSpy to alert him to the flaw, but he did not receive any response.

When contacted by information.killnetswitch, the spyware operation’s director Van (Vardy) Thieu said he “misplaced” the source code and cannot fix the bug.

As of publication, the vulnerability still exists and presents a major risk to the hundreds of people whose phones are believed to be unknowingly compromised by TheTruthSpy’s spyware.

Given the risk to the general public, we are not describing the vulnerability in more detail so as not to help malicious actors.

A brief history of TheTruthSpy’s many security flaws

TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the web.

TheTruthSpy is developed by 1Byte Software, a Vietnam-based spyware maker run by Thieu, its director. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9, and since-defunct brands iSpyoo, MxSpy, and others. The spyware apps share the same back-end dashboards that TheTruthSpy’s customers use to access their victim’s stolen phone data.

As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or whitelabeled spyware app that relies on TheTruthSpy’s underlying code.

As part of an investigation into the stalkerware industry in 2021, information.killnetswitch found that TheTruthSpy had a security bug that was exposing the private data of its 400,000 victims to anyone on the internet. The exposed data included the victims’ most personal information, including their private messages, photos, call logs, and their historical location data.

information.killnetswitch later received a cache of files from TheTruthSpy’s servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. While the list of devices did not contain enough information to personally identify each victim, it allowed information.killnetswitch to build a spyware lookup tool for any potential victim to check whether their phone was found in the list.

Our subsequent reporting, based on lots of leaked documents from 1Byte’s servers sent to information.killnetswitch, revealed that TheTruthSpy relied on a large money-laundering operation that used forged documents and false identities to skirt restrictions put in place by credit card processors on spyware operations. The scheme allowed TheTruthSpy to funnel thousands and thousands of dollars of illicit customer payments into bank accounts around the world controlled by its operators.

In late 2023, TheTruthSpy had another data breach, exposing the private data of another 50,000 new victims. information.killnetswitch was sent a copy of this data, and we added the updated records to our lookup tool.

TheTruthSpy, still exposing data, rebrands to PhoneParental

As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.

Thieu continues to be involved in the development of phone monitoring software, as well as the continued facilitation of surveillance.

According to a recent analysis of TheTruthSpy’s current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed by Thieu called the JFramework (previously known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to share data back to its servers.

In an email, Thieu said he was rebuilding the apps from scratch, including a new phone monitoring app called MyPhones.app. A network analysis test performed by information.killnetswitch shows MyPhones.app relies on the JFramework for its back-end operations, the same system used by TheTruthSpy.

information.killnetswitch has an explainer on how to identify and remove stalkerware from your phone.

TheTruthSpy, much like other stalkerware operators, remains a threat to the victims whose phones are compromised by its apps, not just because of the highly sensitive data that they steal, but because these operations continually show that they cannot keep their victim’s data safe.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
