A huge cache of leaked data reveals the inner workings of a stalkerware operation that spies on hundreds of thousands of people around the world, including Americans.
The leaked data includes call logs, text messages, granular location data, and other personal device data from unsuspecting victims whose Android phones and tablets were compromised by a fleet of nearly stalkerware apps. identical, including TheTruthSpy, Copy9, MxSpy and others.
These Android apps are planted by someone with physical access to a person’s device and are designed to remain hidden on their home screens, but continuously and silently download content from the phone without the owner’s knowledge. .
SPYWARE SEARCH TOOL
You can check if your Android phone or tablet has been compromised here.
Months after the publication of our investigation revealing the stalkerware operation, a source provided TechCrunch with tens of gigabytes of data extracted from the stalkerware servers. The cache contains the main database of the stalkerware operation, which includes detailed records on every Android device that has been compromised by one of TheTruthSpy’s network stalkerware apps since early 2019 (although some records date back to 2019). ‘before) and what device data was stolen.
Since the victims had no idea that their device data had been stolen, TechCrunch extracted every unique device ID from the leaked database and created a search tool to allow anyone to check if their device was compromised by one of the stalkerware apps until April 2022, which is when the data was wiped.
TechCrunch has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows that TheTruthSpy’s network is huge, with victims on every continent and in almost every country. But stalking software like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to fight back, despite the growing threat it poses to victims.
First, a word about data. The database is approximately 34 gigabytes in size and consists of metadata, such as times and dates, as well as textual content, such as call logs, text messages, and location data – even names of Wi-Fi networks a device has connected to and what has been copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes. The database did not contain media, images, videos or call recordings from the victims’ devices, but rather recorded information about each file, such as when a photo or video was taken , and when calls were recorded and for how long, allowing us to determine how much content was exfiltrated from victim devices and when. Each compromised device downloaded a varying amount of data depending on how long their devices were compromised and the network coverage available.
TechCrunch reviewed data covering the period from March 4 to April 14, 2022, which is six weeks of the most recent data stored in the database at the time of the leak. It is possible that TheTruthSpy’s servers only retain certain data, such as call logs and location data, for a few weeks, but other content, such as photos and text messages, for longer.
That’s what we found.
The database contains approximately 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents the number of devices compromised by the operation to date and the number of people affected. The database also contains the email addresses of every person who has registered to use one of the many TheTruthSpy apps and stalkerware clones with the intention of planting them on a victim’s device, approximately 337 000 users. Indeed, some devices may have been compromised more than once (or by another application in the stalkerware network), and some users have more than one compromised device.
Approximately 9,400 new devices were compromised during the six-week period, according to our analysis, which represents hundreds of new devices every day.
The database stored 608,966 location data points during that same six-week period. We’ve plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how large-scale TheTruthSpy’s operation is. The animation is zoomed globally to protect the privacy of individuals, but the data is extremely granular and shows victims in transportation hubs, places of worship and other sensitive locations.
By breakdown, the United States ranked first with the most location data points (278,861) of any other country during the six-week period. India had the second highest number of location data points (77,425), Indonesia the third (42,701), Argentina the fourth (19,015) and the UK (12,801) the fifth .
Canada, Nepal, Israel, Ghana and Tanzania were also included in the top 10 countries in terms of location data volume.
The database contained a total of 1.2 million text messages, including the recipient’s contact name, and 4.42 million call logs over the six-week period, including detailed records of who called who, for how long, and their contact name and phone number.
TechCrunch has seen evidence that data was likely collected from children’s phones.
These stalkerware apps also recorded the content of thousands of calls over the six weeks, according to the data. The database contains 179,055 call recording file entries stored on another TheTruthSpy server. Our analysis correlated the recordings with the dates and times of the call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on US states that have stricter phone call recording laws, which require more than one person (or each person) on the line to agree that the call can be recorded or violate the laws of the state on telephone tapping. Most US states have laws that require at least one person to consent to registration, but stalkerware is inherently designed to operate without the knowledge of the victim.
We found evidence that 164 compromised devices in 11 states recorded thousands of calls over a six-week period without the knowledge of device owners. Most of the devices were located in densely populated states like California and Illinois.
The database also contained 473,211 records of photos and videos downloaded from compromised phones over the six weeks, including screenshots, photos received from messaging apps and saved to Camera Roll, and filenames, which may reveal information about the file. The database also contained 454,641 records of data siphoned from the user’s keyboard, known as a keylogger, which included sensitive credentials and codes pasted from password managers and other apps. It also includes 231,550 records of networks each device has connected to, such as the Wi-Fi network names of hotels, workplaces, apartments, airports and other guessable locations.
TheTruthSpy’s operation is the latest in a long line of stalkerware apps to expose victims’ data due to security flaws that then lead to a breach.
Although owning stalkerware applications is not illegal, using it to record calls and private conversations of people without their consent is illegal under federal wiretapping laws and many state laws. But while it’s illegal to sell phone monitoring apps for the sole reason of recording private messages, many stalkerware apps are sold under the guise of child monitoring software, but are often exploited to spy on phones. spouses and involuntary domestic partners.
Much of the effort against stalking software is led by cybersecurity companies and antivirus vendors working to block unwanted malware on users’ devices. The Coalition Against Stalkerware, which was launched in 2019, shares resources and samples of known stalkerware so that information about new and emerging threats can be shared with other cybersecurity companies and automatically blocked at the device level. . The coalition’s website has more information about what tech companies can do to detect and block stalking software.
But only a handful of stalkerware operators, such as Retina X and SpyFone, have been sanctioned by federal regulators like the Federal Trade Commission (FTC) for allowing large-scale surveillance, which relied on the use new legal approaches to bringing charges citing poor cybersecurity. practices and data breaches that fall more closely within their regulatory jurisdiction.
When contacted for comment by TechCrunch before publication, an FTC spokesperson said the agency does not comment if it is investigating a particular case.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 support for victims of domestic violence. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you suspect your phone has been compromised by spyware. You can reach this reporter on Signal and WhatsApp at +1 646-755-8849 or email firstname.lastname@example.org.
#TheTruthSpy #stalkerware #network #spying #thousands #people