A shocking investigation by Swiss hacker “maia arson crimew” has exposed TheTruthSpy, a notorious stalkerware app, for spying on its own users due to gross security negligence. The update adds about 50,000 victims to the list of 400,000 who have already had their data stolen maliciously because of the app.
TheTruthSpy is a stealthy surveillance program planted on victims’ phones, often by abusive partners, to secretly monitor communications and activities. However, crimew revealed that this invasive spyware operation fails to safely handle stolen user data, creating further privacy violations. The result is that unaware victims are having their data stolen by multiple people.
What Is Stalkerware and Why Is It Dangerous?
Stalkerware, also called spouseware, refers to commercial spying software marketed for remote monitoring of spouses, partners, employees, children, and others without consent. Once installed on the victim’s phone, the hidden apps silently upload private usage data including messages, photos, locations, and browsing history to a dashboard viewable by the stalker.
Consumer spyware apps are, in some cases, available on the Google Play Store while others can be installed on Android devices via “.apk” files.
To install them, the spies have to gain physical access to unlock and tamper with the target device. This makes victims vulnerable to continued abuse and control in toxic relationships. Stalkerware access can enable life-threatening domestic violence through surveillance of escape plans.
While they are usually advertised as aids to parental oversight, the majority of stalkerware customers deploy them illegally out of mistrust and jealousy. Security experts lambast stalkerware companies for enabling intimate partner abuse and failing to deter criminal use cases. The invasive software is already illegal in some jurisdictions in the US (though enforcement is nonexistent) and faces legislative bans in several US states and countries including Germany.
Spying On Victims Twice – How TheTruthSpy Got Hacked
It shouldn’t be all that surprising that a hacking tool doesn’t actually care about the cybersecurity of its victims. Despite promises of powerful monitoring abilities, the TheTruthSpy spyware operation neglected to secure its own infrastructure and left the massive volumes of stolen user data it stored exposed. This oversight subjected every compromised victim to additional privacy risks beyond the app itself.
In December 2022, hacking groups ByteMeCrew and SiegedSec independently discovered a trivial vulnerability that granted them access to TheTruthSpy’s database. An authentication bypass via an insecure direct object reference allowed anyone to view a significant amount of detail on every compromised device. This included personal information submitted during app registration by the controlling partners and employers.
Crimew acquired the pilfered database from ByteMeCrew for further scrutiny of TheTruthSpy’s inner workings and weaknesses. Her investigation uncovered even more flaws that permitted unauthorized access and arbitrary code execution. She also matched leaked data to publicly searchable identities of TheTruthSpy developers.
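The following is an added illustration, not code from the article or from TheTruthSpy, of the bug class named above: an insecure direct object reference, where a handler returns whatever record id the client asks for without checking that the caller’s session owns it. The account names, device ids and record contents are constructed; the hardened handler and the log-based enumeration check are generic defensive patterns, not a description of how TheTruthSpy was actually fixed or monitored.

```python
"""Added example: an IDOR handler, the ownership check that closes it, and a
simple detector for id-enumeration in access logs. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    device_id: int
    owner_account: str   # account that registered the monitored device
    contents: str        # stands in for stored messages, locations, photos


# Constructed back-end table: two accounts, three monitored devices.
DEVICES = {
    101: DeviceRecord(101, "acct_a", "device 101 data"),
    102: DeviceRecord(102, "acct_a", "device 102 data"),
    205: DeviceRecord(205, "acct_b", "device 205 data"),
}


class Forbidden(Exception):
    """Raised when the session does not own the requested record."""


def get_device_vulnerable(session_account: str, device_id: int) -> DeviceRecord:
    """IDOR: the client-supplied id is trusted and the session is never
    consulted, so any logged-in account can walk every device id."""
    return DEVICES[device_id]


def get_device_hardened(session_account: str, device_id: int) -> DeviceRecord:
    """Fix: authorise against the server-side session, not the supplied id.
    Unknown and foreign ids get the same error so ids cannot be probed."""
    record = DEVICES.get(device_id)
    if record is None or record.owner_account != session_account:
        raise Forbidden("no such device for this account")
    return record


def enumerate_as(session_account: str, handler, id_range) -> list[int]:
    """Walk a range of ids as one account; returns the ids that came back.
    Shows how much each handler exposes to a single low-privilege session."""
    leaked = []
    for device_id in id_range:
        try:
            handler(session_account, device_id)
        except (KeyError, Forbidden):
            continue
        leaked.append(device_id)
    return leaked


def flag_enumeration(access_log: list[tuple[str, int]], threshold: int) -> list[str]:
    """Detection side: accounts that touched more distinct device ids than
    `threshold` in the supplied (account, device_id) log window."""
    seen = defaultdict(set)
    for account, device_id in access_log:
        seen[account].add(device_id)
    return sorted(a for a, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_as("acct_b", get_device_vulnerable, range(100, 300)))
    print("hardened:  ", enumerate_as("acct_b", get_device_hardened, range(100, 300)))
    # Constructed log: acct_b probing many ids, acct_a using its own two devices.
    log = [("acct_b", i) for i in range(100, 160)] + [("acct_a", 101), ("acct_a", 102)]
    print("flagged:   ", flag_enumeration(log, threshold=10))
```

The two handlers differ by a single condition; the point is that the authorisation decision must come from server-held session state, never from the identifier the client chose. The log check is deliberately coarse, but a spike in distinct object ids per session is the signal an IDOR sweep leaves behind.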
How to Check If You’ve Been Compromised
This wasn’t the first major blunder experienced by TheTruthSpy. Earlier leaks analyzed by TechCrunch reporter Zack Whittaker made it possible to correlate device identifiers with known compromised units. Whittaker built an automated online database allowing Android users to check whether their phone matched records in TheTruthSpy’s stolen data trove.
This free tool also detects mobile devices infected by TheTruthSpy clone apps like Hoverwatch, iSpyoo, and others – all of which share its flawed back-end framework called Jexpa.
Crimew’s new findings expanded the breach database to 50,000 compromised devices including recent 2023 infections. She provided the updated compromised device list to Whittaker, who incorporated it into the spyware lookup tool.
Vietnam Startup 1Byte Linked To TheTruthSpy
Adding insult to injury, the poorly disguised operations carried out by TheTruthSpy’s developers failed to mask their real-world identities. Whittaker’s prior work exposed the Vietnamese IT company 1Byte and its director “Vardy Thieu” as some of the prominent figures behind the stalkerware business.
Despite apparent efforts to conceal their identities through fake American personas and shell companies, traceable transactions led straight back to staff located in Hanoi. According to records reviewed by Whittaker, 1Byte raked in at least $2 million in subscription fees through TheTruthSpy’s commercial spying suite.
How to Check for and Remove TheTruthSpy
If you are concerned that your device’s security may have been compromised, visit TechCrunch’s spyware lookup tool. Enter your smartphone’s IMEI number and Android advertising ID to see if it matches a device found in TheTruthSpy’s breach database.
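As an added example, and not TechCrunch’s tool or its data, here is an offline version of the kind of check described above. It normalises an IMEI, verifies its check digit (IMEIs carry a Luhn check digit, so most typos are caught before any lookup), normalises an Android advertising ID, and compares SHA-256 fingerprints of both against a breach list that itself holds only hashes, so the list reveals no raw identifier. The breach list and the sample identifiers are constructed for the example.

```python
"""Added example: offline breach-list check for an IMEI and an Android
advertising ID using hashed identifiers. The breach list is constructed."""
import hashlib
import re

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def normalise_imei(raw: str) -> str:
    """Strip spaces and dashes; an IMEI is exactly 15 digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 15:
        raise ValueError("IMEI must contain 15 digits")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn check digit, as used by IMEIs: double every second digit from
    the right, subtract 9 from any result above 9, sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_ad_id(raw: str) -> str:
    """Advertising IDs are UUIDs; compare them lower-cased and trimmed."""
    value = raw.strip().lower()
    if not UUID_RE.fullmatch(value):
        raise ValueError("advertising ID must be a UUID")
    return value


def fingerprint(value: str) -> str:
    """Store and compare hashes so the breach list never contains raw IDs."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()


# Constructed breach list (hypothetical): one sample IMEI with a valid Luhn
# check digit and one sample advertising ID, both stored only as hashes.
BREACHED = {
    fingerprint("490154203237518"),
    fingerprint("38400000-8cf0-11bd-b23e-10b96e40000d"),
}


def check_device(imei_raw: str, ad_id_raw: str) -> dict:
    """Return which identifiers validate and which appear in the breach list.
    An IMEI that fails its check digit is reported invalid and not looked up,
    since it is almost certainly mistyped."""
    result = {"imei_valid": False, "imei_hit": False, "ad_id_hit": False}
    imei = normalise_imei(imei_raw)
    if luhn_valid(imei):
        result["imei_valid"] = True
        result["imei_hit"] = fingerprint(imei) in BREACHED
    result["ad_id_hit"] = fingerprint(normalise_ad_id(ad_id_raw)) in BREACHED
    return result


if __name__ == "__main__":
    print(check_device("49-015420-323751-8", "38400000-8CF0-11BD-B23E-10B96E40000D"))
    print(check_device("490154203237519", "00000000-0000-0000-0000-000000000000"))
```

Hashing both sides before comparison is the design choice worth copying: a lookup service can answer “is this device in the leak?” without ever holding, or receiving, the raw device identifiers of the people querying it.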
For victims seeking to regain control after confirming that they have been infected by this stalkerware, removing the hidden apps can be risky before reaching safety. If you are able to remove it safely, without the threat of retaliation from an abuser, check out Malwarebytes’ guide to uninstalling this kind of software.
Moving Forward – Accountability For Stalkerware Makers?
Despite openly flouting laws prohibiting secret surveillance, shady spyware operations like TheTruthSpy continue victimizing people to this day. However, crimew notes that the long rap sheet of ethical negligence makes legal intervention overdue, even if only symbolic.
Ultimately, stalkerware distribution models thrive on evasion and information asymmetry: providers obscure their ownership while selling to predators who covertly spy on their intimate partners to keep track of their activities and gain leverage over them. Worryingly, unlike other more heavily regulated spheres of the consumer software arena, few incentives promote safer design or ethical practices.
Instead, insecurity and breach risks compound the privacy destruction caused by these parasitic technologies. Those who are unknowingly monitored suffer ongoing abuse through data exposure.
Perhaps breach accountability legislation that aims to apply fines to those who abuse this kind of technology can result in additional protections for those who have fallen victim to this type of crime. Unfortunately, few if any major politicians are making any major pushes to further criminalize this behavior.
Until then, victims have little to no recourse to obtain compensation from businesses built on violating their privacy and accessing their data without consent. The only alternative they have for now is severing whatever relationship enabled their technology-aided oppression.