A covert sector thrives catering to individuals desiring to clandestinely track their family members. Various developers promote their products, oftentimes dubbed stalkerware, which enables suspicious individuals to secretly observe their partners by gaining unauthorized access to their smartphones.
However, the ironical twist lies in the vast quantities of sensitive data these firms are inadvertently letting slip through their fingers.
TechCrunch has documented, with the recent intrusion into mSpy’s systems included, that at the very least, 20 stalkerware firms have been victimized by cyberattacks or unintentional data disclosures online since 2017. This includes four vendors who have suffered breaches on multiple occasions.
The year 2024 witnessed at least two substantial breaches within this disreputable industry. The latest involved mSpy, a long-established stalkerware application, resulting in the exposure of millions of customer support inquiries, compromising the personal details of a vast number of its users.
Previously, the tactics of an unknown assailant allowed them to infiltrate the systems of pcTattletale, a stalkerware vendor based in the United States. The perpetrator extracted internal company data and defaced the company’s official website, aiming to disgrace the business. This action came shortly after a TechCrunch report disclosed pcTattletale’s use for monitoring activities at a U.S. hotel chain’s reception desks.
Following the hack, the exposure, and the subsequent public shaming, pcTattletale’s founder, Bryan Fleming, announced the closure of his enterprise.
Software applications like mSpy and pcTattletale, often branded as “stalkerware” or “spouseware,” cater to suspicious spouses who deploy them for covertly observing their partners. These firms often blatantly advocate their solutions for unearthing infidelity, encouraging illicit and morally questionable activities. Furthermore, numerous legal battles, investigative reports, and studies involving domestic abuse facilities have showcased the real-life dangers and violence that can stem from such clandestine surveillance.
This has invariably made these stalkerware firms an attractive target for hackers.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a prominent figure in the battle against stalkerware, points out these entities as “soft targets.”
“These firm owners might not be the most ethical or principally concerned about their product’s integrity,” Galperin expressed to TechCrunch.
Considering the history of security lapses within this sector, Galperin’s remark might just be putting it mildly. The blatant disregard these companies have for securing their customer data — and by extension, the private details of countless unsuspecting victims — amplifies the irresponsibility of using such invasive software. Stalkerware clients not only risk legal repercussions and perpetrate partner abuse but also endanger sensitive data.
An Overview of Stalkerware Security Breaches
The onslaught of security breaches shadowing the stalkerware sector initiated in 2017 with hackers targeting the U.S.-rooted Retina-X and Thailand’s FlexiSpy consecutively. These incidents disclosed that between them, the two companies serviced an international clientele base of 130,000.
The hackers, taking pride in their intrusion, stated their objective was to shed light on and eventually dismantle a sector they deemed morally repugnant.
“I intend to raze them to the ground, leaving no hiding place for their revival,” one invader confided to Motherboard about FlexiSpy. They continued, “I hope they disintegrate and contemplate their actions. Yet, I’m wary they might try resurrecting under a new guise. Should that happen, I’ll be ready.”
Despite these contraventions and sustained negative scrutiny, FlexiSpy continues its operations today, unlike Retina-X which faltered following multiple attacks.
After breaching Retina-X, the antagonist wiped its servers aiming to debilitate the firm. Not long after regaining its footing, Retina-X faced another breach, subsequently announcing its cessation.
Close on the heels of the second Retina-X incident, two more stalkerware vendors, Mobistealth and Spy Master Pro, had vast swathes of their customer and victim data stolen. Similar fate befell the India-based SpyHuman a few months later, with hackers making away with extensive personal communication logs.
An accidental data leak, unlike a deliberate hack, implicated SpyFone when it carelessly left a cloud storage unguarded online. Consequently, a wealth of stolen personal data, unbeknownst to the victims of surveillance, was laid bare for public access.
Additional stalkerware firms guilty of negligently exposing victim and client data online include FamilyOrbit, mSpy, Xnore, MobiiSpy, KidsGuard, pcTattletale, and Xnspy, each demonstrating varying degrees of security lapses.
In terms of outright hacks, Copy9, LetMeSpy, WebDetetive, OwnSpy, Spyhide, Oospy, and the recent mSpy breach enumerate instances where attackers directly compromised these companies’ security to steal or destroy data.
Notably, TheTruthSpy holds the dubious distinction of being breached or leaking data no less than three times.
Unrepentant After Hacks
Out of the 20 stalkerware companies identified by TechCrunch, eight have shuttered. A notable case emerged when the Federal Trade Commission barred SpyFone and its CEO, Scott Zuckerman, from the surveillance market due to a security misstep that led to a significant data leak, leading another linked operation, SpyTrac, to close after investigative work by TechCrunch.
However, a closure does not necessarily spell the end for a stalkerware company. Some, like Spyhide and SpyFone, reemerge under new branding, demonstrating the resilience and adaptability of these nefarious players.
“These hacks have an impact, indeed making a mark, but expecting a stalkerware entity to simply vanish after a breach is impractical,” Galperin commented. “More often, these companies sprout anew, much like mushrooms after a rainstorm,” she added.
On a brighter note, recent findings from Malwarebytes suggest a decline in stalkerware usage, supported by an uptick in negative app reviews from dissatisfied customers or prospects. Yet, Galperin posits this could also indicate that security services are less adept at stalkerware detection, or perhaps cyberstalkers have shifted towards physical tracking devices like AirTags for surveillance.
“Stalkerware is but a fragment of a broader scheme of tech-facilitated abuse,” Galperin remarked.
Rejecting Stalkerware
Employing spyware to monitor loved ones is deemed unprincipled and unlawfully invasive in many regions, posing substantial privacy invasions and potential legal repercussions.
This stark reality, coupled with the stalkerware developers’ proven inability to safeguard data, underscores the importance of abstaining from such apps. Although monitoring one’s children using stalkerware may be legal in specific locales like the U.S., it remains ethically questionable.
Even within legal bounds, Galperin advises parents to seek transparent and consensual monitoring solutions, advocating for reputable parental tracking features provided by major smartphone platforms over unsecured and invasive stalkerware applications.
Update as of July 16, noting the recent mSpy security breach.
For immediate assistance, contact the National Domestic Violence Hotline (1-800-799-7233) for confidential support 24/7 if you or someone you know is a victim of domestic abuse. In emergency situations, dial 911. Visit the Coalition Against Stalkerware for resources if you suspect spyware compromise on your device.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
