22 hours ago
20 ARTICLE AD
A security vulnerability in a pair of phone-monitoring apps is exposing the personal data of millions of people who have the apps unwittingly installed on their devices, according to a security researcher who found the flaw.
The bug allows anyone to access the personal data — messages, photos, call logs, and more — exfiltrated from any phone or tablet compromised by Cocospy and Spyic, two differently branded mobile stalkerware apps that share largely the same source code. The bug also exposes the email addresses of the people who signed up to Cocospy and Spyic with the intention of planting the app on someone’s device to covertly monitor them.
Much like other kinds of spyware, products like Cocospy and Spyic are designed to remain hidden on a victim’s device while covertly and continually uploading their device’s data to a dashboard visible by the person who planted the app. By nature of how stealthy spyware can be, the majority of phone owners are likely unaware that their devices have been compromised.
The operators of Cocospy and Spyic did not return TechCrunch’s request for comment, nor have they fixed the bug at the time of publishing.
The bug is relatively simple to exploit. As such, TechCrunch is not publishing specific details of the vulnerability so as to not help bad actors exploit it and further expose the sensitive personal data of individuals whose devices have already been compromised by Cocospy and Spyic.
The security researcher who found the bug told TechCrunch that it allows anyone to access the email address of the person who signed up for either of the two phone-monitoring apps.
The researcher collected 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug to scrape the data from the apps’ servers. The researcher provided the cache of email addresses to Troy Hunt, who runs data breach notification service Have I Been Pwned.
Hunt told TechCrunch that he loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic to Have I Been Pwned, after he removed duplicate email addresses that appeared in both batches of data. Hunt said that as with previous spyware-related data breaches, the Cocospy and Spyic cache is marked as “sensitive,” in Have I Been Pwned, which means that only the person with an affected email address can search to see if their information is in there.
Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security mishaps in recent years, often as a result of bugs or poor security practices. By TechCrunch’s running count, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked, breached, or otherwise exposed customers’ and victims’ highly sensitive data online.
Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring apps but are often referred to as stalkerware (or spouseware), as some of these products expressly promote their apps online as a means of spying on a person’s spouse or romantic partner without their knowledge, which is illegal. Even in the case of mobile surveillance apps that are not explicitly marketed for nefarious activity, often the customers still use these apps for ostensibly illegal purposes.
Stalkerware apps are banned from app stores and so are usually downloaded directly from the stalkerware provider. As a result, stalkerware apps usually require physical access to someone’s Android device to be planted, often with prior knowledge of the victim’s device passcode. In the case of iPhones and iPads, stalkerware can tap into a person’s device’s data stored in Apple’s cloud storage service iCloud, which requires using their stolen Apple account credentials.
Stalkerware with a China nexus
Little else is known about these two spyware operations, including who runs Cocospy and Spyic. Stalkerware operators often try to eschew public attention, given the reputational and legal risks that go with running surveillance operations.
Cocospy and Spyic launched in 2018 and 2019, respectively. From the number of registered users alone, Cocospy is one of the largest-known stalkerware operations going today.
Security researchers Vangelis Stykas and Felipe Solferini, who analyzed several stalkerware families as part of a 2022 research project, found evidence linking the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer, whose website no longer loads.
This week, TechCrunch installed the Cocospy and Spyic apps on a virtual device (which allows us to run the apps in a safe sandbox without giving either of the spy services any real-world data, such as our location). Both of the stalkerware apps masquerade as a nondescript-looking “System Service” app for Android, which appears to evade detection by blending in with Android’s built-in apps.
We used a network analysis tool to watch data flowing in and out of the app to understand how the spyware operations work, what data is shared, and where the servers are located.
Our traffic analysis found the app was sending our virtual device’s data via Cloudflare, a network security provider which obfuscates the true real-world location and web host of the spyware operations. But some of the web traffic showed the two stalkerware apps were uploading some of victims’ data, like photos, to a cloud storage server hosted on Amazon Web Services.
Neither Amazon nor Cloudflare responded to TechCrunch’s inquiries about the stalkerware operations.
The analysis also showed that while using the app, the server would occasionally respond with status or error messages in Chinese, suggesting the apps are developed by someone with a nexus to China.
What you can do to remove the stalkerware
The email addresses scraped from Cocospy and Spyic allow anyone who planted the apps to determine if their information (and their victim’s data) was compromised. But the data does not contain enough identifiable information to notify individuals whose phones are compromised.
However, there are things you can do to check if your phone is compromised by Cocospy and Spyic. Like most stalkerware, both of these apps rely on a person deliberately weakening the security settings on an Android device to plant the apps — or in the case of iPhones and iPads, accessing a person’s Apple Account with knowledge of their username and password.
Even though both Cocospy and Spyic try to hide by appearing as a generic-looking app called “System Service,” there are ways to spot them.
With Cocospy and Spyic, you can usually dial ✱✱001✱✱ into your Android’s phone app’s keypad and then the “call” button to make the stalkerware apps appear on screen — if they are installed. This is a feature built into Cocospy and Spyic to allow the person who planted the app on the victim’s device to regain access. In this case, the feature can also be used by the victim to determine if the app is installed.
You can also check your installed apps through the apps menu in the Android Settings menu, even if the app is hidden from view.
The Cocospy and Spyic stalkerware apps masquerading as a ‘System Service’ app.Image Credits:TechCrunch
TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware. Remember to have a safety plan in place, given that switching off spyware may alert the person who planted it.
For Android users, switching on Google Play Protect is a helpful safeguard that can protect against malicious Android apps, including stalkerware. You can enable it from Google Play’s settings menu if it isn’t already enabled.
And for iPhone and iPad users who think you may be compromised, you should check that your Apple Account uses a long and unique password (ideally saved in a password manager) and that your account also has two-factor authentication switched on. You should also check and remove any devices from your account that you don’t recognize.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch viaSecureDrop.
