Another little-known phone monitoring outfit has quietly amassed half a million customers, whose email addresses are now in Have I Been Pwned.
A bug in the Android and iPhone monitoring operations allows anyone to access private data exfiltrated from a victim's device.
Key findings from our analysis include:
Advanced Surveillance Capabilities:
Comprehensive Data Exfiltration:
Persistence Mechanisms:
Abuse of Legitimate Services:
Indicators of Compromise (IoCs):
Need for Collective Protection:
people frequently reach out to me with companies to look into. usually it takes me about 10 minutes before i move on for one reason or another—it's not interesting for a story or has good security, for example. i didnt expect anything different when an acquaintance told me about Tracki, a self-proclaimed "world leader in GPS tracking" that they suspected could be used nefariously.
at first glance, Tracki appeared to be a serious company, maybe even one that cared about security. we could never have guessed what was about to unfold before us.
half a year into our investigation, we'd found it all: a hidden conglomerate posing as five independent companies, masked from governments and customers alike through the use of dozens of false identities, US letterbox companies, and an undeclared owner. a 90s phone sex scheme that, through targeting by one of hollywood's most notorious fixers, spiraled into a collection of almost a hundred domains advertising everything from online dating to sore throat remedies. a slew of device-assisted murder cases, on top of potential data breaches affecting almost 12 million users, ranging from federal government officials to literal infants. and most importantly, a little-known Snoop Dogg song. how in the world did we get here?
starting our descent
PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target's browser.
we continue our series on stalkerware with a write-up and batch of data sent to me by a source last night. this time it is the brazilian ownspy (aka webdetective and saferspy, by mobileinnova) that has been completely hacked. among other things ownspy claims to be the #1 most privacy focused "parental control app" allegedly featuring E2E encryption, if this sounds too good to be true that's because it mostly is, but more on that later.
year after it was banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.
A groundbreaking FTC order in 2021 banned the stalkerware app SpyFone, its parent company Support King, and its chief executive Scott Zuckerman from the surveillance industry. The order, unanimously approved by the regulator’s five sitting commissioners, also demanded that Support King delete the phone data it illegally collected and notify victims that its app was secretly installed on their device.
Leaked data obtained by TechCrunch reveals the notorious network of Android spyware apps tracked locations and recorded calls of Americans.
It's not just one spyware app exposing people's phone data, but an entire fleet of Android spyware apps that share the same security vulnerability.
