A huge cache of leaked data shows the inner workings of stalkerware that is spying on hundreds of thousands of people around the world, including Americans.
The data includes logs, text messages, granular location data and other personal data of unsuspecting victims whose Android phones and tablets were compromised by nearly identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others.
These Android apps are planted by someone with physical access to a person’s device and are designed to remain hidden on their home screen, but they continuously and silently upload phone content without the owner’s knowledge.
SPYWARE LOOKUP TOOL
You can check whether your Android phone or tablet has been hacked with this tool.
Months after we published our investigation uncovering the stalkerware operation, a source provided TechCrunch with ten gigabytes of data leaked from the servers. The cache contains the core database of the stalkerware operation, which includes every Android device compromised by any of the stalkerware apps on TheTruthSpy’s network since the beginning of 2019 (although some records date from before then), and what data was stolen from those devices.
Since those victims didn’t know their data had been stolen, TechCrunch extracted every unique device identifier from the leaked database and created a tool to let people check whether their device had been compromised by any of the stalkerware apps up until April 2012, which is when the data was scraped.
TechCrunch analyzed the rest of the database. Using mapping software for geospatial analysis, we mapped hundreds of thousands of geographic data points from the database to understand the scale. Our analysis shows that TheTruthSpy’s network is very large, with victims on every continent and in almost every country. But organizations like TheTruthSpy operate in a legal gray area that makes it difficult for authorities around the world to combat them, even though the threat has a growing number of victims.
First, let’s talk about the data. The database is about 34 gigabytes in size and consists of metadata such as dates and times, as well as text-based content such as call logs, text messages and location information, including the names of the Wi-Fi networks to which the device connected and what was copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes. The database does not contain images, videos or pictures taken from victims’ devices, but instead holds information about each file, such as when a photo or video was taken, and when calls were recorded and for how long, which allows us to determine how much content was obtained from victims’ devices and when. Each device uploaded a different amount of data depending on how long it was compromised and the available network coverage.
TechCrunch analyzed data from March 4 to April 14, 2022, or the six weeks of most recent data stored in the database. It is possible that TheTruthSpy servers only retain some data, such as call logs and location data, for several weeks, but other content, such as images and text messages, for longer.
This is what we found.
The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices have been compromised by the operation and how many people are affected. The database also contains the e-mail addresses of every person who signed up to use one of the many TheTruthSpy and clone tools with the intention of planting them on a victim’s device, or about 337,000 users. This means that some devices may have been compromised more than once (or by another app on the stalkerware network), and some users have more than one compromised device.
About 900,000 new thoughts were designed in the space of six weeks, our analysis shows, hundreds of new thoughts every day.
The database stored 608,966 location data points over the same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how widespread TheTruthSpy’s operation is. The animation is zoomed out to world level to protect the privacy of individuals, but the data is extremely granular and shows the victims in deportation camps, places of worship and other sensitive areas.
By breakdown, the United States ranked first with the most location data points (278,861) of any country over the six-week period. India ranked second (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom fifth (12,801).
Canada, Nepal, Israel, Ghana and Tanzania are also included in the top 10 countries by volume of location data.
The database contained a total of 1.2 million messages, including the recipient’s contact name, and 4.42 million call records over a six-week period, including detailed records of who called whom, for how long, and their contact name and phone number.
TechCrunch has seen evidence that the data was likely collected from children’s phones.
These stalkerware apps also recorded thousands of calls over six weeks, the data shows. The database contains 179,055 entries of call recording files that are stored on another TheTruthSpy server. Our analysis correlated the dates and times of call recordings with location data stored elsewhere in the database to determine where the calls were recorded. In the United States, we noted that some states have stricter wiretapping laws that require more than one person (or every person) on the line to agree that the call can be recorded, or else fall foul of the state’s wiretapping laws. Most states have statutes that require at least one person to consent to the recording, but the nature of stalkerware is that it is designed to operate without the victim’s knowledge.
We found evidence that 164 compromised devices in 11 states recorded thousands of calls over a six-week period without the knowledge of the devices’ owners. Most of the devices were located in populous states like California and Illinois.
The database also contains 473,211 records of photos and videos uploaded from compromised phones over a six-week period, including screenshots, images downloaded from messaging apps and saved to the camera’s file system, and filenames that can reveal information about the file. The database also contained 454,641 records of information siphoned from a user’s keyboard, known as a keylogger, which included sensitive documents and pasted codes from password managers and other apps. It also contains 231,550 records of networks that each device connected to, such as Wi-Fi network names of hotels, workplaces, apartments, airports and other speculative locations.
TheTruthSpy operation is the latest in a long line of stalkerware apps to expose victims’ data because of security flaws that later lead to the breach.
While possession of stalkerware apps is not illegal, their use to record calls and private conversations of individuals without their consent is not permitted under federal surveillance laws and many state laws. But since phone monitoring apps are not allowed for the sole purpose of recording private messages, many of the popular apps sold under the guise of child monitoring software are often misused to spy on the phones of unwitting spouses and family members.
Much of the effort against stalkerware is led by cybersecurity companies and antivirus vendors who block unwanted malware from users’ devices. The Coalition Against Stalkerware, which was launched in 2019, shares resources and examples of known stalkerware so that information about new and emerging threats can be shared with other cybersecurity companies and automatically blocked at the device level. The coalition has more information from tech companies about what they can do to detect and contain stalkerware.
But only a few of the stalkerware operators, like Retina X and SpyFone, have faced penalties from federal regulators like the Federal Trade Commission (FTC) as they have largely surrounded surveillance, which has led to new legal-based approaches to poor cybersecurity practices and data breaches that fall more closely within their regulatory oversight.
When reached for comment by TechCrunch ahead of publication, a spokesperson for the FTC said the agency does not comment on whether it will investigate a particular matter.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support for victims of domestic abuse and violence. If you’re in an emergency, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been targeted by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] by email.