
Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?

A consumer-grade spyware operation called TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least because of a simple security flaw that its operators never fixed.

Now, two hacking groups have independently discovered the flaw that allows mass access to victims' stolen mobile device data directly from TheTruthSpy's servers.

Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy's victim data by ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy's software stack.

SPYWARE LOOKUP TOOL

You can check to see if your Android phone or tablet was compromised here.

In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data, given its highly sensitive nature.

Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy.

TechCrunch verified that the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of devices already known to be compromised by TheTruthSpy, as found during an earlier TechCrunch investigation.

The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.

TechCrunch has added the latest unique identifiers — about 50,000 new Android devices — to our free spyware lookup tool that lets you check if your Android device was compromised by TheTruthSpy.

Security bug in TheTruthSpy exposed victims' device data

For a time, TheTruthSpy was one of the most prolific apps for facilitating covert mobile device surveillance.

TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9 and iSpyoo among others, that are stealthily planted on a person's device by someone who typically knows their passcode. These apps are known as "stalkerware," or "spouseware," for their ability to illegally monitor and track people, often spouses, without their knowledge.

Apps like TheTruthSpy are designed to stay hidden from home screens, making them difficult to detect and remove, all while continuously uploading the contents of a victim's phone to a dashboard viewable by the abuser.

But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.

As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch found that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim's phone data stored on TheTruthSpy's servers. The bug is particularly damaging because it is extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim's Android device, including their text messages, photos, call recordings and precise real-time location data.

But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited details about the bug, tracked as CVE-2022-0732, were subsequently disclosed, and TechCrunch continues to withhold details of the bug because of the ongoing risk it poses to victims.

Given the simplicity of the bug, its public exploitation was only a matter of time.

TheTruthSpy linked to Vietnam-based startup 1Byte

This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.

In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (without potentially also alerting their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves whether their devices have been compromised.

The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware, if it is safe to do so.

But TheTruthSpy's poor security practices and leaky servers also helped to reveal the real-world identities of the developers behind the operation, who had gone to considerable lengths to hide their identities.

TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.

Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy took in over $2 million in customer payments.

PayPal and Stripe suspended the spyware maker's accounts following recent inquiries from TechCrunch, as did the U.S.-based web hosting companies that 1Byte used to host the spyware operation's infrastructure and store the vast banks of victims' stolen phone data.

After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost, run by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.

Though hobbled and degraded, TheTruthSpy still actively facilitates surveillance of thousands of people, including Americans.

For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware's ability to invade a person's digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the web.
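As an added illustration of how a lookup of this kind can be built (example code written for this page, not TechCrunch's own tool), the block below validates a user-supplied IMEI or Android advertising ID, canonicalizes it, and checks it against a constructed list of "known compromised" identifiers. Storing only SHA-256 digests of the list, so the service never holds raw identifiers, is a design assumption of this example.

```python
import hashlib
import re
from typing import Optional

# Constructed sample list standing in for identifiers known to be compromised.
# Only digests are kept so the lookup service itself never stores raw IMEIs or
# advertising IDs (an assumption of this example, not the real tool's design).
_KNOWN_RAW = [
    "490154203237518",                        # constructed, Luhn-valid IMEI
    "2f3a8c6e-1b4d-4e9f-9a1c-7d5b3e2f1a0c",   # constructed Android advertising ID
]

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

KNOWN_COMPROMISED = {_digest(v) for v in _KNOWN_RAW}

# Android advertising IDs are UUID-shaped (8-4-4-4-12 hex digits).
_AD_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def luhn_ok(digits: str) -> bool:
    """Luhn check for a 15-digit IMEI; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def normalize(identifier: str) -> Optional[str]:
    """Return a canonical IMEI or advertising ID, or None if input is neither."""
    s = identifier.strip().lower()
    digits = re.sub(r"[\s-]", "", s)        # IMEIs are often typed with dashes/spaces
    if re.fullmatch(r"\d{15}", digits) and luhn_ok(digits):
        return digits
    if _AD_ID_RE.fullmatch(s):
        return s
    return None                             # rejects typos before any lookup happens

def lookup(identifier: str) -> str:
    """Return 'invalid', 'match' or 'no-match' for one user-supplied identifier."""
    canon = normalize(identifier)
    if canon is None:
        return "invalid"
    return "match" if _digest(canon) in KNOWN_COMPROMISED else "no-match"
```

Rejecting malformed input up front keeps the service from reporting "no match" for what is really a typo, which would falsely reassure a victim.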
