Inside TheTruthSpy, the stalkerware network spying on thousands - TechCrunch


A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans.

The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others.

These Android apps are planted by someone with physical access to a person's device and are designed to stay hidden on the home screen, but they continuously and silently upload the phone's contents without the owner's knowledge.

SPYWARE LOOKUP TOOL

You can check to see if your Android phone or tablet was compromised here.

Months after we published our investigation uncovering the stalkerware operation, a source provided TechCrunch with tens of gigabytes of data dumped from the stalkerware's servers. The cache contains the stalkerware operation's core database, which includes detailed records on each Android device that was compromised by any of the stalkerware apps in TheTruthSpy's network since early 2019 (though some records date earlier) and what device data was stolen.

Given that victims had no idea that their device data was stolen, TechCrunch extracted each unique device identifier from the leaked database and built a lookup tool to let anyone check whether their device was compromised by any of the stalkerware apps up to April 2022, which is when the data was dumped.
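A lookup tool like the one described above has to solve two problems: identifiers arrive in inconsistent forms (an IMEI typed with spaces or dashes, an advertising ID in upper case), and the set of compromised identifiers is itself sensitive, since publishing raw IMEIs would hand the victim list to anyone. The following added example is not TechCrunch's code and makes no claim about how its tool works; it shows one reasonable design. Identifiers are normalised (IMEIs are checked with the standard Luhn check digit, advertising IDs matched as UUIDs), then reduced to keyed hashes under a hypothetical server-side secret so the stored set cannot be brute-forced back into IMEIs, of which there are only about 10^14 valid values. The sample identifiers are constructed, not taken from the leak.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional, Set

# Constructed sample of the two identifier kinds the article says the database
# holds: IMEIs (15 digits) and advertising IDs (UUID form). Not real data.
LEAKED_IDENTIFIERS = [
    "490154203237518",                        # IMEI with a valid Luhn check digit
    "49-015420-323751-8",                     # same IMEI, as a user might type it
    "3f2d5d2b-8c3a-4d1e-9a7b-1c2d3e4f5a6b",   # advertising ID
]

# Hypothetical server-side secret. Because the stored tokens are HMACs, the set
# can be handled or even leaked without revealing the underlying identifiers.
LOOKUP_KEY = b"replace-with-a-real-random-secret"

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def imei_luhn_valid(digits: str) -> bool:
    """IMEI check digit: Luhn mod 10, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(identifier: str) -> Optional[str]:
    """Canonicalise user input to 'imei:<digits>' or 'adid:<uuid>'; None if unrecognised."""
    s = identifier.strip().lower()
    if UUID_RE.fullmatch(s):
        return "adid:" + s
    digits = re.sub(r"\D", "", s)          # drop spaces, dashes, slashes
    if len(digits) == 15 and imei_luhn_valid(digits):
        return "imei:" + digits
    return None                            # wrong length or failed check digit


def token(identifier: str) -> Optional[str]:
    """Keyed hash of the canonical identifier; the only thing the lookup set stores."""
    canon = normalize(identifier)
    if canon is None:
        return None
    return hmac.new(LOOKUP_KEY, canon.encode(), hashlib.sha256).hexdigest()


def build_lookup_set(identifiers: Iterable[str]) -> Set[str]:
    """Tokenise every identifier from the dump; duplicates in different spellings collapse."""
    return {t for t in (token(i) for i in identifiers) if t is not None}


def was_compromised(user_input: str, lookup_set: Set[str]) -> bool:
    """Server-side check: normalise, hash under the secret key, test membership."""
    t = token(user_input)
    return t is not None and t in lookup_set


LOOKUP_SET = build_lookup_set(LEAKED_IDENTIFIERS)

if __name__ == "__main__":
    for query in ["49 0154 20 323751 8", "490154203237519", "3F2D5D2B-8C3A-4D1E-9A7B-1C2D3E4F5A6B"]:
        print(query, "->", was_compromised(query, LOOKUP_SET))
```

Because the HMAC key stays on the server, an attacker cannot take the token set offline and enumerate IMEIs; they can only query the live endpoint, so rate limiting and logging of the lookup endpoint are still needed. Rejecting inputs that fail the Luhn check also stops most typos from being reported as "not compromised" when the user simply mistyped a digit.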

TechCrunch has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows TheTruthSpy's network is enormous, with victims on every continent and in nearly every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims.

First, a note about the data. The database is about 34 gigabytes in size and consists of metadata, such as times and dates, as well as text-based content, like call logs, text messages and location data, and even the names of Wi-Fi networks that a device connected to and what was copied and pasted from the phone's clipboard, including passwords and two-factor authentication codes. The database did not contain media, images, videos or call recordings taken from victims' devices, but instead logged information about each file, such as when a photo or video was taken, and when calls were recorded and for how long, allowing us to determine how much content was exfiltrated from victims' devices and when. Each compromised device uploaded a varying amount of data depending on how long it was compromised and on available network coverage.

TechCrunch examined the data spanning March 4 to April 14, 2022, or six weeks of the most recent data stored in the database at the time it was leaked. It's possible that TheTruthSpy's servers only retain some data, such as call logs and location data, for a few weeks, but other content, like photos and text messages, for longer.

This is what we found.

This image shows six weeks of cumulative location data plotted on a map of North America. The location data is highly granular and shows victims in major cities, urban hubs and traveling on major transport lines. Image Credits: TechCrunch

The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This figure represents how many devices were compromised by the operation to date and roughly how many people are affected. The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim's device, or about 337,000 users. The two figures differ because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.

About 9,400 new devices were compromised during the six-week span, our analysis shows, amounting to hundreds of new devices each day.

The database stored 608,966 location data points during that same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-scale TheTruthSpy's operation is. The animation is zoomed out to the world level to protect individuals' privacy, but the data is highly granular and shows victims at transit hubs, places of worship and other sensitive locations.

By country, the United States ranked first with the most location data points (278,861) during the six-week span. India had the second most location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth.

Canada, Nepal, Israel, Ghana and Tanzania were also among the top 10 countries by volume of location data.

This image shows the total number of locations ranked by country. The U.S. had the most location data points at 278,861 over the six-week span, followed by India, Indonesia and Argentina, which makes sense given their vast geographic areas and populations. Image Credits: TechCrunch

The database contained a total of 1.2 million text messages, including the recipient's contact name, and 4.42 million call logs during the six-week span, including detailed records of who called whom, for how long, and the contact's name and phone number.

TechCrunch has seen evidence that data was likely collected from the phones of children.

These stalkerware apps also recorded the contents of thousands of calls during the six weeks, the data shows. The database contains 179,055 entries for call recording files that are stored on a separate TheTruthSpy server. Our analysis correlated the dates and times of those call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on U.S. states with stricter call recording laws, which require that more than one person (or every person) on the line agree to the call being recorded, or else the recording falls foul of state wiretapping laws. Most U.S. states have statutes that require at least one person to consent to the recording, but stalkerware by nature is designed to work without the victim's knowledge at all.
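The correlation described above is a join on device and time between two tables that were never meant to be joined: call recording metadata (device, start time, duration) and location fixes (device, time, coordinates). The following added example is not TechCrunch's code; it shows one way to do that join. For each recording it finds the location fix for the same device that is closest in time to the call interval, discards matches outside a tolerance window so a fix from days earlier is not mistaken for where a call happened, maps the coordinates to a state, and counts unique recording devices per strict-consent state. All sample rows are constructed, the state bounding boxes are coarse stand-ins for the polygons a GIS tool would use, and the set of strict-consent states is just the four the article's figure names, not legal advice.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed rows modelled on the two record types the article describes.
# (device, call start, duration in seconds)
RECORDINGS = [
    ("dev-A", "2022-03-10T14:02:00", 185),
    ("dev-A", "2022-03-12T09:30:00", 40),
    ("dev-B", "2022-03-11T20:15:00", 600),
    ("dev-C", "2022-04-01T08:00:00", 90),    # no location fix anywhere near this time
]
# (device, fix time, latitude, longitude)
LOCATIONS = [
    ("dev-A", "2022-03-10T13:58:00", 34.05, -118.24),  # Los Angeles, 4 min before call
    ("dev-A", "2022-03-12T09:45:00", 37.77, -122.42),  # San Francisco, 14 min after call
    ("dev-B", "2022-03-11T20:20:00", 41.88, -87.63),   # Chicago, during the call
    ("dev-C", "2022-03-20T12:00:00", 40.44, -79.99),   # Pittsburgh, 12 days earlier
]

# Coarse (min_lat, max_lat, min_lon, max_lon) boxes: illustrative only, a real
# analysis would test points against actual state polygons.
STATE_BOXES: Dict[str, Tuple[float, float, float, float]] = {
    "California":   (32.5, 42.0, -124.5, -114.1),
    "Illinois":     (36.9, 42.5, -91.6, -87.0),
    "Pennsylvania": (39.7, 42.3, -80.6, -74.7),
}
# States singled out in the article's figure; verify current statutes before reuse.
STRICT_STATES = {"California", "Pennsylvania", "Washington", "Illinois"}

Fix = Tuple[datetime, float, float]


def time_gap(t: datetime, start: datetime, end: datetime) -> timedelta:
    """Distance from a fix time to the call interval; zero if the fix fell during the call."""
    if t < start:
        return start - t
    if t > end:
        return t - end
    return timedelta(0)


def nearest_fix(fixes: List[Fix], start: datetime, end: datetime,
                tolerance: timedelta) -> Optional[Tuple[float, float]]:
    """Closest fix to the call interval, or None if no fix is within the tolerance."""
    best: Optional[Tuple[timedelta, float, float]] = None
    for t, lat, lon in fixes:
        gap = time_gap(t, start, end)
        if gap <= tolerance and (best is None or gap < best[0]):
            best = (gap, lat, lon)
    return None if best is None else (best[1], best[2])


def state_for(lat: float, lon: float) -> Optional[str]:
    """First bounding box containing the point, or None if outside all of them."""
    for name, (lat0, lat1, lon0, lon1) in STATE_BOXES.items():
        if lat0 <= lat <= lat1 and lon0 <= lon <= lon1:
            return name
    return None


def place_recordings(recordings, locations, tolerance=timedelta(minutes=30)):
    """Attach a state (or None) to every recording by joining on device and time."""
    fixes: Dict[str, List[Fix]] = {}
    for dev, ts, lat, lon in locations:
        fixes.setdefault(dev, []).append((datetime.fromisoformat(ts), lat, lon))
    placed = []
    for dev, ts, secs in recordings:
        start = datetime.fromisoformat(ts)
        end = start + timedelta(seconds=secs)
        fix = nearest_fix(fixes.get(dev, []), start, end, tolerance)
        state = state_for(*fix) if fix else None
        placed.append((dev, start, secs, state))
    return placed


def devices_in_strict_states(placed, strict=STRICT_STATES) -> Dict[str, int]:
    """Unique recording devices per strict-consent state, as in the article's breakdown."""
    per_state: Dict[str, set] = {}
    for dev, _, _, state in placed:
        if state in strict:
            per_state.setdefault(state, set()).add(dev)
    return {s: len(devs) for s, devs in per_state.items()}


PLACED = place_recordings(RECORDINGS, LOCATIONS)

if __name__ == "__main__":
    for dev, start, secs, state in PLACED:
        print(dev, start.isoformat(), f"{secs}s", state)
    print(devices_in_strict_states(PLACED))
```

The tolerance is the important knob: too wide and a device that recorded a call in one state is attributed to a fix from another, too narrow and sparse location uploads (the article notes upload volume depended on network coverage) leave most recordings unplaced. Counting unique devices rather than recordings, as the article does, keeps one prolific device from dominating a state's total.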

We found evidence that 164 compromised devices in 11 states recorded thousands of calls over the six-week span without the knowledge of the device owners. Most of the devices were located in densely populated states like California and Illinois.

TechCrunch identified 164 unique devices that were recording the victim's phone calls during the six-week period and were located in states where call recording laws are among the strictest in the United States. California led with 76 devices, followed by Pennsylvania with 17 devices, Washington with 16 devices and Illinois with 14 devices. Image Credits: TechCrunch

The database also contained 473,211 records of photos and videos uploaded from compromised phones during the six weeks, including screenshots, photos received from messaging apps and saved to the camera roll, and filenames, which can reveal information about the file. The database also contained 454,641 records of data siphoned from the user's keyboard, known as a keylogger, which included sensitive credentials and codes pasted from password managers and other apps. It also includes 231,550 records of networks that each device connected to, such as the Wi-Fi network names of hotels, workplaces, apartments, airports and other guessable locations.

TheTruthSpy's operation is the latest in a long line of stalkerware apps to expose victims' data because of security flaws that subsequently lead to a breach.

While possessing stalkerware apps is not illegal, using them to record calls and private conversations of people without their consent is illegal under federal wiretapping laws and many state laws. And while it is illegal to sell phone monitoring apps for the sole purpose of recording private messages, many stalkerware apps are sold under the guise of child monitoring software, yet are often abused to spy on the phones of unwitting spouses and domestic partners.

Much of the effort against stalkerware is led by cybersecurity companies and antivirus vendors working to block unwanted malware from users' devices. The Coalition Against Stalkerware, which launched in 2019, shares resources and samples of known stalkerware so that information about new and emerging threats can be shared with other cybersecurity companies and automatically blocked at the device level. The coalition's website has more on what tech companies can do to detect and block stalkerware.

But only a handful of stalkerware operators, such as Retina X and SpyFone, have faced penalties from federal regulators like the Federal Trade Commission (FTC) for enabling wide-scale surveillance. Those cases have relied on novel legal approaches, bringing charges that cite poor cybersecurity practices and data breaches, which fall more squarely within the agency's regulatory purview.

When reached for comment by TechCrunch ahead of publication, a spokesperson for the FTC said the agency does not comment on whether it is investigating a particular matter.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or by email at zack.whittaker@techcrunch.com.
