Another mobile stalking app has been hacked, endangering both its customers and the victims that they spy on. According to Motherboard, an anonymous hacker gained access to servers at TheTruthSpy, a company that advertises software for jealous partners to track each other.
TheTruthSpy sells an iOS and Android app that enables someone to spy on someone else’s phone. The software is not available on official app stores and has to be installed on a jailbroken iPhone or via an alternative source on an Android phone. It should be installed onto “the phone they own and have proper consent to monitor,” according to the company’s website, which also advertises it for catching cheating spouses and has a section titled “how to hack a cell phone”. Hmm.
The site’s painfully-worded blurb reads thus:
If you are not able to make sure that whether your spouse is cheating on you or not, you can use a spying application to remove your doubts. Taking the help of spy apps, you can collect evidence against your spouse.
The software lets people track the location of a victim’s phone, view their call logs (including deleted ones) and record calls, monitor instant messages, SMS texts and browsing histories, and even eavesdrop on the victim wherever they are.
Exposing the keys to the kingdom
The hacker, who contacted Motherboard using the initials LM, reverse engineered the Android app and found a vulnerability that they used to access the company’s media server. There, they were able to access a list of unique customer IDs along with audio files.
They used the IDs as parameters in web queries, which returned the customers’ usernames and passwords in plaintext. A quick script enabled them to slurp 10,000 login credentials. This gave them access to pictures, audio recordings, location information and text messages from the spying victims’ phones. That’s a stalker’s dream, and puts thousands of people at risk.
The hack also affects the people doing the spying, too, because even in 2018, many people still reuse their passwords across multiple services. That enabled the hacker to break into email and PayPal accounts, among other things.
Motherboard verified the whole thing by checking to see if the accounts already existed. It found that half of them were still active, all of which goes to show that TheTruthSpy could use a competent coder, in addition to a decent copy-editor. The hacker has since lost access to the compromised accounts after TheTruthSpy updated its servers, the news outlet reported.
This isn’t the first spyware company to be hacked. Retina-X shuttered its app after being hit earlier this year.
Mobile spyware links to domestic abuse
TheTruthSpy also touts the app as a mechanism for monitoring employees and for parental control. This is a common modus operandi for what a research team from Cornell Tech, Cornell University and New York University calls ‘intimate partner surveillance’ apps that are common tools for domestic abusers.
Abusers have been documented using these apps to stalk their current or former partners. In some cases, they can go to extremes. One woman was arrested after installing tracker software on her boyfriend’s phone so that she could have him killed.