A security vulnerability in a pair of phone-monitoring apps is exposing the personal data of millions of people who have the apps unwittingly installed on their devices, according to a security researcher who found the flaw.
The bug allows anyone to access the personal data — messages, photos, call logs, and more — exfiltrated from any phone or tablet compromised by Cocospy and Spyic, two differently branded mobile stalkerware apps that share largely the same source code. The bug also exposes the email addresses of the people who signed up to Cocospy and Spyic with the intention of planting the app on someone’s device to covertly monitor them.
Much like other kinds of spyware, products like Cocospy and Spyic are designed to remain hidden on a victim’s device while covertly and continually uploading their device’s data to a dashboard visible by the person who planted the app. By nature of how stealthy spyware can be, the majority of phone owners are likely unaware that their devices have been compromised.
The operators of Cocospy and Spyic did not return TechCrunch’s request for comment, nor have they fixed the bug at the time of publishing.
The bug is relatively simple to exploit. As such, TechCrunch is not publishing specific details of the vulnerability so as to not help bad actors exploit it and further expose the sensitive personal data of individuals whose devices have already been compromised by Cocospy and Spyic.
The security researcher who found the bug told TechCrunch that it allows anyone to access the email address of the person who signed up for either of the two phone-monitoring apps.
The researcher collected 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug to scrape the data from the apps’ servers. The researcher provided the cache of email addresses to Troy Hunt, who runs data breach notification service Have I Been Pwned.
Hunt told TechCrunch that he loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic to Have I Been Pwned, after he removed duplicate email addresses that appeared in both batches of data. Hunt said that as with previous spyware-related data breaches, the Cocospy and Spyic cache is marked as “sensitive,” in Have I Been Pwned, which means that only the person with an affected email address can search to see if their information is in there.
Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security mishaps in recent years, often as a result of bugs or poor security practices. By TechCrunch’s running count, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked, breached, or otherwise exposed customers’ and victims’ highly sensitive data online.
Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring apps but are often referred to as stalkerware (or spouseware), as some of these products expressly promote their apps online as a means of spying on a person’s spouse or romantic partner without their knowledge, which is illegal. Even in the case of mobile surveillance apps that are not explicitly marketed for nefarious activity, often the customers still use these apps for ostensibly illegal purposes.
... continue reading