consumer spyware The operation, called TheTruthSpy, continues to target thousands of people whose Android devices have been unknowingly compromised by the mobile surveillance app, especially due to a simple security flaw that the operator failed to fix. poses significant security and privacy risks.
Now, two groups of hackers have independently discovered a flaw that allows mass access to data on victims' stolen mobile devices directly from TheTruthSpy's servers.
Switzerland-based hacker Maia Arson Krimiu said in a blog post that the hacker collectives Gigidsec and Bytemeklu identified and exploited the flaw in December 2023. Krimiu said he was provided a cache of TheTruthSpy's victim data by Bytemekrew, and also his stack of TheTruthSpy software.
spyware search tool
Here you can check if your Android smartphone or tablet has been compromised.
In a Telegram post, SiegedSec and ByteMeCrew said that the leaked data is of a highly sensitive nature and will not be made public.
Crimew provided some of the compromised TheTruthSpy data to TechCrunch for verification and analysis. This included the unique device IMEI numbers and advertising IDs of tens of thousands of Android smartphones recently compromised by TheTruthSpy.
TechCrunch verified that the new data is genuine by checking some IMEI numbers and advertising IDs against a previous list of devices known to have been compromised by TheTruthSpy discovered in a previous TechCrunch investigation. It was confirmed.
The latest batch of data includes Android device identifiers for all phones and tablets compromised by TheTruthSpy through December 2023. Data shows that TheTruthSpy continues to actively spy on a large population of victims across Europe, India, Indonesia, the United States, and the United States. UK, etc.
TechCrunch has added the latest unique identifiers (approximately 50,000 new Android devices) to its free spyware search tool that lets you check if your Android device has been compromised by TheTruthSpy.
TheTruthSpy security bug leaks victim's device data
At one time, TheTruthSpy was one of the most prolific apps that facilitated covert surveillance of mobile devices.
TheTruthSpy is one of a family of near-identical Android spyware apps, including Copy9 and iSpyoo, that are secretly implanted on a person's device, usually by someone who knows their passcode. These apps are called “stalkerware” or “spouseware” because of their ability to illegally track and monitor people (often spouses) without their knowledge.
Apps like TheTruthSpy are designed to stay hidden from the home screen, making it difficult to identify and remove them, while also providing a dashboard that allows abusers to view the contents of a victim's phone. Continue to upload to.
But while TheTruthSpy touted its powerful monitoring capabilities, the spyware operation paid little attention to the security of the data it was stealing.
As part of our February 2022 Consumer Spyware App Investigation, TechCrunch found that TheTruthSpy and its clone apps share a common vulnerability that exposes victims' phone data stored on TheTruthSpy's servers. I discovered that there is. This bug is very easy to exploit, as it allows unrestricted remote access to all data collected from the victim's Android device, including text messages, photos, call recordings, and precise real-time location data. The damage will be especially great.
However, the operators behind TheTruthSpy did not fix the bug, leaving victims at risk of further data compromise. Only limited information about the bug, known as CVE-2022-0732, has since been made public, but TechCrunch continues to withhold details about the bug due to the ongoing risk it poses to victims.
Given the simplicity of this bug, it was only a matter of time before it was publicly exploited.
TheTruthSpy links with Vietnam-based startup 1Byte
This is the latest in a series of security incidents involving TheTruthSpy and, by extension, hundreds of thousands of people whose devices have been compromised and their data stolen.
In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and no possibility of alerting abusers), TechCrunch built a spyware search tool that anyone can use to see for themselves if their device has been compromised.
This search tool looks for matches to a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove his TheTruthSpy spyware if it is safe to do so.
However, TheTruthSpy's poor security practices and leaked servers also led to the exposure of the real-world identities of the developers behind the operation, who had gone to great lengths to hide their identities.
TechCrunch later discovered that a Vietnam-based startup called 1Byte was behind TheTruthSpy. Our investigation shows that 1Byte conducted a spyware campaign by funneling customer payments into Stripe and PayPal accounts set up as fake U.S. citizens using fake U.S. passports, social security numbers, and other falsified documents. It turned out that he had been making millions of dollars in revenue over the years.
Our investigation revealed that the false identities were linked to Vietnamese bank accounts operated by 1Byte employees and its director Van Thieu. At its peak, TheTruthSpy received more than $2 million in payments from customers.
Following recent inquiries from TechCrunch, PayPal and Stripe have suspended the spyware maker's accounts, as well as 1Byte, which hosts the infrastructure for the spyware operation and stores vast banks of victims' stolen phone data. So was the US-based web hosting company I was using.
After a US web host launched TheTruthSpy from its network, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost run by Alexandru Scutaru, who claims a policy of ignoring US copyright takedown requests. .
Although TheTruthSpy has been hobbled and degraded, it still actively facilitates the surveillance of thousands of people, including Americans.
TheTruthSpy threatens the security and privacy of past and present victims as long as it operates online. Not only because of this spyware's ability to invade an individual's digital life, but also because TheTruthSpy cannot prevent the stolen data from leaking onto the internet.
Read more on TechCrunch: