TechCrunch learned that consumer-grade spyware operations, called Spyx, were hit by a data breach last year. The violation reveals that Spyx and two other related mobile apps have records of around 2 million people at the time of the violation, including thousands of Apple users.
The data breach dates back to June 2024, but has not been reported previously, and there is no indication that Spyx operators have notified customers or Spyware subjects.
The SPYX family of mobile spyware is now known to have exposed or exposed victim or user data in the 25th mobile surveillance operation or other ways since 2017 when it is now known to have experienced a data breaches, indicating that the consumer-grade spyware industry continues to multiply and puts people's personal data at risk.
This violation also provides a rare perspective on how Stalkerware, like Spyx, can target Apple customers.
Troy Hunt running a data breach notification site has received a copy of the data that I was pwned and compromised in the form of two text files.
Hunt said that the majority of email addresses are associated with SPYX. The cache also contains less than 300,000 email addresses associated with two almost identical clones of the SPYX app called MSAFELY and SPYPHONE.
Hunt said about 40% of my email addresses are already PWNed.
Similar to previous spyware violations, Hunt marked a data breach on SPYX. I was pwled as “sensitive.”
The operator behind Spyx did not ask an email from TechCrunch about the violation. I've returned a message saying that the WhatsApp number listed on the SPYX website is not registered with the messaging app.
Different spyware, different violations
Spyx is billed as mobile surveillance software for Android and Apple devices to grant control of children's mobile phones.
Surveillance malware, like Spyx, also passes the term Stalkerware (and spouse's clothing). This may explicitly advertise the product as a way for operators to spy on their spouse or domestic partner. Even if the operator does not explicitly promote this illegal use, the Spyware app still shares many of the same stealth data steel features.
Consumer grade spyware, like Stalkerware, usually works in one of two ways:
Apps that run on Android devices, including SPYX, are usually downloaded from outside the official Google Play app store, allowing victims' devices (usually knowledge of passcodes, to weaken their security settings and plant spyware.
Because Apple has more stringent rules about which apps are in the App Store and can run on iPhones and iPads, Stalkerware usually taps on a copy of a backup of a device found in iCloud, Apple's cloud storage service. With a person's iCloud credentials, Stalkerware can continuously download the latest victim backups directly from Apple's servers. iCloud Backup stores most of a person's device data, including messages, photos, and app data.
According to Hunt, one of the two files in the compromised cache was mentioned in iCloud by its filename and contained around 17,000 different sets of usernames and passwords for around 17,000 plain text Apple accounts.
Since the iCloud entitlement for the compromised cache was clearly part of an Apple customer, Hunt attempted to verify the reliability of the data by contacting the subscriber who PWNeed the subscriber whose Apple account email address and password were found in the data. Hunt said several people confirmed that the information he provided was accurate.
Given the possible ongoing risk to victims whose account credentials may still be valid, Hunt provided a list of iCloud credentials that violated Apple prior to publication. Apple did not comment when TechCrunch reached it.
As for the remaining email addresses and passwords found in the compromised text file, it was not very clear whether these were working credentials for services other than SPYX and its cloned apps.
Meanwhile, Google has reduced its Chrome extension linked to the SPYX campaign.
“The Chrome Web Store and Google Play Store policies clearly prohibit malicious code, spyware and stalkerware. If you find a violation, take appropriate action. If users suspect that their Google account has compromised, they should take the recommended steps immediately.
How to find Spyx
TechCrunch has a spyware removal guide for Android users that can help you identify and remove popular types of phone monitoring apps. Don't forget to make a safety plan, given that turning off the app could warn the planter.
For Android users, Google Play Protect switching is a useful security feature that helps protect against Android malware, including unwanted phone monitoring apps. If the app is not enabled yet, you can enable Google Play from the app settings.
Your Google account is much more protected with two-factor authentication, which will help you better protect your account and data from intrusions, and let you know what steps to take if your Google account is compromised.
iPhone and iPad users can view and delete devices from unrecognized accounts. Your Apple account should use a long, unique password (ideally stored in the password manager) and make sure your account has two-factor authentication turned on. You also need to change your iPhone or iPad PassCode if you think someone may have physically compromised your device.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.