A little-known phone surveillance operation called Spyzie has compromised over 500,000 Android devices and thousands of iPhones and iPads, according to data shared by security researchers.
Most affected devices owners may not know that their phone data is corrupted.
Security researchers told TechCrunch that Spyzie is vulnerable to the same bug as Cocospy and Spyic, two nearly identical but different branded stalkerware apps that share the same source code and publish data for over 2 million people, as reported last week. This bug allows anyone to access phone data, including messages, photos, location data, and more extracted from any device compromised by three apps.
The bug will also publish the email addresses of each customer who signed up for Spyzie to compromise someone else's device, researchers said.
The researchers used the bug to collect 518,643 unique email addresses for Spyzie customers and provide TechCrunch and Troy Hunt with a cache of email addresses.
This latest leak shows that even lesser known businesses like Spyzie, consumer phone surveillance apps that are increasingly popular in civil society have little online presence and are largely forbidden by Google from running advertising in search results.
Collectively, Cocospy, Spyic and Spyzie are used by over 3 million customers.
The leak also shows that flaws in Stalkerware apps are becoming increasingly common, putting both customer and victim data at risk. Even for parents who want to monitor their children using these apps, it is legal, putting their child's data at the risk of hackers.
In our count, Spyzie was the 24th stalkerware operation since 2017, and other security has led to hacking or leaking or exposing the victim's highly sensitive data.
The Spyzie operator has not returned a request for TechCrunch's comment. At the time of writing, the bug has not been fixed yet.
Planted Android apps and stolen Apple credentials
Apps like Spyzie, or Cocospy or Spyic, are designed to remain hidden from your home screen, making it difficult for victims to identify the app. Meanwhile, the app continuously uploads content from the victim's device to a spyware server, allowing access to those who planted the app.
A copy of the data that security researchers share with TechCrunch indicates that the majority of affected Spyzie victims are the owners of Android devices, and that they usually need to physically access their phones to plant the Spyzie app.
This is one reason why these apps are usually used in the context of an abusive relationship.
The data also shows that Spyzie is being used to compromise at least 4,900 iPhones and iPads.
Because Apple has more stringent rules about which apps can run on iPhones and iPads, Stalkerware usually taps victims' device data stored in iCloud, Apple's cloud storage service, stored on Apple's Cloud Storage Service Icloud, rather than on the device itself.
Some of the earliest compromised Apple devices owners date back to late February 2020, and as recently as July 2024, is shown by leaked Spyzie Records.
How to remove Spyzie Stalkerware
Like Cocospy and Spyic, individual victims of Spyzie's surveillance could not be identified from the scraped data.
However, there are things you can do to see if your phone has been compromised by Spyzie.
For Android users: Even if Spyzie is hidden from view, you can usually dial ✱✱001 on the Android phone app's keypad and then dial the call button. If Spyzie is installed, it will appear on the screen.
It is a backdoor feature built into the app, allowing those who planted the app on the victim's phone to regain access. In this case, it can also be used by the victim to check if the app is installed.
TechCrunch has a general Android spyware removal guide that will help you identify and remove common types of phone stalkerware and turn on settings to protect your Android devices.
You also need to have a safety plan in place, as you can warn those who planted it.
For iPhone and iPad users: Spyzie relies on the use of the victim's Apple account username and password to access the data stored in your Icloud account. Your Apple account must use two-factor authentication. This is a key protection against account hacks and is the main way for Stalkerware to target your data. You will also need to check and delete the device from an unrecognized Apple account.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.