Security researchers who discovered the flaws say the security vulnerability of a pair of mobile phone surveillance apps exposes the personal data of millions of people who unconsciously install apps on their devices.
This bug allows anyone to access personal data, such as messages, photos, and call logs. Any phone or tablet compromised by Cocospy and Spyic, can be accessed from two different brands of mobile stalkerware apps, where two different brands of mobile stalkerware apps share almost the same source code. The bug is also intended to publish the email addresses of people who signed up for Cocospy and Spyic and secretly monitor them to plant the app on someone's device.
Like other types of spyware, products like Cocospy and Spyic remain hidden in the victim's device, secretly uploading device data to a dashboard that allows the person who planted the app to see It is designed to be. Due to the nature of how stealth spyware exists, it is possible that most phone owners are unaware that their devices are compromised.
Cocospy and Spyic operators did not return requests for TechCrunch's comment and did not fix any bugs when published.
Bugs are relatively easy to use. Thus, TechCrunch provides specific details of the vulnerability so that bad actors don't help them to exploit it and release more sensitive personal data of individuals already compromised by Cocossie and Spychic. It has not been published.
A security researcher who discovered the bug told TechCrunch that anyone could access the email address of someone who signed up for one of the two phone monitoring apps.
Researchers collected 1.81 million email addresses and 880,167 Spyic customers' email addresses by using the bug to rub data from the app's servers. Researchers provided a cache of email addresses to Troy Hunt, which runs the data breach notification service.
Hunt told TechCrunch that after deleting duplicate email addresses that were shown in both data batches, it then loaded Cocospy and Spyic a total of 2.65 million unique email addresses registered with Cocospy and Spyic. Hunt said Cocospi and spy caches are marked as “sensitive,” similar to previous spyware-related data breaches. There.
Cocospy and Spyic are the latest list of long lists of surveillance products that have experienced security disasters in recent years as a result of bugs and poor security practices. With TechCrunch's running count, Cocospy and Spyic are one of 23 known surveillance practices since 2017 that have published highly sensitive data online from hacks, violations, or customers and victims.
Phone monitoring apps such as Cocospy and Spyic are usually sold as parental control or employee monitoring apps, but some of these products are promoted online online as a way to spy on a person's spouse. It is called Stalkerware (or spouse wear). Or a romantic partner with no illegal knowledge. Even in the case of mobile surveillance apps that are not explicitly sold due to explicitly negative activities, customers still use these apps for surface illegal purposes.
Stalkerware apps are banned from the app store, so they are usually downloaded directly from the Stalkerware provider. As a result, Stalkerware apps usually need to plant physical access to someone's Android device, often with prior knowledge of the victim's device passcode. For iPhones and iPads, Stalkerware allows you to tap on the data of the person's device stored in Apple's cloud storage service iCloud. This requires using the stolen Apple account credentials.
Chinese ties stalker wear
Little is known about these two spyware operations, such as who runs Cocospy and Spyic. Stalkerware operators often try to avoid public attention given the reputation and legal risks associated with carrying out surveillance operations.
Cocospy and Spyic were released in 2018 and 2019, respectively. Just from the number of registered users, Cocospy is one of the largest known stalkerware operations currently.
Security researchers Vangelis Stykas and Felipe Solferini, who analyzed several stalkerware families as part of their 2022 research project, have taken the operation of Cocospy and Spyic to 711.icu, a mobile app developer associated with 711.icu. I found evidence to link it.
This week, TechCrunch installed Cocospy and Spyic apps on virtual devices (which allows you to run your apps in a secure sandbox without providing one of the SPY services). Both Stalkerware apps are available for Android. It pretends to be an unexplained “system services” app. This appears to avoid detection by blending it with Android's built-in app.
I used a network analysis tool to watch the data coming and going to the app to understand how spyware operations work, what data is being shared, and where the server is.
Traffic analysis revealed that apps are sending data from virtual devices through CloudFlare, a network security provider that obfuscates the true real world locations of Spyware operations and web hosts. However, in web traffic, two Stalkerware apps are uploading victim data, such as photos, to a cloud storage server hosted by Amazon Web Services.
Neither Amazon nor CloudFlare responded to TechCrunch inquiries regarding Stalkerware operations.
The analysis showed that while using the app, the server responds occasionally with Chinese status or error messages, suggesting that the app is developed by people with a Nexus in China.
What you can do to remove Stalkerware
Email addresses removed from Cocospy and Spyic can be used by anyone who planted the app to determine whether information (and victim data) has been compromised. However, the data does not contain sufficient identifiable information to notify individuals whose mobile phone is being compromised.
However, there are things you can do to see if your phone is compromised by Cocospy and Spyic. Like most Stalkerware, both of these apps rely on people who deliberately weaken the security settings of their Android devices and plant the app. Alternatively, on an iPhone or iPad, you can access someone's Apple account with knowledge of their username and password.
Both Cocospy and Spyic try to hide as apps with a general appearance called “system services,” but there is a way to find them.
With Cocospy and Spyic, you will usually enter ✱✱001✱ in the Android phone app's keypad, then press the “Recall” button to display the Stalkerware app on the screen if it is installed. This is a feature built into Cocospi and Spices to allow those who planted the app on the victim's device to regain access. In this case, this feature can also be used by victims to determine whether the app is installed or not.
You can also check the installed apps via the Apps menu in the Android Settings menu, even if the apps are not visible.
Cocospy and Spyic Stalkerware apps disguised as “System Services” apps. Image credit: TechCrunch
TechCrunch has a general Android spyware removal guide to help you identify and remove common types of phone stalkerware. Don't forget to make a safety plan, given that turning off your spyware could warn anyone who planted it.
For Android users, switching Google Play Protect is a useful protection method that can protect against malicious Android apps, including Stalkerware. If it is not enabled, you can enable it from the Google Play Settings menu.
Also, if you are an iPhone and iPad user and think it may be compromised, make sure your Apple account uses a long, unique password (ideally stored in your password manager). Please check and make sure your account has two-factor authentication enabled. You will also need to check and delete your device from an account you don't recognize.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) is secretly available to victims of domestic abuse and violence 24/7 We provide support for. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.
Please contact Zack Whittaker safely via the +1 signal at 646-755-8849 and WhatsApp. You can also securely share documents with TechCrunch via SecureDrop.