TechCrunch has confirmed that a stalkerware maker with a history of multiple data leaks and breaches has a critical security vulnerability that allows anyone to take over any user account and steal victims' sensitive personal data.
Independent security researcher Swarang Wade discovered the vulnerability, which allows anyone to reset the password of any user of the stalkerware app. Given the nature of TheTruthSpy, it is possible that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.
This basic flaw shows, once again, that consumer spyware makers such as TheTruthSpy and its many competitors cannot be trusted with anyone's data. These surveillance apps often facilitate illegal spying by abusive romantic partners, and they also have shoddy security practices that expose the personal data of both victims and perpetrators.
So far, TechCrunch has counted at least 26 spyware operations that have leaked, exposed or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.
TechCrunch confirmed the vulnerability by providing the researcher with the usernames of several test accounts. The researcher quickly changed the accounts' passwords. Wade attempted to warn TheTruthSpy's owner of the flaw, but received no reply.
When contacted by TechCrunch, the spyware operation's director, Van (Vardy) Thieu, said he had “lost” the source code and could not fix the bug.
As of publication, the vulnerability still exists and poses a significant risk to the thousands of people whose phones are believed to be unknowingly compromised by TheTruthSpy's spyware.
Given the risk to the public, we are not describing the vulnerability in more detail, so as not to aid malicious actors.
A brief history of TheTruthSpy's many security flaws
TheTruthSpy is a prolific spyware operation with roots going back almost a decade. For a time, the spyware network was one of the largest known phone monitoring operations on the web.
TheTruthSpy was developed by 1Byte Software, a Vietnam-based spyware maker. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9 and the since-defunct brands iSpyoo, MxSpy and others. The spyware apps share the same backend dashboards that TheTruthSpy's customers use to access their victims' stolen phone data.
As such, the security bug in TheTruthSpy also affects the customers and victims of any branded or white-label spyware app that relies on TheTruthSpy's underlying code.
As part of a 2021 investigation into the stalkerware industry, TechCrunch found that TheTruthSpy had a security bug that was exposing the personal data of its 400,000 victims to anyone on the internet. The exposed data included the victims' most personal information, including private messages, photos, call logs, and historical location data.
TechCrunch later received a cache of files from TheTruthSpy's servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. The list of devices did not contain enough information to personally identify each victim, but it allowed TechCrunch to build a spyware lookup tool so that potential victims can check whether their phone appears on the list.
Subsequent reporting, based on hundreds of leaked documents from 1Byte's servers sent to TechCrunch, revealed that TheTruthSpy relied on a large-scale money laundering operation that used forged documents and false identities to skirt the restrictions credit card processors place on spyware operations. The scheme allowed TheTruthSpy to funnel millions in illicit customer payments into operator-controlled bank accounts around the world.
In late 2023, TheTruthSpy had another data breach, exposing the personal data of another 50,000 new victims. TechCrunch was sent a copy of this data and added the updated records to the lookup tool.
TheTruthSpy, still exposing data, rebrands to PhoneParental
As it stands, some of TheTruthSpy's operations have wound down, while others have been rebranded to escape scrutiny. TheTruthSpy still exists today and has kept much of its buggy source code and vulnerable backend dashboards while rebranding as a new spyware app called PhoneParental.
Thieu remains involved in the development of phone surveillance software, as well as the continued promotion of surveillance.
According to a recent analysis of TheTruthSpy's current web-facing infrastructure using public internet records, the operation continues to rely on a software stack called the JFramework (formerly known as the JEXPA framework).
In an email, Thieu said he is rebuilding his apps from scratch, including a new phone monitoring app called MyPhones.App. Network analysis tests performed by TechCrunch show that MyPhones.App relies on the JFramework for its backend operations, the same system used by TheTruthSpy.
TechCrunch has an explainer on how to identify and remove stalkerware from your phone.
Like other stalkerware operators, TheTruthSpy remains a threat to the victims whose phones are compromised by its apps, not only because of the highly sensitive data they steal, but also because these operations continually prove that they cannot keep their victims' data safe.
–
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides confidential support to victims of domestic abuse and violence 24/7. If you are in an emergency situation, call 911. If you think your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.