Featured Article

Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?

TechCrunch adds 50,000 new Android device identifiers to spyware lookup tool

Comment

eyes on a blue background with a phone featured prominently with location markers falling out of it, suggestive of a leak
Image Credits: Bryce Durbin / TechCrunch

A consumer-grade spyware operation called TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least due to a simple security flaw that its operators never fixed.

Now, two hacking groups have independently found the flaw that allows the mass access of victims’ stolen mobile device data directly from TheTruthSpy’s servers.

Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy’s victim data from ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy’s software stack.

SPYWARE LOOKUP TOOL

You can check to see if your Android phone or tablet was compromised here.

In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data, given its highly sensitive nature.

Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy.

TechCrunch verified the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of previous devices known to be compromised by TheTruthSpy as discovered during an earlier TechCrunch investigation.

The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.

TechCrunch has added the latest unique identifiers — about 50,000 new Android devices — to our free spyware lookup tool that lets you check if your Android device was compromised by TheTruthSpy.

Security bug in TheTruthSpy exposed victims’ device data

For a time, TheTruthSpy was one of the most prolific apps for facilitating secret mobile device surveillance.

TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9 and iSpyoo and others, which are stealthily planted on a person’s device by someone typically with knowledge of their passcode. These apps are called “stalkerware,” or “spouseware,” for their ability to illegally track and monitor people, often spouses, without their knowledge.

Apps like TheTruthSpy are designed to stay hidden on home screens, making these apps difficult to identify and remove, all the while continuously uploading the contents of a victim’s phone to a dashboard viewable by the abuser.

But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.

As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim’s phone data stored on TheTruthSpy’s servers. The bug is particularly damaging because it is extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device, including their text messages, photos, call recordings and precise real-time location data.

But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited information about the bug, known as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug due to the ongoing risk it poses to victims.

Given the simplicity of the bug, its public exploitation was only a matter of time.

TheTruthSpy linked to Vietnam-based startup, 1Byte

This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.

In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and without potentially alerting their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves if their devices were compromised.

The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware — if it is safe to do so.

But TheTruthSpy’s poor security practices and leaky servers also helped to expose the real-world identities of the developers behind the operation, who had taken considerable efforts to conceal their identities.

TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.

Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy made over $2 million in customer payments.

PayPal and Stripe suspended the spyware maker’s accounts following recent inquiries from TechCrunch, as did the U.S.-based web hosting companies that 1Byte used to host the spyware operation’s infrastructure and store the vast banks of victims’ stolen phone data.

After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost, run by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.

Though hobbled and degraded, TheTruthSpy still actively facilitates surveillance on thousands of people, including Americans.

For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware’s ability to invade a person’s digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the internet.

Read more on TechCrunch:

https://techcrunch.com/2022/02/22/remove-android-spyware/

More TechCrunch

To give AI-focused women academics and others their well-deserved — and overdue — time in the spotlight, TechCrunch has been publishing a series of interviews focused on remarkable women who’ve contributed to…

Women in AI: Rep. Dar’shun Kendrick wants to pass more AI legislation

We took the pulse of emerging fund managers about what it’s been like for them during these post-ZERP, venture-capital-winter years.

A reckoning is coming for emerging venture funds, and that, VCs say, is a good thing

It’s been a busy weekend for union organizing efforts at U.S. Apple stores, with the union at one store voting to authorize a strike, while workers at another store voted…

Workers at a Maryland Apple store authorize strike

Alora Baby is not just aiming to manufacture baby cribs in an environmentally friendly way but is attempting to overhaul the whole lifecycle of a product

Alora Baby aims to push baby gear away from the ‘landfill economy’

Bumble founder and executive chair Whitney Wolfe Herd raised eyebrows this week with her comments about how AI might change the dating experience. During an onstage interview, Bloomberg’s Emily Chang…

Go on, let bots date other bots

Welcome to Week in Review: TechCrunch’s newsletter recapping the week’s biggest news. This week Apple unveiled new iPad models at its Let Loose event, including a new 13-inch display for…

Why Apple’s ‘Crush’ ad is so misguided

The U.K. Safety Institute, the U.K.’s recently established AI safety body, has released a toolset designed to “strengthen AI safety” by making it easier for industry, research organizations and academia…

U.K. agency releases tools to test AI model safety

AI startup Runway’s second annual AI Film Festival showcased movies that incorporated AI tech in some fashion, from backgrounds to animations.

At the AI Film Festival, humanity triumphed over tech

Rachel Coldicutt is the founder of Careful Industries, which researches the social impact technology has on society.

Women in AI: Rachel Coldicutt researches how technology impacts society

SAP Chief Sustainability Officer Sophia Mendelsohn wants to incentivize companies to be green because it’s profitable, not just because it’s right.

SAP’s chief sustainability officer isn’t interested in getting your company to do the right thing

Here’s what one insider said happened in the days leading up to the layoffs.

Tesla’s profitable Supercharger network is in limbo after Musk axed the entire team

StrictlyVC events deliver exclusive insider content from the Silicon Valley & Global VC scene while creating meaningful connections over cocktails and canapés with leading investors, entrepreneurs and executives. And TechCrunch…

Meesho, a leading e-commerce startup in India, has secured $275 million in a new funding round.

Meesho, an Indian social commerce platform with 150M transacting users, raises $275M

Some Indian government websites have allowed scammers to plant advertisements capable of redirecting visitors to online betting platforms. TechCrunch discovered around four dozen “gov.in” website links associated with Indian states,…

Scammers found planting online betting ads on Indian government websites

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

The company is describing the event as “a chance to demo some ChatGPT and GPT-4 updates.”

OpenAI’s ChatGPT announcement: What we know so far

The deck included some redacted numbers, but there was still enough data to get a good picture.

Pitch Deck Teardown: Cloudsmith’s $15M Series A deck

Unlike ChatGPT, Claude did not become a new App Store hit.

Anthropic’s Claude sees tepid reception on iOS compared with ChatGPT’s debut

Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Look,…

Startups Weekly: Trouble in EV land and Peloton is circling the drain

Scarcely five months after its founding, hard tech startup Layup Parts has landed a $9 million round of financing led by Founders Fund to transform composites manufacturing. Lux Capital and Haystack…

Founders Fund leads financing of composites startup Layup Parts

AI startup Anthropic is changing its policies to allow minors to use its generative AI systems — in certain circumstances, at least.  Announced in a post on the company’s official…

Anthropic now lets kids use its AI tech — within limits

Zeekr’s market hype is noteworthy and may indicate that investors see value in the high-quality, low-price offerings of Chinese automakers.

The buzziest EV IPO of the year is a Chinese automaker

Venture capital has been hit hard by souring macroeconomic conditions over the past few years and it’s not yet clear how the market downturn affected VC fund performance. But recent…

VC fund performance is down sharply — but it may have already hit its lowest point

The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s…

Threat actor says he scraped 49M Dell customer addresses before the company found out

The social network has announced an updated version of its app that lets you offer feedback about its algorithmic feed so you can better customize it.

Bluesky now lets you personalize main Discover feed using new controls

Microsoft will launch its own mobile game store in July, the company announced at the Bloomberg Technology Summit on Thursday. Xbox president Sarah Bond shared that the company plans to…

Microsoft is launching its mobile game store in July

Smart ring maker Oura is launching two new features focused on heart health, the company announced on Friday. The first claims to help users get an idea of their cardiovascular…

Oura launches two new heart health features

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI considers allowing AI porn

Garena is quietly developing new India-themed games even though Free Fire, its biggest title, has still not made a comeback to the country.

Garena is quietly making India-themed games even as Free Fire’s relaunch remains doubtful

The U.S.’ NHTSA has opened a fourth investigation into the Fisker Ocean SUV, spurred by multiple claims of “inadvertent Automatic Emergency Braking.”

Fisker Ocean faces fourth federal safety probe