
A TechCrunch investigation in February 2022 revealed that a fleet of consumer-grade spyware apps, including TheTruthSpy, share a common security vulnerability that is exposing the personal data of hundreds of thousands of Android users.

Our investigation found victims in virtually every country, with large clusters in the United States, Europe, Brazil, Indonesia and India. But the stealthy nature of the spyware means that most victims will have no idea that their device was compromised unless they know where on their device to look.

Then, in June, a source provided TechCrunch with a cache of files dumped from the servers of TheTruthSpy’s internal network.

The cache included a list of every Android device that was compromised by any of the spyware apps in TheTruthSpy’s network, including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, GuestSpy and FoneTracker. Other than their names, these apps are almost identical and all communicate with the same server infrastructure.

The list contains either the IMEI number or unique advertising ID associated with every compromised device up to April 2022, which is presumably when the data was dumped from the spyware’s internal network. TechCrunch verified the authenticity of the list by matching known IMEIs from burner and virtual devices we used as part of our investigation into the spyware network.

Using this list of compromised devices, TechCrunch built a spyware lookup tool to let you check to see if your Android device was compromised by TheTruthSpy apps, and to provide resources for removing the spyware from your device.

How does the spyware lookup tool work?

Before you start, it’s important to have a safety plan in place. The Coalition Against Stalkerware and the National Network to End Domestic Violence offer advice and guidance for victims and survivors of stalkerware.

This is how you get started with the tool.

1. First, find a device you know to be safe, like the phone of a trusted friend or a computer in a public library.

2. Visit this same webpage from that trusted device.

3. Enter the IMEI number or device advertising ID of the device you suspect to be compromised into the lookup tool. You may want to check both.

This is how you find them:

  • An IMEI number is a 14-15 digit number that is unique to your cell phone. From your phone’s dial pad, type in ✱#06# and your IMEI number (sometimes called an MEID) should appear on your screen. You may need to hit the call button on some phone models.
  • Your device’s advertising ID can be found in Settings > Google > Ads, though some Android versions may differ slightly. Advertising IDs vary but are typically either 16 or 32 characters and are a mix of letters and numbers.

If you have reset or deleted your advertising ID, or if it has otherwise changed since the spyware was installed, this tool may not identify your device as compromised.


If the spyware lookup tool returns a “match,” it means that IMEI number or device advertising ID was found in the leaked list and the corresponding device was compromised by one of TheTruthSpy spyware apps on or before April 2022.

If you get a “likely match,” it means your IMEI number or device advertising ID matched a record in the list but that the entry may have contained extraneous data, such as the name of the device’s manufacturer. This result means the corresponding device was probably compromised by one of TheTruthSpy apps but that you must confirm by checking for signs that the spyware is installed.

If “no match” is found, it means there is no record matching that device in the leaked list of compromised devices. This does not automatically mean the device is free from spyware. Your device may have been compromised by the spyware after April 2022, or may have been targeted by a different kind of spyware.
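The three results described above can be sketched as follows. This is an added example, not TechCrunch's code: the record layout, the separators and the Luhn check-digit validation for 15-digit IMEIs are assumptions, and the sample records are illustrative values that do not come from the leaked list.

```python
import re

# Sample records standing in for lines of a device list (illustrative values,
# none taken from the leaked data). The record layout is an assumption.
SAMPLE_RECORDS = [
    "490154203237518",                       # bare 15-digit IMEI
    "samsung 356938035643809",               # IMEI plus a manufacturer name
    "38400000-8cf0-11bd-b23e-10b96e40000d",  # advertising ID written with hyphens
    "9774d56d682e549c",                      # 16-character advertising ID
]

def normalize(value):
    """Drop spaces and hyphens and lower-case, so formatting does not matter."""
    return re.sub(r"[\s-]", "", value).lower()

def luhn_ok(digits):
    """Luhn check used for the last digit of a 15-digit IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def identifier_kind(value):
    v = normalize(value)
    if re.fullmatch(r"\d{14,15}", v):
        # A 14-digit value has no check digit; a 15-digit one must pass Luhn.
        return "imei" if len(v) == 14 or luhn_ok(v) else "invalid"
    if re.fullmatch(r"[0-9a-z]{16}|[0-9a-z]{32}", v):
        return "advertising_id"
    return "invalid"

def build_index(records):
    """Map each identifier to 'match' (record is only the identifier) or
    'likely match' (record carries extra data next to the identifier)."""
    index = {}
    for record in records:
        tokens = [normalize(t) for t in re.split(r"[\s,;|]+", record.strip()) if t]
        for tok in tokens:
            if identifier_kind(tok) != "invalid" and index.get(tok) != "match":
                index[tok] = "match" if len(tokens) == 1 else "likely match"
    return index

def lookup(value, index):
    if identifier_kind(value) == "invalid":
        return "invalid input"  # likely a typo; ask the user to re-enter it
    return index.get(normalize(value), "no match")

INDEX = build_index(SAMPLE_RECORDS)
```

Rejecting a 15-digit value that fails the check digit separates a mistyped IMEI from a genuine "no match", which matters because a false "no match" could be read as reassurance.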

What do I do now?

To confirm if an Android device is currently compromised, you must look for signs that the spyware is installed. This guide explains how to search for evidence that your phone was compromised by spyware and how to remove it from your phone.

Because the spyware is designed to be stealthy, please keep in mind that removing the spyware will likely alert the person who planted it, which could lead to an unsafe situation. The Coalition Against Stalkerware and the National Network to End Domestic Violence offer support, guidance and resources on how to create a safety plan.

Other questions:

What does this spyware lookup tool do?

This lookup tool allows you to check if your Android device was compromised by any of TheTruthSpy apps prior to April 2022.

TechCrunch obtained a list containing the IMEI number or the unique device advertising ID collected from every compromised device. Every cellular-connected phone or tablet has a unique IMEI number hardcoded into the device’s hardware, while advertising IDs are baked into the device’s software and can be easily reset and changed by the user.

Once the spyware installs, it sends one of the phone’s identifiers back to its servers, just like many other apps do for permitted reasons like advertising, though Google largely restricted developers from accessing IMEI numbers from 2019 in favor of the more user-controllable advertising IDs.

This lookup tool does not store submitted IMEI numbers or advertising IDs, and therefore no data is shared or sold.

Why did TechCrunch build a spyware lookup tool?

The list does not contain enough information for TechCrunch to personally identify or notify individual device owners. Even if it did, we couldn’t contact victims for fear of also notifying the person who planted the spyware and creating a dangerous situation.

A phone can store some of a person’s most personal and sensitive information. No member of civil society should ever be subject to such invasive surveillance without their knowledge or consent. By offering this tool, anyone can check if this spyware compromised their Android device at any time or any place when it is safe.

The lookup tool cannot tell you if your device is currently compromised. It can only tell you if there is a match for a device identifier found in the leaked list, indicating that device was likely compromised some time before April 2022.

What can this spyware do?

Consumer-grade spyware apps are often pitched as child monitoring apps, but these apps also go by the name “stalkerware” or “spouseware” for their ability to track and monitor other people, like spouses and domestic partners, without their consent.

Apps like TheTruthSpy are downloaded and installed by someone with physical access to a person’s phone and are designed to stay hidden from home screens, but will silently and continually upload call logs, text messages, photos, browsing histories, call recordings and real-time location data from the phone without the owner’s knowledge.

What is the security vulnerability?

The nine known spyware apps in TheTruthSpy’s network share the same infrastructure, but because of shoddy coding, they also share the same security vulnerability. The flaw, known officially as CVE-2022-0732, is simple to abuse and allows anyone to remotely gain almost unfettered access to a victim’s device data.

With no expectation that the vulnerability would be fixed, TechCrunch published details about the network to help victims identify and remove the spyware if it is safe to do so.

The legal stuff

If you use this spyware lookup tool, TechCrunch will collect your IMEI number or advertising ID and your IP address for the sole purpose of helping you identify if your device was compromised by this spyware. IMEI numbers and advertising IDs are not stored, sold, or shared with any third parties and are deleted once you receive the spyware lookup tool results. IP addresses are briefly stored to limit automated requests only. TechCrunch is not liable for any loss or damage to your device or data and offers no guarantees about the accuracy of the results. You use this tool at your own risk.
