Inside TheTruthSpy, the stalkerware network spying on thousands • TechCrunch

Big cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans.

The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by an array of similar stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others.

These Android apps are installed by someone with physical access to a person’s device. They are designed to stay hidden from the home screen while continuously and silently uploading the phone’s contents to the operator’s servers without the owner’s knowledge.


You can check whether your Android phone or tablet was compromised here.

Months after we published our investigation exposing the stalkerware operation, a source provided TechCrunch with tens of gigabytes of data dumped from the stalkerware servers. The archive contains a database of stalkerware activity, which includes detailed records of every Android device compromised by any of the stalkerware apps in TheTruthSpy’s network since early 2019 (although some records date earlier) and what device data was stolen from each.

Since the victims did not know their device data was stolen, TechCrunch extracted all the unique device identifiers from the leaked database and built a lookup tool that lets anyone check whether their device was compromised by one of the stalkerware apps up to April 2022, when the data was dumped.
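To illustrate what such a lookup needs to get right, here is an added example of a device-identifier check. It is not TechCrunch’s tool and does not describe how that tool works; it assumes the leaked identifiers are kept only as SHA-256 digests of a normalised form, so the service never holds a plaintext list of victims’ IMEIs, and it validates a 15-digit IMEI with its Luhn check digit before hashing so that typos are rejected rather than reported as “no match”. The identifiers in `SAMPLE_LEAKED` are constructed test values, not entries from the database.

```python
import hashlib
import re
import uuid


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string carries a correct Luhn check digit (IMEI, card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(identifier: str) -> tuple[str, str]:
    """Classify user input as an IMEI or an advertising ID and return (kind, canonical form).

    Raises ValueError for input that is neither, including a 15-digit string whose
    check digit does not match (most likely a typo).
    """
    s = identifier.strip()
    digits = re.sub(r"[\s-]", "", s)
    if re.fullmatch(r"\d{15}", digits):
        if not luhn_valid(digits):
            raise ValueError("IMEI check digit does not match")
        return "imei", digits
    try:
        # Android advertising IDs are UUID-formatted; uuid.UUID canonicalises case and braces.
        return "adid", str(uuid.UUID(s.lower()))
    except ValueError:
        raise ValueError("not a 15-digit IMEI or a UUID-style advertising ID") from None


def fingerprint(kind: str, canonical: str) -> str:
    """Digest stored by the lookup service instead of the raw identifier (assumption for this example)."""
    return hashlib.sha256(f"{kind}:{canonical}".encode()).hexdigest()


# Constructed sample standing in for the identifiers extracted from the leaked database.
SAMPLE_LEAKED = ["49-015420-323751-8", "38400000-8cf0-11bd-b23e-10b96e40000d"]
LEAKED_FINGERPRINTS = {fingerprint(*normalise(x)) for x in SAMPLE_LEAKED}


def check_device(identifier: str, fingerprints: set[str] = LEAKED_FINGERPRINTS) -> str:
    """Return 'match', 'no match' or 'invalid' for a user-supplied identifier."""
    try:
        kind, canonical = normalise(identifier)
    except ValueError:
        return "invalid"
    return "match" if fingerprint(kind, canonical) in fingerprints else "no match"


if __name__ == "__main__":
    for probe in ["49-015420-323751-8", "490154203237519", "356938035643809",
                  "38400000-8CF0-11BD-B23E-10B96E40000D"]:
        print(probe, "->", check_device(probe))
```

One caveat a practitioner should keep in mind: the space of valid IMEIs is only about 10^14 values, so an unsalted digest list can be brute-forced back to plaintext by anyone who obtains it. Hashing keeps raw identifiers out of the web tier and its logs, but the digest set still has to be treated as sensitive data.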

TechCrunch has since analyzed the entire database. We used mapping software for geospatial analysis, plotting hundreds of thousands of geographic data points from the database to understand its scale. Our analysis shows that TheTruthSpy’s network is very large, with victims on every continent and in almost every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat it, despite the growing threat it poses to victims.

First, a word about the data. The database is approximately 34 gigabytes in size and contains metadata, such as times and dates, as well as text-based content, such as call logs, text messages and location data. It also holds the names of the Wi-Fi networks each device connected to and whatever was copied and pasted to the phone’s clipboard, including passwords and two-factor authentication codes. The database did not contain the media itself, such as photos, videos or call recordings taken from the victims’ devices, but it logged information about each file, such as when a photo or video was taken and when and for how long a call was recorded, allowing us to determine how much content was extracted from the victims’ devices and when. Each compromised device uploaded a varying amount of data depending on how long it was compromised and on network availability.


TechCrunch examined data from March 4 to April 14, 2022, or the most recent six weeks of data stored on the database at the time of the leak. It is possible that TheTruthSpy servers only store certain data, such as call logs and location data, for a few weeks, but other content, such as photos and messages, for longer.

This is what we found.

This map shows six weeks of cumulative geographic data plotted on a map of North America. The geographic data is extremely granular and shows victims in major cities, urban areas and travel along major transportation routes. Photo credits: TechCrunch

The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. That figure is a measure of how many devices have been compromised by the operation to date and of how many people have been affected. The database also contains the email addresses of everyone who signed up to use one of TheTruthSpy’s many apps and stalkerware clones for the purpose of planting it on a victim’s device, about 337,000 users. The two figures differ because some devices were compromised more than once (or by more than one app in the stalkerware network), and some users have more than one compromised device.

About 9,400 new devices were compromised during the six-week period, our analysis shows, which amounts to hundreds of new devices each day.

The database stored 608,966 location data points during that six-week period. We plotted the data and built a time lapse showing the growing number of known compromised devices worldwide, in order to understand how far TheTruthSpy’s reach extends. The animations have been scaled back to protect the privacy of individuals, but the underlying data is extremely granular and shows victims in transit, at places of worship and in other sensitive locations.


By country, the United States ranked first with the most geographic data points (278,861) of any country during the six-week period. India had the second-largest number of geographic data points (77,425), Indonesia was third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth.

Canada, Nepal, Israel, Ghana and Tanzania are also included in the top 10 countries by volume of geographic data.

This map shows the total number of location data points by country. The US had the most geographic data, at 278,861 points during the six-week period, followed by India, Indonesia and Argentina, which is consistent with the US’s large geographic area and population. Photo credits: TechCrunch

The database contains a total of 1.2 million text messages, including the recipient’s name, and 4.42 million phone call records over a six-week period, including records detailing who called whom, for how long, and the contact’s name and phone number.

TechCrunch has seen evidence that data may have been collected from children’s phones.

These stalkerware apps also recorded the content of thousands of phone calls over the six-week period, the data shows. The database contains 179,055 entries for call recording files stored on another TheTruthSpy server. Our analysis correlated the dates and times of those call recordings with the location data stored elsewhere in the database to determine where the calls were recorded. We focused on US states with strict call-recording laws, which require more than one person (or everyone) on the line to consent to a recording; recording without that consent violates the state’s wiretapping laws. Most US states require the consent of only one party to the call, but stalkerware is by nature designed to operate without the victim’s knowledge, so the victim never consents either way.

We found evidence that 164 compromised devices in 11 states recorded thousands of phone calls over the six-week period without the device owners’ knowledge. Most of those devices were located in populous states such as California and Illinois.

TechCrunch identified 164 different devices that recorded the victim’s phone calls over a six-week period and were located in states where wiretapping laws are among the strictest in the United States. California led with 76 devices, followed by Pennsylvania with 17 devices, Washington with 16 devices and Illinois with 14 devices. Photo credits: TechCrunch
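The correlation described above, joining each call-recording record to the device’s nearest location fix in time and then bucketing by state, is the kind of analysis that is easy to get wrong when the two data sets are sampled at different rates. The following is an added example of that join, written for this page rather than taken from TechCrunch’s analysis. All records are constructed, the crude lat/lon bounding boxes stand in for real reverse geocoding against state polygons (an assumption for this example), and the four states listed are the ones the article names, not a complete list of all-party-consent states. Recordings with no location fix within the time window are deliberately left unattributed rather than guessed.

```python
import bisect
from collections import defaultdict
from datetime import datetime, timedelta

# The four all-party-consent states named in the article (not a complete list).
ALL_PARTY_CONSENT = {"CA", "IL", "PA", "WA"}

# Crude bounding boxes used as a stand-in for real reverse geocoding (assumption for
# this example; a production analysis would test points against state polygons).
STATE_BOXES = {
    "CA": (32.5, 42.0, -124.5, -114.1),
    "IL": (36.9, 42.6, -91.6, -87.0),
    "PA": (39.7, 42.3, -80.6, -74.7),
    "WA": (45.5, 49.1, -124.9, -116.9),
}

T = datetime(2022, 3, 10, 12, 0)          # base timestamp for the constructed records
WINDOW = timedelta(minutes=30)            # max gap between a recording and a location fix

# Constructed sample records: (device_id, recorded_at) and (device_id, seen_at, lat, lon).
RECORDINGS = [
    ("dev-a", T), ("dev-a", T + timedelta(hours=2)),
    ("dev-b", T + timedelta(hours=1)),
    ("dev-c", T),
    ("dev-d", T),
    ("dev-e", T + timedelta(minutes=30)),
]
LOCATIONS = [
    ("dev-a", T - timedelta(minutes=5), 34.05, -118.24),              # Los Angeles
    ("dev-a", T + timedelta(hours=1, minutes=55), 34.06, -118.25),
    ("dev-b", T + timedelta(hours=1, minutes=10), 47.61, -122.33),    # Seattle
    ("dev-c", T + timedelta(minutes=1), 30.27, -97.74),               # Austin: one-party state
    ("dev-d", T + timedelta(hours=3), 41.88, -87.63),                 # Chicago, but 3h away
    ("dev-e", T + timedelta(minutes=20), 37.77, -122.42),             # San Francisco
]


def state_for(lat: float, lon: float):
    """Return the state whose box contains the point, or None if it is in none of them."""
    for state, (lat_min, lat_max, lon_min, lon_max) in STATE_BOXES.items():
        if lat_min <= lat <= lat_max and lon_min <= lon <= lon_max:
            return state
    return None


def index_locations(locations):
    """Group fixes by device and sort by time so each lookup is a binary search."""
    by_device = defaultdict(list)
    for dev, ts, lat, lon in locations:
        by_device[dev].append((ts, lat, lon))
    for fixes in by_device.values():
        fixes.sort()
    return by_device


def nearest_fix(fixes, when, window):
    """Closest fix to `when`, or None if the closest one is further than `window` away."""
    times = [f[0] for f in fixes]
    i = bisect.bisect_left(times, when)
    candidates = [fixes[j] for j in (i - 1, i) if 0 <= j < len(fixes)]
    if not candidates:
        return None
    best = min(candidates, key=lambda f: abs(f[0] - when))
    return best if abs(best[0] - when) <= window else None


def recording_devices_by_state(recordings, locations, window=WINDOW):
    """Map each all-party-consent state to the sorted devices that recorded a call there."""
    by_device = index_locations(locations)
    result = defaultdict(set)
    for dev, recorded_at in recordings:
        fix = nearest_fix(by_device.get(dev, []), recorded_at, window)
        if fix is None:
            continue  # no fix close enough in time: leave the recording unattributed
        state = state_for(fix[1], fix[2])
        if state in ALL_PARTY_CONSENT:
            result[state].add(dev)
    return {state: sorted(devs) for state, devs in result.items()}


if __name__ == "__main__":
    for state, devs in sorted(recording_devices_by_state(RECORDINGS, LOCATIONS).items()):
        print(f"{state}: {len(devs)} device(s) {devs}")
```

The window is the parameter that drives the result: too wide and a device that moved between fixes gets attributed to the wrong place, too narrow and devices that only upload location data every few hours drop out entirely. Reporting the number of unattributed recordings alongside the per-state counts makes that trade-off visible.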

The database also has 473,211 records of photos and videos uploaded from the compromised phones over the six-week period, including screenshots, images found in messaging apps and images saved to the camera roll, along with their file names, which can themselves reveal information about the file. The database also holds 454,641 records of keystrokes captured by the apps’ keylogger, which include sensitive information such as passwords and codes typed into password managers and other apps. It also includes 231,550 records of the networks each device connected to, such as the Wi-Fi network names of hotels, workplaces, apartments, airports and other places that can reveal where a victim has been.


TheTruthSpy operation is the latest in a long line of stalkerware apps to expose victims’ data due to security flaws that lead to breaches.

Although the availability of stalkerware apps is not itself illegal, using them to record the private phone calls and conversations of people without their consent is illegal under federal wiretapping laws and many state laws. And while it is illegal to sell phone monitoring apps for the sole purpose of secretly intercepting private messages, many stalkerware apps are sold under the guise of child monitoring software, yet they are routinely abused to spy on the phones of spouses and housemates.

Much of the effort to combat stalkerware is led by cybersecurity companies and antivirus vendors who work to block unwanted malware from users’ devices. The Coalition Against Stalkerware, launched in 2019, shares resources and samples of known stalkerware so that information about new and emerging threats can be shared with other cybersecurity companies and automatically blocked at the device level. The coalition’s website has more on what tech companies can do to detect and block stalkerware.

But a number of stalkerware operators, such as Retina-X and SpyFone, have faced enforcement action from regulators such as the Federal Trade Commission (FTC) for enabling extensive surveillance. The regulators have relied on novel legal theories, bringing cases that cite the operators’ poor cybersecurity practices and the data breaches that closely followed from how they ran their operations.

When reached for comment by TechCrunch ahead of publication, an FTC spokesperson said the agency does not comment on whether it is investigating a specific matter.

If you or someone you know needs help, the National Domestic Abuse Hotline (1-800-799-7233) provides free, confidential 24/7 support for victims of domestic abuse and violence. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] by email.

