A consumer-grade spyware operation known as TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least because of a simple security flaw that its operators never fixed.
Now, two hacking groups have independently found the flaw that allows the mass access of victims' stolen mobile device data directly from TheTruthSpy's servers.
Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy's victim data from ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy's software stack.
In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data, given its highly sensitive nature.
Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy.
TechCrunch verified the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of devices previously known to be compromised by TheTruthSpy, as discovered during an earlier TechCrunch investigation.
The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.
TechCrunch has added the latest unique identifiers — about 50,000 new Android devices — to our free spyware lookup tool that lets you check if your Android device was compromised by TheTruthSpy.
Security bug in TheTruthSpy exposed victims' device data
For a time, TheTruthSpy was one of the most prolific apps for facilitating secret mobile device surveillance.
TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9 and iSpyoo and others, which are stealthily planted on a person's device by someone who typically knows their passcode. These apps are known as "stalkerware," or "spouseware," for their ability to illegally track and monitor people, often spouses, without their knowledge.
Apps like TheTruthSpy are designed to stay hidden on home screens, making these apps difficult to identify and remove, all the while continually uploading the contents of a victim's phone to a dashboard viewable by the abuser.
But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.
As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim's phone data stored on TheTruthSpy's servers. The bug is particularly damaging because it is extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim's Android device, including their text messages, photos, call recordings and precise real-time location data.
But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited information about the bug, known as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug due to the ongoing risk it poses to victims.
Given the simplicity of the bug, its public exploitation was only a matter of time.
TheTruthSpy linked to Vietnam-based startup, 1Byte
This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.
In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and without potentially alerting their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves if their devices were compromised.
The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware — if it is safe to do so.
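One way the matching step of such a lookup tool can be built, shown here as an added example rather than TechCrunch's own (unpublished) code: a submitted IMEI is validated with its Luhn check digit so a typo is reported as invalid rather than as "not compromised", an advertising ID is normalized as a UUID, and the identifier is compared by hash against a hashed list, so the checker never has to hold or distribute victims' raw identifiers. The two identifiers in the sample list are constructed for this example, and the hash-based design is an assumption about how one would build this, not a description of TechCrunch's tool.

```python
import hashlib
import re
import uuid

# Constructed sample of identifiers "known to be compromised" (both values are
# made up for this example). A deployed checker would only ship the hashes
# produced by build_index(), never this raw list.
_SAMPLE_COMPROMISED_RAW = [
    "350141110192018",                        # constructed IMEI (passes Luhn)
    "7a1d5d7e-2e4c-4b8b-9c9f-0d2f3e4a5b6c",   # constructed advertising ID
]


def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string; an IMEI's 15th digit is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_identifier(value: str):
    """Return ('imei', <15 digits>), ('adid', <lowercase uuid>) or None when the
    input is neither a plausible IMEI nor an advertising ID."""
    s = value.strip()
    digits = re.sub(r"[\s-]", "", s)
    if re.fullmatch(r"\d{15}", digits):
        # A Luhn failure means the user mistyped, not that the device is clean.
        return ("imei", digits) if luhn_valid(digits) else None
    try:
        return ("adid", str(uuid.UUID(s)))   # canonical lowercase form
    except ValueError:
        return None


def _fingerprint(kind: str, ident: str) -> str:
    # Hash the (kind, identifier) pair; the prefix keeps the two namespaces apart.
    return hashlib.sha256(f"{kind}:{ident}".encode()).hexdigest()


def build_index(raw_identifiers):
    """Turn a raw identifier list into a set of hashes; the raw list can then be discarded."""
    index = set()
    for raw in raw_identifiers:
        norm = normalize_identifier(raw)
        if norm is None:
            raise ValueError(f"unusable identifier in source list: {raw!r}")
        index.add(_fingerprint(*norm))
    return index


COMPROMISED_INDEX = build_index(_SAMPLE_COMPROMISED_RAW)


def lookup(value: str, index=None) -> str:
    """Return 'match', 'no match' or 'invalid' for a user-supplied identifier."""
    index = COMPROMISED_INDEX if index is None else index
    norm = normalize_identifier(value)
    if norm is None:
        return "invalid"
    return "match" if _fingerprint(*norm) in index else "no match"


if __name__ == "__main__":
    # Dashed IMEI and upper-case advertising ID are accepted after normalization;
    # a wrong check digit and free text are reported as invalid, not as "no match".
    for probe in ["35-014111-019201-8", "7A1D5D7E-2E4C-4B8B-9C9F-0D2F3E4A5B6C",
                  "350141110192019", "hello"]:
        print(probe, "->", lookup(probe))
```

Distinguishing "invalid" from "no match" matters for a tool like this: a victim who mistypes one digit must not be told their device is clean.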
But TheTruthSpy's poor security practices and leaky servers also helped to expose the real-world identities of the developers behind the operation, who had gone to considerable effort to conceal their identities.
TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.
Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy made more than $2 million in customer payments.
PayPal and Stripe suspended the spyware maker's accounts following recent inquiries from TechCrunch, as did the U.S.-based web hosting companies that 1Byte used to host the spyware operation's infrastructure and store the vast banks of victims' stolen phone data.
After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost, run by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.
Though hobbled and degraded, TheTruthSpy still actively facilitates surveillance on thousands of people, including Americans.
For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware's ability to invade a person's digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the internet.