Hackers uncover new TheTruthSpy stalkerware victims: Is your Android device compromised?

A consumer-grade spyware operation known as TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least because of a simple security flaw that its operators never fixed.

Now, two hacking groups have independently found the flaw that allows mass access to victims' stolen mobile device data directly from TheTruthSpy's servers.

Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy's victim data by ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy's software stack.

You can check to see if your Android phone or tablet was compromised here.

In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data given its highly sensitive nature.

Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy.

TechCrunch verified that the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of devices already known to be compromised by TheTruthSpy, as discovered during an earlier TechCrunch investigation.

The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom, and elsewhere.

TechCrunch has added the latest unique identifiers (about 50,000 new Android devices) to our free spyware lookup tool that lets you check if your Android device was compromised by TheTruthSpy.

Security bug in TheTruthSpy exposed victims' device data

For a time, TheTruthSpy was one of the most prolific apps for facilitating secret mobile device surveillance.

TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9 and iSpyoo and others, which are stealthily planted on a person's device by someone who usually knows their passcode. These apps are known as "stalkerware," or "spouseware," for their ability to illegally track and monitor people, often spouses, without their knowledge.

Apps like TheTruthSpy are designed to stay hidden from home screens, making them difficult to identify and remove, all while continually uploading the contents of a victim's phone to a dashboard viewable by the abuser.

But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.

As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim's phone data stored on TheTruthSpy's servers. The bug is particularly damaging because it is extremely easy to exploit and grants unfettered remote access to all of the data collected from a victim's Android device, including their text messages, photos, call recordings, and precise real-time location data.

But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited information about the bug, tracked as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug because of the ongoing risk it poses to victims.

Given the simplicity of the bug, its public exploitation was only a matter of time.

TheTruthSpy linked to Vietnam-based startup 1Byte

This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.

In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and without potentially alerting their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves whether their devices were compromised.

The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware, if it is safe to do so.
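The article describes the lookup tool only at the level of "matches against a list of IMEI numbers and advertising IDs." The following is an added example of how such a victim-facing check can be built so that the lookup service itself does not have to hold the raw identifiers: inputs are normalised (separators stripped, IMEI check digit validated with the Luhn algorithm, advertising IDs lower-cased to canonical UUID form) and compared as SHA-256 fingerprints. This is not TechCrunch's code; the two identifiers in `SAMPLE_COMPROMISED` are constructed values, not entries from any breach.

```python
import hashlib
import re
from typing import Iterable, Optional, Set

# Constructed stand-ins for a breach list. These are made-up values chosen so the
# example runs offline; they are not identifiers from TheTruthSpy's data.
SAMPLE_COMPROMISED = [
    "490154203237518",                       # IMEI (passes the Luhn check)
    "38400000-8cf0-11bd-b23e-10b96e40000d",  # Android advertising ID (UUID form)
]

AD_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for IMEI check digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str) -> Optional[str]:
    """Strip spaces/dashes and validate; return the 15-digit IMEI or None."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{15}", digits) or not luhn_valid(digits):
        return None
    return digits


def normalize_ad_id(raw: str) -> Optional[str]:
    """Return the advertising ID in canonical lower-case UUID form, or None."""
    s = raw.strip().lower()
    return s if AD_ID_RE.match(s) else None


def fingerprint(value: str) -> str:
    """SHA-256 hex digest of a canonical identifier; the index stores only these."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()


def build_index(identifiers: Iterable[str]) -> Set[str]:
    """Build the set of hashed identifiers the lookup service actually needs."""
    index: Set[str] = set()
    for ident in identifiers:
        canon = normalize_imei(ident) or normalize_ad_id(ident)
        if canon is None:
            raise ValueError(f"unrecognised identifier in list: {ident!r}")
        index.add(fingerprint(canon))
    return index


def check_device(user_input: str, index: Set[str]) -> dict:
    """Classify the input as IMEI / advertising ID / invalid and report a match."""
    imei = normalize_imei(user_input)
    if imei is not None:
        return {"kind": "imei", "matched": fingerprint(imei) in index}
    ad_id = normalize_ad_id(user_input)
    if ad_id is not None:
        return {"kind": "advertising_id", "matched": fingerprint(ad_id) in index}
    return {"kind": "invalid", "matched": False}


COMPROMISED_INDEX = build_index(SAMPLE_COMPROMISED)

if __name__ == "__main__":
    probes = [
        "49 0154 2032 37518",                    # same IMEI typed with spaces
        "38400000-8CF0-11BD-B23E-10B96E40000D",  # same ad ID in upper case
        "490154203237519",                       # bad check digit: rejected as invalid
        "000000000000000",                       # well-formed but not in the list
    ]
    for probe in probes:
        print(f"{probe!r:42} -> {check_device(probe, COMPROMISED_INDEX)}")
```

Keeping only fingerprints in the served index means a compromise of the lookup service does not hand out the victims' raw IMEIs and advertising IDs a second time, while a user who types their own identifier still gets an exact answer; rejecting inputs that fail the Luhn check avoids false negatives from typos rather than silently reporting "not found".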

But TheTruthSpy's poor security practices and leaky servers also helped to expose the real-world identities of the developers behind the operation, who had gone to considerable effort to conceal who they were.

TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.

Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy made over $2 million in customer payments.

PayPal and Stripe suspended the spyware maker's accounts following recent inquiries from TechCrunch, as did the U.S.-based web hosting companies that 1Byte used to host the spyware operation's infrastructure and store the vast banks of victims' stolen phone data.

After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost, run by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.

Although hobbled and degraded, TheTruthSpy nonetheless actively facilitates surveillance on hundreds of individuals, together with People.

For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware's ability to invade a person's digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the internet.
