A consumer-grade spyware operation known as TheTruthSpy poses an ongoing security and privacy threat to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least because of a simple security flaw that its operators never fixed.
Now, two hacking groups have independently found the flaw that allows the mass access of victims’ stolen mobile device data directly from TheTruthSpy’s servers.
Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy’s victim data from ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy’s software stack.
SPYWARE LOOKUP TOOL
You can check to see if your Android phone or tablet was compromised here.
Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy. TechCrunch verified the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of earlier devices known to be compromised by TheTruthSpy, as found during an earlier TechCrunch investigation.
The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom, and elsewhere.
TechCrunch has added the latest unique identifiers — about 50,000 new Android devices — to our free spyware lookup tool that lets you check if your Android device was compromised by TheTruthSpy.
Security bug in TheTruthSpy exposed victims’ device data
For a time, TheTruthSpy was one of the most prolific apps for facilitating secret mobile device surveillance.
TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9 and iSpyoo and others, that are stealthily planted on a person’s device by someone who usually has knowledge of their passcode. These apps are known as “stalkerware,” or “spouseware,” for their ability to illegally track and monitor people, often spouses, without their knowledge.
Apps like TheTruthSpy are designed to stay hidden on home screens, making these apps difficult to identify and remove, all the while continuously uploading the contents of a victim’s phone to a dashboard viewable by the abuser.
But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.
As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim’s phone data stored on TheTruthSpy’s servers. The bug is particularly damaging because it is extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device, including their text messages, photos, call recordings, and precise real-time location data.
But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited information about the bug, known as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug because of the ongoing risk it poses to victims.
Given the simplicity of the bug, its public exploitation was only a matter of time.
TheTruthSpy linked to Vietnam-based startup, 1Byte
This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.
In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and without potentially alerting their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves if their devices were compromised.
The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware — if it is safe to do so.
But TheTruthSpy’s poor security practices and leaky servers also helped to expose the real-world identities of the developers behind the operation, who had taken considerable efforts to conceal their identities.
TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.
Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy made over $2 million in customer payments.
PayPal and Stripe suspended the spyware maker’s accounts following recent inquiries from TechCrunch, as did the U.S.-based web hosting companies that 1Byte used to host the spyware operation’s infrastructure and store the vast banks of victims’ stolen phone data.
After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation is now hosted on servers in Moldova by a web host called AlexHost, run by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.
Though hobbled and degraded, TheTruthSpy still actively facilitates surveillance on thousands of people, including Americans.
For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware’s ability to invade a person’s digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the internet.