A security researcher has discovered a security issue in two phone-monitoring applications that expose the personal information of millions of users who have the apps installed on their devices without their knowledge.
Anyone can view the personal information—messages, images, call logs, and more—that has been exfiltrated from any phone or tablet that has been infected by Cocospy and Spyic, two mobile stalkerware programs with different names but essentially the same source code. Additionally, the vulnerability makes the email addresses of those who registered for Cocospy and Spyic visible in order to install the program on a user’s smartphone and secretly monitor them.
Products like Cocospy and Spyic, like other types of spyware, are made to stay undetected on a victim’s device while secretly and continuously transferring the data from that device to a dashboard that the person who planted the software can see. Because spyware can be so covert, most phone owners probably don’t realize their handsets have been compromised.
At the time of publication, neither the Cocospy nor Spyic operators responded to TechCrunch’s request for comment, nor did they address the issue.
The security researcher who found the bug told TechCrunch that it allows anyone to access the email address of the person who signed up for either of the two phone-monitoring apps.
The researcher collected 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug to scrape the data from the apps’ servers. The researcher provided the cache of email addresses to Troy Hunt, who runs data breach notification service Have I Been Pwned.
Spyic and Cocospy are the most current in a long line of surveillance technologies that have had security lapses in recent years, frequently due to bugs or inadequate security procedures. According to TechCrunch’s running tally, Cocospy and Spyic are now two of 23 known surveillance businesses that have had their highly sensitive customer and victim data compromised, hacked, or otherwise made public online since 2017.
Usually marketed as employee or parental control apps, phone monitoring apps like Cocospy and Spyic are also known as stalkerware (or spouseware) because some of these products specifically advertise their apps online as ways to spy on someone’s spouse or romantic partner without that person’s knowledge, which is against the law.
Stalkerware programs are typically downloaded straight from the stalkerware distributor because they are prohibited via app stores. Because of this, stalkerware apps typically need physical access to an Android device in order to be installed, frequently with the victim’s device passcode already known. Stalkerware can access data on iPhones and iPads that are saved in iCloud, Apple’s cloud storage service, by utilizing the user’s stolen Apple account credentials.
