Stalking the stalkers

This is a post on the talk we are currently giving (10th of December 2022) at BSides London with Felipe Solferini.

Image source: Coalition Against Stalkerware

Stalkerware (or spouseware) is a growing threat. There have been many reports of abusers using this kind of application to track and monitor their spouses. This is a post expanding on the talk we are currently giving (10th of December 2022) at BSides London with Felipe Solferini.

TL;DR

We looked at some stalkerware networks (families) and found that a lot of them were not secure. We took a deeper dive and identified that around 2 million devices were being monitored at some point in the past decade across 7 different families.

Quick intro

In this post you are going to read about our 5-month journey of exposing multiple stalkerware family companies, and about the underlying issues that led to full or partial exposure of all their customer data. You are not going to find the zero-days that were used, as this would give access to the data of really vulnerable people. We also want to define what stalkerware is: any application that can be installed and hidden from the user and that transmits data (pictures, call data etc.) is considered stalkerware, even if it uses the pretext of monitoring teenagers.

Toolset

The following tools greatly helped in this research:

  • Burp Suite
  • Jadx Decompiler
  • Apklab.io
  • Mullvad
  • A small droplet on DigitalOcean
  • Our little cancerous Android phone (which ended up with more or less 6 different stalkerware applications installed at some point).
  • Revolut
  • Shodan.io

The procedure we followed was to first try to find a demo account and see if we could find anything exploitable from that (with no installation at all). Then, if we could download the APK, we would try to decompile it and find any sensitive information. If that did not work, APKLab would run it in its sandbox and we would parse the output to see if there was anything juicy in there (sometimes the C2 for the mobile application was different from the control panel). Finally, if all else failed, we installed it on our Android phones and tried to find vulnerabilities live. For certain families that had no demo but were deemed interesting enough, we used Revolut temporary cards to pay and create accounts.

The results were really depressing. We were able to acquire really sensitive information on all networks. The following is a list of some of the vulnerabilities that were found:

  • SQL injections
  • Remote command execution
  • Leaking private keys (Amazon, Alibaba and Azure)
  • Leaking S3 keys
  • Insecure direct object reference
  • Broken authentication
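
As an added example (not code from the original post or the authors' tooling): a small check an app developer could run over their own decompiled build output before release, to catch the embedded cloud credentials listed above. The patterns are heuristics for the AWS, Alibaba Cloud and Azure key formats, and the sample sources and key values are constructed.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Heuristic patterns (assumptions, not exhaustive) for embedded credentials.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "alibaba_access_key_id": re.compile(r"\bLTAI[0-9A-Za-z]{12,20}\b"),
    # Azure storage account keys are 64 bytes, i.e. 88 base64 chars ending "==".
    "azure_storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str

def redact(value: str) -> str:
    """Keep a 4-character prefix and the length so reports never hold the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan {path: file text} and return one Finding per credential-shaped match."""
    findings = []
    for path, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(path, lineno, kind, redact(match.group())))
    return findings

# Constructed sample: two files shaped like decompiler output, with fake keys.
SAMPLE = {
    "com/example/app/UploadConfig.java": (
        'public class UploadConfig {\n'
        '    static final String KEY_ID = "AKIAABCDEFGHIJKLMNOP";\n'
        '    static final String BUCKET = "example-bucket";\n'
        '}\n'
    ),
    "com/example/app/Backup.java": (
        'String conn = "DefaultEndpointsProtocol=https;AccountName=demo;'
        'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net";\n'
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Any hit means the credential ships to every device that installs the app, so it should be rotated and replaced with short-lived, narrowly scoped tokens issued by the backend.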

Stalkerware Families

The following list is unfortunately not a complete list of all the stalkerware that is out there. It is probably not even a complete list of the network members of each family, as they have a variety of marketing plans and reseller networks that are just getting a cut for selling their products. When tracing the parent companies, in some cases we made assumptions and we even failed to find the parent company. The word family is loosely used here to define a group of sites that share a common codebase and/or a database. This means that there is a reseller that is selling the "product" and many people that resell it under their own brand.

| Name | User Count | Company |
|---|---|---|
| The Truth Spy | 230,000 | 1BYTE |
| XNSPY | 60,000 | Konext |
| Cocospy | 20,000 | 711.icu |
| Mobistealth | 125,000 | <unknown> |
| Spymaster Pro | 8,000 | Netzens |
| SpyTrac | 1,300,000 | Support King |
| PcTattletale | 70,000 | Bryan Flemming |

Why go after so many?

As with previous research, we like to attack (and prove security problems in) an industry as a whole. Even more so an industry which is evil. We also got some kind of motivation from Eva's tweet.

1. TTS (The Truth Spy)

This network has already been exploited more than once, and TechCrunch had a great article on this. It is probably one of the biggest resellers in the market. Their current database has approximately 230,000 users, and they have the following list of websites.

From their database we can also see the association of each website with a shell company, but it all comes down to 1BYTE as their developer and reseller.

2. XNSPY

A big enough network (approximately 60,000 users) that seems to be actively marketed and handled by Konext. The application and network seem to be actively developed right now.

The website of the stalkerware is:

https://xnspy.com/

3. Cocospy

This was the trickiest network of all to trace back to its originating company, as the vulnerability we found did not allow us to fully dump a database. After a lot of digging and some luck, we have a strong indication that the company behind this network is 711.icu. The following websites are part of this network:

4. Mobistealth

A massive network of over 125,000 devices that seems to have been around for more than 10 years (installations go back to 2009). The company ownership is yet to be determined. The network was also compromised in 2018, as we can see here.

You can access it on the following url:

https://www.mobistealth.com/

5. Spymaster Pro

Speaking of networks that were compromised in 2018 (same article), Spymaster Pro seems to be dying down as a network. It has 8,000 devices (approximately 300 active in the past month). The company behind it is Netzens, as they proudly state in their admin panel.

You can access it on the following url:

https://www.spymasterpro.com/

6. SpyTrac

This was a network that we randomly found and that seemed to be really new (~1 year). Imagine our surprise when we found out that it had over 1.3 million devices registered. When we started digging, we found out that the company behind it was Support King. If that does not ring a bell to you, I am happy for you, as you have never looked at stalkerware before. Support King was fined by the FTC and ordered to remove everything and not work with this industry any more. Well... it seems they did not listen and rebranded everything as SpyTrac. The functionality that this panel and app have is by far the most complete of all. Together with its huge userbase, that makes it probably one of the scariest resellers of all.

You can access it on the following url:

https://spytrac.com/

7. PcTattletale

Even though it has an Android application, it is mostly known for its PC application that can be used to snoop on a spouse's computer. The application was not handling security at all, so it was possible to leak all the information about its approximately 60,000 users.

NO.

You can access it on the following url:

https://www.pctattletale.com/

Prevention

If you or someone you know needs help, reach out to your national Domestic Violence Hotline, which should provide help 24/7. If you are in an emergency situation, call your national police number. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware.

(Not) Honorable mention:

If you do some OSINT on all the websites, you are going to see that most of them are behind Cloudflare. This means that their far from secure code was just protected by a really good WAF. We found ways to bypass this (mostly with Shodan finding actual IPs), but it's worth mentioning that for Cloudflare (and for Amazon, Azure and other reputable hosting providers) spouseware is within their acceptable ToS.

Thanks:

We would like to thank both Eva Galperin, who greatly helps in getting more visibility into the huge stalkerware problem, and Zack Whittaker, who helped with OSINT searching and morally, as this kind of research is really stressful due to its nature. Last but not least, we would like to thank GoLang expert George Lavdanis, who created a properly scalable parsing solution to make millions of requests without having to wait for years.