Stalkerware apps go dark after data breach

A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too.

Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices.

The bug was so easy to exploit that Techcrunch and the researcher involved wouldn’t divulge it, to protect the compromised details.

Now, the apps have gone dark. Techcrunch revealed that the software has stopped working, and the websites advertising it have disappeared. The spyware’s Amazon Web Services storage has also been deleted. The publication speculated that the apps, which were branded separately but looked nearly identical, were possibly shut down to avoid legal repercussions over the data leak.

Stalkerware apps are designed to hide themselves once installed on a person’s phone. They collect data including the location of the device, messages sent by the user, and their contacts.

Spyzie’s web site, now no longer available, marketed the software as a tool to keep an eye on your kids. It advertised itself as “100% hidden and invisible so you never get caught”. It also offered to collect their browser history, WhatsApp messages (including deleted ones), Facebook messages, and call logs. Spyzie claimed to have over a million users in more than 190 countries.

These aren’t the only three apps that the same organization took down. According to archived records of the Spyzie site, it was operated by FamiSoft Limited. That company also produced another app targeting kids called Teensafe (its website is also now down). Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy.

Stalkerware is typically installed by those with direct access to a user’s phone or computer, and typically doesn’t need you to root or jailbreak the device. Spyzie targeted both Android and iPhone platforms. While frequently marketed as a way to keep children safe, theses are also frequently used by abusive partners or ex-partners, as explained by the Federal Trade Commission. The Coalition against Stalkerware, of which Malwabytes is a founding member, offers advice on what to do if you’re being targeted by a stalker.

There have been several instances over the years of stalkerware apps leaking data. It’s especially pernicious because in many cases it isn’t just the email addresses of the stalkerware’s customers that is compromised; it’s the personal details of the people whose phones are being spied upon.

Those people may often not be aware that they’re being surveilled, or might have been forced to install the software against their wishes. They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely. If a customer really is using such software as a way of protecting their children, they might want to reconsider their choices.

Are you a victim of domestic abuse, or are you worried that someone else is? If you’re in the US, you can contact the National Domestic Abuse Hotline. If you’re in the UK, the government has a useful resource page to help victims and the charity Refuge operates a hotline.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.