The consumer spyware operation called TheTruthSpy poses an ongoing security and privacy risk to thousands of people whose Android devices are unknowingly compromised by its mobile surveillance apps, in part because of a simple security flaw that its operators never fixed.
Now, two groups of hackers have independently discovered the flaw, which allows mass access to the data stolen from victims’ mobile devices directly from TheTruthSpy’s servers.
Switzerland-based hacker Maia Arson Crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who received a cache of TheTruthSpy victim data from ByteMeCrew, also described the discovery of several new security vulnerabilities in TheTruthSpy’s software stack.
SPYWARE SEARCH TOOL
You can check if your Android phone or tablet has been compromised here.
Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis. The data included the unique IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy. TechCrunch verified that the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of devices previously known to be compromised by TheTruthSpy, as discovered during an earlier TechCrunch investigation.
The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows that TheTruthSpy continues to actively spy on large numbers of victims in Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.
TechCrunch added the latest unique identifiers (around 50,000 new Android devices) to its free spyware lookup tool, which lets you check whether your Android device has been compromised by TheTruthSpy.
Security bug in TheTruthSpy exposed victims’ device data
For a while, TheTruthSpy was one of the most prolific apps for facilitating covert mobile device monitoring.
TheTruthSpy is part of a fleet of nearly identical Android spyware apps, including Copy9 and iSpyoo, that are covertly installed on a person’s device, usually by someone who knows their passcode. These apps are called “stalkerware” or “spouseware” because of their ability to illegally track and monitor people, often spouses, without their knowledge.
Apps like TheTruthSpy are designed to stay hidden from the home screen, making them difficult to identify and remove, while continuously uploading the contents of a victim’s phone to a dashboard visible to the attacker.
But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it stole.
As part of an investigation into consumer spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability which exposes the victim’s phone data stored on TheTruthSpy servers. The bug is particularly damaging because it is extremely easy to exploit and grants unlimited remote access to all data collected on a victim’s Android device, including their text messages, photos, call records, and precise real-time location data.
But the operators behind TheTruthSpy never fixed the bug, putting victims at risk of having their data further compromised. Only limited information about the bug, known as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug because of the ongoing risk it poses to victims.
Given the simplicity of the bug, its public exploitation was only a matter of time.
TheTruthSpy linked to Vietnam-based startup 1Byte
This is the latest in a series of security incidents involving TheTruthSpy and, by extension, hundreds of thousands of people whose devices were compromised and their data stolen.
In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to notify victims without potentially also alerting their attackers, TechCrunch built a spyware lookup tool that lets anyone check for themselves whether their device has been compromised.
The lookup tool checks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also published a guide on how to remove TheTruthSpy spyware, if it is safe to do so.
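The following is an added example of how a lookup tool of the kind described above can be built; it is not TechCrunch’s code. It assumes the tool holds only SHA-256 fingerprints of the known-compromised identifiers rather than the raw list, validates a pasted IMEI with the Luhn check digit so typos are rejected before a lookup, and accepts Android advertising IDs in UUID form. The identifiers in the sample list are constructed for the example and are not from any leaked data.

```python
import hashlib
import re

# Constructed sample standing in for the list of identifiers known to be
# compromised. These values are made up for the example, not from leaked data.
KNOWN_COMPROMISED_IMEIS = ["490154203237518", "356938035643809"]
KNOWN_COMPROMISED_AD_IDS = ["38400000-8cf0-11bd-b23e-10b96e40000d"]

# Android advertising IDs have the 8-4-4-4-12 hex shape of a UUID.
AD_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which an IMEI's 15th (check) digit must satisfy."""
    total = 0
    for pos, ch in enumerate(reversed(digits), start=1):
        d = int(ch)
        if pos % 2 == 0:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str):
    """Strip separators users paste in ('49-015420-...'); require 15 Luhn-valid digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 15 or not luhn_valid(digits):
        return None
    return digits


def normalize_ad_id(raw: str):
    """Lowercase and trim, then require the UUID shape of an advertising ID."""
    value = raw.strip().lower()
    return value if AD_ID_RE.match(value) else None


def fingerprint(value: str) -> str:
    """SHA-256 of a normalized identifier; the tool stores only these, not raw IDs."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()


# Built once from the (constructed) list; a real tool would load it from storage.
COMPROMISED_FINGERPRINTS = {
    fingerprint(v) for v in KNOWN_COMPROMISED_IMEIS + KNOWN_COMPROMISED_AD_IDS
}


def check_device(identifier: str) -> dict:
    """Classify the pasted value, normalize it, and report whether it is on the list.

    The advertising-ID shape is tried first because it can never collide with a
    bare 15-digit IMEI, while a hex ID could contain exactly 15 digits.
    """
    ad_id = normalize_ad_id(identifier)
    if ad_id is not None:
        return {"kind": "ad_id", "value": ad_id,
                "compromised": fingerprint(ad_id) in COMPROMISED_FINGERPRINTS}
    imei = normalize_imei(identifier)
    if imei is not None:
        return {"kind": "imei", "value": imei,
                "compromised": fingerprint(imei) in COMPROMISED_FINGERPRINTS}
    return {"kind": "invalid", "value": None, "compromised": False}


if __name__ == "__main__":
    for sample in ["49-015420-323751-8", "490154203237519",
                   "38400000-8CF0-11BD-B23E-10B96E40000D", "000000000000000", "hello"]:
        print(sample, "->", check_device(sample))
```

Storing fingerprints rather than raw identifiers means the tool itself is not a second copy of the victim list if its storage leaks, and rejecting values that fail the IMEI check digit avoids reporting a false “not compromised” for a mistyped number.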
But TheTruthSpy’s poor security practices and server leaks also helped reveal the real identities of the developers behind the operation, who had gone to considerable lengths to conceal their identities.
TechCrunch later discovered that a Vietnam-based startup called 1Byte was behind TheTruthSpy. Our investigation revealed that 1Byte has made millions of dollars over the years from its spyware operations by funneling customer payments into Stripe and PayPal accounts created under false U.S. identities using fake U.S. passports, Social Security numbers and other forged documents.
Our investigation revealed that the fake identities were linked to bank accounts in Vietnam managed by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy made over $2 million in customer payments.
PayPal and Stripe have suspended the spyware maker’s accounts following recent investigations by TechCrunch, as have the US-based web hosting companies that 1Byte used to host the spyware operation’s infrastructure and store victims’ vast banks of stolen phone data.
After U.S. web hosts booted TheTruthSpy from their networks, the spyware operation moved to servers in Moldova run by a host called AlexHost, operated by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.
Although hampered and degraded, TheTruthSpy still actively facilitates the surveillance of thousands of people, including Americans.
As long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not only because of the spyware’s ability to invade a person’s digital life, but also because TheTruthSpy cannot prevent the data it steals from spreading across the Internet.