A consumer-grade spyware operation known as TheTruthSpy poses an ongoing security and privacy threat to thousands of people whose Android devices are unknowingly compromised with its mobile surveillance apps, not least because of a simple security flaw that its operators never fixed.
Now, two hacking groups have independently found the flaw that allows mass access to victims' stolen mobile device data directly from TheTruthSpy's servers.
Switzerland-based hacker maia arson crimew said in a blog post that the hacking groups SiegedSec and ByteMeCrew identified and exploited the flaw in December 2023. Crimew, who was given a cache of TheTruthSpy's victim data by ByteMeCrew, also described finding several new security vulnerabilities in TheTruthSpy's software stack.
In a post on Telegram, SiegedSec and ByteMeCrew said they are not publicly releasing the breached data, given its highly sensitive nature.
Crimew provided TechCrunch with some of the breached TheTruthSpy data for verification and analysis, which included the unique device IMEI numbers and advertising IDs of tens of thousands of Android phones recently compromised by TheTruthSpy.
TechCrunch verified that the new data is authentic by matching some of the IMEI numbers and advertising IDs against a list of devices previously known to be compromised by TheTruthSpy, as found during an earlier TechCrunch investigation.
The latest batch of data includes the Android device identifiers of every phone and tablet compromised by TheTruthSpy up to and including December 2023. The data shows TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.
TechCrunch has added the latest unique identifiers (about 50,000 new Android devices) to our free spyware lookup tool, which lets you check whether your Android device was compromised by TheTruthSpy.
Security bug in TheTruthSpy exposed victims' device data
For a time, TheTruthSpy was one of the most prolific apps for facilitating secret mobile device surveillance.
TheTruthSpy is one of a fleet of near-identical Android spyware apps, including Copy9, iSpyoo and others, which are stealthily planted on a person's device by someone who typically knows their passcode. These apps are known as "stalkerware," or "spouseware," for their ability to illegally track and monitor people, often spouses, without their knowledge.
Apps like TheTruthSpy are designed to stay hidden from the home screen, making them difficult to identify and remove, all the while continuously uploading the contents of a victim's phone to a dashboard viewable by the abuser.
But while TheTruthSpy touted its powerful surveillance capabilities, the spyware operation paid little attention to the security of the data it was stealing.
As part of an investigation into consumer-grade spyware apps in February 2022, TechCrunch discovered that TheTruthSpy and its clone apps share a common vulnerability that exposes the victim's phone data stored on TheTruthSpy's servers. The bug is particularly damaging because it is extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim's Android device, including their text messages, photos, call recordings and precise real-time location data.
But the operators behind TheTruthSpy never fixed the bug, leaving its victims exposed to having their data further compromised. Only limited information about the bug, tracked as CVE-2022-0732, was subsequently disclosed, and TechCrunch continues to withhold details of the bug because of the ongoing risk it poses to victims.
Given the simplicity of the bug, its public exploitation was only a matter of time.
TheTruthSpy linked to Vietnam-based startup 1Byte
This is the latest in a streak of security incidents involving TheTruthSpy, and by extension the hundreds of thousands of people whose devices have been compromised and had their data stolen.
In June 2022, a source provided TechCrunch with leaked data containing records of every Android device ever compromised by TheTruthSpy. With no way to alert victims (and without potentially tipping off their abusers), TechCrunch built a spyware lookup tool to allow anyone to check for themselves whether their devices had been compromised.
The lookup tool looks for matches against a list of IMEI numbers and advertising IDs known to have been compromised by TheTruthSpy and its clone apps. TechCrunch also has a guide on how to remove TheTruthSpy spyware, if it is safe to do so.
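The following is an added example of how such an identifier lookup can be built; it is not TechCrunch's tool or code from the article. It normalises the two identifier types the text mentions (an IMEI, which it requires to be 15 digits with a valid Luhn check digit, and an Android advertising ID, which is a UUID) before comparing them against the list, so that formatting differences such as dashes or uppercase hex do not cause a missed match. The list is a constructed, fictitious sample, and storing it as SHA-256 digests rather than raw identifiers is a design choice assumed here, not a description of how TechCrunch stores its data.

```python
import hashlib
import re
import uuid

# Constructed sample of "known compromised" identifiers (fictitious, not victim data).
_RAW_COMPROMISED = [
    "490154203237518",                       # IMEI with a valid Luhn check digit
    "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",  # Android advertising ID (UUID)
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(value: str):
    """Strip spaces/dashes; accept only a 15-digit IMEI whose check digit is valid."""
    digits = re.sub(r"[\s-]", "", value)
    if not re.fullmatch(r"\d{15}", digits):
        return None
    if not luhn_valid(digits):
        return None
    return digits


def normalize_ad_id(value: str):
    """Accept any UUID spelling (braces, no dashes, uppercase) and return the canonical form."""
    try:
        return str(uuid.UUID(value.strip()))
    except ValueError:
        return None


def _digest(kind: str, ident: str) -> str:
    # Assumed design choice: the list holds SHA-256 digests, domain-separated by identifier type.
    return hashlib.sha256(f"{kind}:{ident}".encode()).hexdigest()


def build_compromised_set(raw_ids) -> set:
    """Normalise each listed identifier and store its digest; malformed entries are dropped."""
    hashes = set()
    for raw in raw_ids:
        imei = normalize_imei(raw)
        if imei:
            hashes.add(_digest("imei", imei))
            continue
        ad_id = normalize_ad_id(raw)
        if ad_id:
            hashes.add(_digest("adid", ad_id))
    return hashes


def check_device(identifier: str, compromised: set) -> str:
    """Return 'compromised', 'clean', or 'invalid' (not a well-formed IMEI or advertising ID)."""
    imei = normalize_imei(identifier)
    if imei:
        return "compromised" if _digest("imei", imei) in compromised else "clean"
    ad_id = normalize_ad_id(identifier)
    if ad_id:
        return "compromised" if _digest("adid", ad_id) in compromised else "clean"
    return "invalid"


COMPROMISED = build_compromised_set(_RAW_COMPROMISED)

if __name__ == "__main__":
    for probe in ("49-015420-323751-8", "A1B2C3D4E5F64A7B8C9D0E1F2A3B4C5D",
                  "356938035643809", "490154203237519", "not-an-id"):
        print(probe, "->", check_device(probe, COMPROMISED))
```

Rejecting an IMEI that fails the Luhn check matters in practice: a mistyped digit should produce "invalid" rather than a false "clean" that reassures a victim.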
But TheTruthSpy's poor security practices and leaky servers also helped to expose the real-world identities of the developers behind the operation, who had gone to considerable lengths to conceal them.
TechCrunch later found that a Vietnam-based startup called 1Byte is behind TheTruthSpy. Our investigation found that 1Byte made millions of dollars over the years in proceeds from its spyware operation by funneling customer payments into Stripe and PayPal accounts set up under false American identities using fake U.S. passports, Social Security numbers and other forged documents.
Our investigation found that the false identities were linked to bank accounts in Vietnam run by 1Byte employees and its director, Van Thieu. At its peak, TheTruthSpy took in over $2 million in customer payments.
PayPal and Stripe suspended the spyware maker's accounts following inquiries from TechCrunch, as did the U.S.-based hosting companies that 1Byte used to host the spyware operation's infrastructure and store the vast banks of victims' stolen phone data.
After the U.S. web hosts booted TheTruthSpy from their networks, the spyware operation moved to servers in Moldova run by a web host called AlexHost, operated by Alexandru Scutaru, which claims a policy of ignoring U.S. copyright takedown requests.
Though hobbled and degraded, TheTruthSpy still actively facilitates surveillance of thousands of people, including Americans.
For as long as it remains online and operational, TheTruthSpy will threaten the security and privacy of its victims, past and present. Not just because of the spyware's ability to invade a person's digital life, but because TheTruthSpy cannot keep the data it steals from spilling onto the internet.