A huge cache of leaked data reveals the inner workings of a stalkerware operation that spies on hundreds of thousands of people around the world, including Americans.
The leaked data includes call logs, text messages, precise location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware applications, including TheTruthSpy, Copy9, MxSpy and others.
These Android apps are implanted by someone with physical access to a person's device. They are designed to stay hidden from the home screen while constantly and silently uploading the phone's contents without the owner's knowledge.
Spyware Search Tool
You can check to see if your Android phone or tablet has been hacked over here.
Months after publishing our investigation that exposed the stalkerware operation, a TechCrunch source provided tens of gigabytes of data dumped from the stalkerware's servers. The cache contains the core database of the stalkerware operation, which includes detailed logs on every Android device compromised by any of the stalkerware apps in TheTruthSpy's network since early 2019 (although some logs go back earlier), along with the device data that was stolen.
Since the victims had no idea that their device's data had been stolen, TechCrunch extracted every unique device ID from the leaked database and built a search tool to allow anyone to check whether their device had been compromised by any of the stalkerware applications up to April 2022, when the data was dumped.
TechCrunch has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand the scale of the operation. Our analysis shows that TheTruthSpy's network is enormous, with victims on every continent and in nearly every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat it, despite the growing threat it poses to victims.
First, a word about the data. The database is about 34 GB in size and consists of metadata, such as times and dates, as well as text-based content, such as call logs, text messages and location data. It even includes the names of the Wi-Fi networks a device connected to and whatever was copied and pasted from the phone's clipboard, including passwords and two-factor authentication codes. The database did not contain media, photos, videos, or call recordings taken from victims' devices. Instead it recorded information about each file, such as when a photo or video was taken and when and for how long calls were recorded, allowing us to determine how much content was taken from victims' devices and when. Each compromised device uploaded a varying amount of data depending on how long the device was compromised and the available network coverage.
TechCrunch examined data from March 4 to April 14, 2022, or six weeks of the most recent data stored in the database at the time of the leak. It is possible that TheTruthSpy's servers keep some data, such as call logs and location data, for only a few weeks, but keep other content, such as photos and text messages, for a longer period.
This is what we found.
The database contains about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices have been compromised by the operation so far and how many people are affected. The database also contains the email addresses of everyone who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting it on a victim's device, or about 337,000 users. That's because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.
About 9,400 new devices were hacked during the six-week period, our analysis shows, amounting to hundreds of new devices every day.
The database stored 608,966 location data points over the same six-week period. We plotted the data and created a time-lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-ranging TheTruthSpy's operation is. The animation is zoomed out to the world level to protect individuals' privacy, but the data is highly granular and shows victims in transportation hubs, places of worship and other sensitive locations.
By country, the United States ranked first with more location data points (278,861) than any other country during the six-week period. India ranked second in the number of location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom fifth (12,801).
Canada, Nepal, Israel, Ghana and Tanzania are also included in the top ten countries by volume of location data.
The database contained a total of 1.2 million text messages, including the recipient’s contact name, and 4.42 million call records during the six-week period, including detailed records of who called whom, for how long, the contact’s name and phone number.
TechCrunch has seen evidence that data was likely collected from children's phones.
The data showed that these stalkerware apps also recorded the contents of thousands of calls over the six weeks. The database contains 179,055 entries for call recording files that are stored on another TheTruthSpy server. Our analysis correlated records of the dates and times of call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on US states that have stricter phone call recording laws, which require that more than one person (or everyone) on the line agree that the call can be recorded or be in violation of government wiretapping laws. Most US states have laws that require at least one person to consent to the recording, but stalkerware is by its nature designed to operate without the victim's knowledge at all.
We found evidence that 164 compromised devices in 11 states recorded thousands of calls over the six-week period without the devices' owners knowing. Most of the devices were located in densely populated states such as California and Illinois.
The database also contained 473,211 records of photos and videos uploaded from compromised phones during the six weeks, including screenshots, photos received from messaging apps and saved to the camera roll, and file names, which can reveal information about the file. The database also contained 454,641 records of data captured from the user's keyboard, a feature known as a keylogger, which included sensitive credentials and tokens pasted from password managers and other applications. It also includes 231,550 records of the networks each device connected to, such as the Wi-Fi names of hotels, workplaces, apartments, airports, and other guessable locations.
TheTruthSpy's operation is the latest in a long line of stalkerware apps to expose victims' data because of security flaws that later led to a breach.
While it's not illegal to own stalkerware, using it to record people's private calls and conversations without their consent is illegal under federal and many state wiretapping laws. But while it is illegal to sell phone monitoring apps for the sole purpose of recording private messages, many stalkerware apps are sold under the guise of baby monitoring software, yet they are often misused to spy on the phones of spouses and domestic partners.
Cybersecurity companies and antivirus vendors lead much of the effort against stalkerware, working to block unwanted malware from users' devices. The Alliance Against Stalkerware, launched in 2019, shares resources and samples of known stalkerware so that information about new and emerging threats can be shared with other cybersecurity companies and automatically blocked at the device level. The Alliance's website has more about what tech companies can do to detect and block stalkerware.
But only a few stalkerware operators, such as Retina X and SpyFone, have faced penalties from federal regulators such as the Federal Trade Commission (FTC) for enabling widespread surveillance. The FTC has relied on new legal approaches to bring charges over poor cybersecurity practices and data breaches, which fall more closely within its regulatory purview.
When TechCrunch reached out for comment prior to publication, an FTC spokesperson said the agency does not comment on whether it is investigating a particular matter.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential, 24/7 support for victims of domestic violence. If you're in an emergency, call 911. The Alliance Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or by email.