TheTruthSpy, a popular piece of stalkerware that markets itself to customers who want to surreptitiously monitor the communications of their spouses, is exposing a wealth of data from phones that have the malware installed, including photos of children, pets, and others related to babies.
The news is the latest in a long series of data breaches, exposures, and hacks affecting stalkerware, whose products are often used by abusive partners or which expose sensitive data of children. While the use of stalkerware is already an invasion of privacy by the person who installs it on the victim's phone, the invasion is made worse by the fact that many of the companies who market and sell this software have poor cybersecurity practices and further expose the data on people's phones to hackers or the general public. The Federal Trade Commission has previously acted against companies after Motherboard reported that they exposed the data of children.
The images from TruthSpy Motherboard obtained include a young boy looking straight at a camera, a photo taken of what appears to be a baby’s soiled diaper, an image of a pet cat, and other images clearly taken inside someone's home. These images were available to anyone who visited a particular URL on TheTruthSpy’s website.
Do you know anything else about stalkerware or know of another stalkerware breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Last week a tipster provided Motherboard with a link to a Tor onion service that hosted a selection of data taken from TheTruthSpy. A readme file included in the data dump included the specific URL that the images were available from on TheTruthSpy’s website. Motherboard verified that as of Wednesday, the images were still available for download. The released data also included a selection of apparent GPS locations of victims’ phones.
Once installed on a victim’s phone, TheTruthSpy is able to intercept phone calls, siphon photos, read WhatsApp messages, track the phone’s GPS location, and much more. These photos are then uploaded to TheTruthSpy’s servers where the user of the stalkerware can log in via a dashboard and view the collected material.
“If you feel like your spouse is cheating on you, you need to spy on their phone. If they are mostly chatting, you can spy on the text messages to secretly read them. You have to use the TheTruthSpy Spying App with a text message spy feature. It will give you all the information from the phone,” a 2021 blog post on TheTruthSpy’s website reads.
TheTruthSpy is part of a network of stalkerware apps that all use infrastructure maintained by a Vietnam-based company called 1Byte. As TechCrunch reported in February, 1Byte is exposing the data of an entire fleet of stalkerware apps. TheTruthSpy data that Motherboard obtained appears to be related to that underlying vulnerability.
This isn’t even the first time that TheTruthSpy data has been hacked or had data exposed. In 2018, a hacker told Motherboard they gained access to the company’s servers and that there were over 10,000 TheTruthSpy customers.
TheTruthSpy did not respond to a request for comment.
In 2019, the FTC banned stalkerware company Retina-X and its owner James N. Johns Jr. from making any further mobile monitoring products unless they took steps to ensure the software was only used for legitimate purposes. The move came after Motherboard reported that Retina-X was hacked, twice.
The FTC said at the time that Retina-X and Johns violated the FTC Act's prohibition against unfair and deceptive practices, as well as the Children's Online Privacy Protection Act (COPPA), which requires companies to protect the data of under 13 year olds.