A stalkerware company whose product is designed to let customers spy on their spouses', children's, or employees' devices is exposing victims' data, allowing anyone on the internet to see screenshots of phones simply by visiting a specific URL.
The news highlights the continuing lax security practices that many stalkerware companies use; not only do these companies sometimes market their tools specifically for illegal surveillance, but the targets are re-victimized by these breaches. In recent years the Federal Trade Commission (FTC) has acted against stalkerware companies for exposing victim data.
The stalkerware company, called pcTattleTale, offers the malware for Windows computers and Android phones.
"Discover their secret online lives right from your phone or computer," a Facebook post from pcTattleTale reads. "pcTattletale is a popular keylogger and montoring [sic] app that you can use to see what you [sic] kids, spouse, or employees are doing online."
Do you work for a stalkerware company? Do you know about any other data breaches of stalkerware companies? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
Security researcher Jo Coscia showed Motherboard that pcTattleTale uploads victim data to an AWS server that requires no authentication to view specific images. Coscia said they found this by using a trial version of the stalkerware. Motherboard also downloaded a copy of the trial version of pcTattleTale and verified Coscia's findings.
The URL for images that pcTattleTale captures is constructed from the device ID—a code pcTattleTale assigns to the infected device that appears to be sequentially generated—the date, and a timestamp. Theoretically, an attacker could churn through different URL combinations to discover images uploaded by other infected devices. Coscia provided Motherboard with the URL for one image uploaded by their test device. Motherboard was then able to use a simple script Coscia provided to quickly discover other URLs for images that the test device had also uploaded. Motherboard never encountered any rate limiting, which would have prevented a script from quickly and automatically churning through requests to the server for more data. Such a script can be used to surface all the images captured from a specific device, and theoretically could discover new devices altogether.
In practice, the number of URL components an attacker would have to brute force, and in particular the timestamp, which has one-second resolution, may make it troublesome to discover more exposed victim devices. But pcTattleTale's decision not to require any authentication on victim images does make it a possibility.
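The weakness described above is a predictable object path served without any authorization check. The following added example (not pcTattleTale's code and not the AWS API; the exact key layout and the `storage.example` host are assumptions for illustration) reproduces the shape of that scheme so its predictability can be measured, and contrasts it with the standard mitigation: an unguessable per-capture key plus an HMAC-signed, time-limited link that the storage front end verifies before serving anything.

```python
"""Predictable, unauthenticated object URLs versus signed, expiring ones.

Added illustration, not code from pcTattleTale or AWS. The key layouts and
the storage host are constructed for the example.
"""
import hashlib
import hmac
import math
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side secret; in production it lives in a secrets manager.
SERVER_SECRET = secrets.token_bytes(32)
# Hypothetical storage host used for the example URLs.
STORAGE_HOST = "https://storage.example"


def weak_key(device_id: int, day: str, ts: str) -> str:
    """Shape of the scheme the article describes (exact layout assumed):
    sequential device ID + date + one-second timestamp, no authentication."""
    return f"{device_id}/{day}/{ts}.jpg"


def weak_guess_bits(max_device_id: int, days: int) -> float:
    """Bits of uncertainty an unauthenticated reader faces per image under
    weak_key: every component is structured, so only the size of the
    ranges protects the data (a 128-bit random token is the comparison)."""
    return math.log2(max_device_id * days * 86400)


def hardened_key(device_id: int) -> str:
    """Per-capture key containing a 128-bit random token; nothing in one
    path can be derived from another capture's path."""
    return f"{device_id}/{secrets.token_urlsafe(16)}.jpg"


def sign_url(key: str, expires_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Issue a time-limited link. The application must only call this after
    it has authenticated the account that owns `key`."""
    msg = f"{key}\n{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{STORAGE_HOST}/{key}?" + urlencode({"exp": expires_at, "sig": sig})


def verify_url(url: str, now: int, secret: bytes = SERVER_SECRET) -> bool:
    """What the storage front end checks before serving a byte: the link is
    unexpired and its signature covers exactly this key and this expiry."""
    parts = urlsplit(url)
    key = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires_at:
        return False
    expected = hmac.new(secret, f"{key}\n{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature.
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Exercise both schemes with constructed values."""
    now = 1_700_000_000
    key = hardened_key(device_id=4711)
    good = sign_url(key, now + 300)
    # Same path with the expiry pushed out: the signature no longer matches.
    tampered = good.replace(f"exp={now + 300}", f"exp={now + 86400}")
    other_key = hardened_key(device_id=4711)
    return {
        "weak_bits": weak_guess_bits(max_device_id=100_000, days=365),
        "valid": verify_url(good, now),
        "expired": verify_url(good, now + 301),
        "tampered_expiry": verify_url(tampered, now),
        "unsigned": verify_url(f"{STORAGE_HOST}/{other_key}", now),
        "wrong_secret": verify_url(good, now, secret=b"x" * 32),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed ranges (100,000 device IDs over a year of one-second timestamps) the weak scheme offers roughly 41 bits of uncertainty, all of it structured; the hardened key carries 128 random bits and, on top of that, the front end refuses any request that is not freshly signed for an authenticated account. On AWS the built-in equivalent is an S3 bucket with public access blocked and links issued as presigned URLs (for example via boto3's `generate_presigned_url`), which is exactly the authentication step the article says was missing.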
Coscia said they used the free trial version of pcTattleTale when discovering the issue. In promotional emails, pcTattleTale said it would delete users' data after the free trial expired. But Coscia found the screenshots were still accessible after their free trial period ended.
"Last week you put the pcTattletale free trial on your computer. It has recorded loads of things for you to see. But... All those recordings are marked to be deleted later today. I want to give you one last chance to sign in and activate your free trial," the email, that Coscia shared with Motherboard, reads. "After today pcTattletale will stop recording and all recorded data will be deleted forever."
pcTattleTale’s owner Bryan Fleming told Motherboard in an email that "Yes it does delete the data. I keep it there a little longer. A lot of people accidentally delete their devices and let the trial expire... Then of course they need the screen shots back."
In one video online, Fleming said he built the code for pcTattleTale in 2003 over the better part of a year before launching it. Then he rewrote the code base when he bought out his business partner in 2012, he added. At one point Fleming complains about his server crashing because more and more people are using the service. Later on he says that pcTattleTale receives about 40,000 unique visitors a month.
"The market's good, you know," he said.
"To catch a cheating spouse using an android phone you will need to know their passcode and have access to the phone for about 5 minutes. The best time to do this is when they are sleeping," one guide on the company's website reads. Another post from the company tells users how to trick their spouse into handing over their iCloud password.
In marketing posts, pcTattleTale is explicit about its intention to remain hidden from an unsuspecting victim who has likely not consented to being monitored. In one guide, the company explains how to stop the infected phone from displaying the app on the home screen. In another, pcTattleTale explains how to "turn off Android's Pesky Chromecast Icon," which can signal to a victim that their activity is being monitored.
"If your device is running a newer version of Android (7 or newer) make sure to turn off notifications and icons. Otherwise they will find pcTattletale and stop it from working," the company tells new users in a welcome email, according to Motherboard's tests.
In Motherboard's test, after installation and setup the pcTattleTale application hid itself from the home screen, making it harder for an ordinary user to detect the malware.
pcTattleTale also advises users on how to stop antivirus software from interfering with the spyware's operation.
"Norton 360 will definitely not like pcTattletale recording your workstations," one June Facebook post from the company reads, before giving instructions on how to try and get the antivirus software to ignore pcTattletale. Another Facebook post gives tips on how to circumvent other antivirus software made by Sophos.
The FTC declined to comment specifically on whether the agency has considered or is investigating pcTattleTale. The agency instead pointed to an earlier quote from Samuel Levine, acting director of the FTC's Bureau of Consumer Protection, regarding the FTC's recent enforcement action against another stalkerware vendor called SpyFone. In that case, the FTC banned SpyFone and its CEO Scott Zuckerman from working in the surveillance business at all.
"SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information," Levine said. "The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."