This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
It just keeps happening. A hacker has targeted a company selling Android spyware marketed to monitor children, employees, and previously romantic partners.
This data breach is the latest in an ever increasing list of vigilante hackers focusing on the consumer spyware industry, some parts of which have been linked to illegal stalking and spying by abusive partners.
“These spy apps should be out of market, most people spy on girls and [their] data image […] always sensitive,” the hacker wrote in a message to an intermediary who then shared it with Motherboard. “No one have rights to do that and same these apps and provider making money by doing this.”
The targeted company is SpyHuman, an India-based firm which offers software to monitor Android devices. According to the company’s website, once installed on a device an attacker has physical access to, SpyHuman’s software can intercept phone calls and text messages, track GPS locations, read WhatsApp and Facebook messages, and remotely turn on the device’s microphone. All of the collected data is then presented in a dashboard for the user to view.
At the time of writing, SpyHuman’s website focuses on employee and children monitoring, and does not explicitly mention one of the most popular uses for surveillance software—tracking partners, spouses, or lovers, often illegally and without consent. However, several review websites and social media posts do push the app for such purposes, and archives of particular SpyHuman pages include phrases such as “know if your partner is cheating on you,” and suggests monitoring your husband’s texts in case he is having an affair.
The stolen data itself includes the content of apparent text messages and call metadata—the phone number an infected device dialled or received a call from, and for how long and on what date—exfiltrated by SpyHuman’s malware. Motherboard obtained a sample of stolen data through the hacker’s intermediary, French security researcher Baptiste Robert.
Robert, who goes by the handle @fs0c131y, said he verified the vulnerability and that over 440,000,000 call details were available via the site.
The stolen data itself includes the content of apparent text messages and call metadata.
The intermediary also shared a video filmed by the hacker, in which they demonstrate how to exploit a basic security issue in the site to obtain the customer data. After logging in to SpyHuman—users can make a free account—the hacker shows an empty screen where SMS logs will appear once collected by the malware. Then, the hacker makes a particular change to the URL, revealing a stream of other user’s SMS messages.
“U at home or out,” one of the messages reads. “Can I call you later?” reads another. Some of the messages are in Hindi, and related searches to the company provided by Google include “spy human in hindi."
Motherboard did not find specific evidence of what sort of people the software was used to monitor, be those children, employees, or spouses.
Included in the video are two email addresses seemingly belonging to customers. To verify that this video was indeed filmed on the SpyHuman site, Motherboard attempted to sign up to SpyHuman’s site with those email addresses. This failed, because the email address had already been registered to SpyHuman.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
In an email SpyHuman confirmed the stolen data belonged to its site.
“We deeply care about our customers and the privacy of our customers' data. After your email, we immediately took actions to secure our system,” the company wrote.
As for curbing abuse of its product, Spy Human wrote that “As a precaution, at an initial stage of our app installation, we always ask users that for what purposes they are installing this app in the target device. If they select child or employee monitoring then our app stays hidden and operate in stealth mode. Otherwise, it will create visible Icon so that one can know that such app is installed on his/her devices.” However, someone intending to spy on their partner or spouse could theoretically just select the option to hide the software on the target device.
Last year, Motherboard obtained data from two other consumer spyware companies, Flexispy and Retina-X. At the time of the breach, FlexiSpy described the incident as “false news.” After one hacker repeatedly wiped the servers of Retina-X, the company decided to shut down its surveillance software completely this March.
In February, another hacker provided Motherboard with data from Mobistealth and Spy Master Pro, two other companies in the same industry. Some of Mobistealth’s customers included employees from the FBI, ICE, and the DHS.
Update: This piece has been updated to include extra information from Baptiste Robert.