This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
Dozens of employees from US federal law enforcement agencies and the armed forces have bought smartphone malware that can, in some cases, intercept Facebook messages, track GPS locations, and remotely activate a device’s microphone, according to a large cache of data stolen by a hacker and obtained by Motherboard.
The news highlights the popularity of consumer spyware not just among the general population, but also with members of the US government.
The spyware company in question is Mobistealth, which sells its products to monitor children and employees, but has also marketed malware to spy on spouses suspected of having an affair. Some label the malware as spouseware or stalkerware. Users need to have physical access to the Android or jailbroken iPhone device to install the software.
“If they are secretly having an affair with someone, then you will definitely come to know about it after going through their messages, be it SMS, iMessage, WhatsApp, Viber, LINE, Kik, or even Skype,” a Mobistealth blog post reads.
Contained in the Mobistealth data are customer accounts linked to email addresses from the FBI, DHS, TSA, ICE, and several different branches of the military. It’s not clear whether the individuals paid for the malware themselves or through their respective organizations.
But at least 40 of the Mobistealth accounts were connected to the US Army.
Chris Grey, the chief of public affairs for U.S. Army Criminal Investigation Command (CID), told Motherboard in an email “we take allegations of criminal hacking and wiretapping incidents very seriously, and anyone with knowledge of Army personnel involved with or impacted by this activity should immediately notify Army CID.” He added he was not aware of any investigations involving this particular piece of software. U.S. military wings were also implicated in a recent data leak of Anon-IB, showing Army IP addresses were linked to posts on the revenge porn site.
The hacker behind the breach told Motherboard, in sum, that hacking Mobistealth, as well as another spyware company they targeted, was relatively easy. That brings up all sorts of questions not only about why officials purchased the malware, but also about the potential consequences of buying sensitive tools from such vulnerable companies, especially while using their own government email addresses. Data showing an official bought a piece of malware for potentially illegal purposes could leave them open to blackmail. Conversely, data from another spyware company breach previously obtained by Motherboard showed the malware had been deployed on a law enforcement officer’s phone, exposing photos related to live investigations of suspects.
The FBI and DHS declined to comment, and the TSA did not provide a response in time for publication. None of the law enforcement or military Mobistealth customers responded to a request for comment.
It is difficult to determine why each individual user purchased malware from Mobistealth. It may have been used in an official capacity for their job, to monitor their children, or perhaps it was used illegally.
It’s possible to cross-reference different parts of the hacked data to see what type of phone each customer wanted to monitor. For example, taking the IMEI—a unique number given to each phone—that an FBI account is linked to, and searching for it in another database, shows the official bought software to surveil a BlackBerry phone. Army members monitored a selection of Android and iPhone devices.
While not talking about any individual in particular, Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, told Motherboard that “Cops abuse their romantic partners at much higher rates than the general population. So a member of law enforcement could buy this software for purposes of intimate partner abuse while having a convenient cover story of needing it for his job.”
Relying on data from another hacked spyware company, Motherboard previously reported that an officer from London’s Metropolitan Police Service (MPS) purchased powerful malware. Motherboard has since filed a formal complaint with a UK police oversight body asking for an independent investigation into the purchase, but the MPS has refused to look into the case.
The hacker who targeted Mobistealth said they saw that article, “and thought well if they aren't going to admit it, then let's find more police/gov/mil that use this kind of software and screw with them as well.”