TheTruthSpy is at it again. A security researcher has discovered a flaw in the Android-based stalkerware that allows anyone to compromise any record in the system.
TheTruthSpy stalkerware is designed to be installed surreptitiously on a victim’s Android phone. It then monitors that phone’s activities and sends the information it gathers back to a central server. On Monday, TechCrunch revealed—not for the first time—that the servers are vulnerable to attack. It found that anyone can reset the password of any account on the app, meaning they could hijack anyone’s data.
The security researcher, Swarang Wade, demonstrated the vulnerability to TechCrunch by changing the passwords on several test accounts. The publication isn’t revealing exactly how it was done, to prevent anyone from abusing the flaw.
TheTruthSpy gathers a lot of data about its victims. It provides the person who installed it with information about what calls or texts were made or received on the victim’s phone, and its location (harvested from the GPS), along with activities associated with messaging apps and files.
This isn’t the first time that TheTruthSpy has suffered from security issues:
This would all be very bad if people using the app knew that they were doing so, and that their personal usage data was stored online. But many of them are oblivious to the fact.
TheTruthSpy’s vendor, Vietnam-based 1Byte Software, warns that people must obtain consent before installing the app on someone else’s phone. However, it also specifically advertises a ‘stealth mode’, which makes it “completely invisible to users on phones/tablets where it’s installed.”
The software’s website touts its ability to spy on phone users as a way for parents to monitor and protect their children. That raises its own ethical questions, especially given the multiple data leaks. But that isn’t its only use. Abusers will use apps like these to monitor their current or ex-partners, or other stalking targets.
Once a victim has this installed on their phone without their knowledge, the installer can monitor their photos, social media interactions, emails, and internet browsing history. It will also record audio and log keystrokes without them being aware.
Van (Vardy) Thieu, owner of 1Byte Software, told TechCrunch that its source code was lost. He claimed to be building a new version from scratch, although TechCrunch’s reporters found that it was using the same vulnerable software library as the older version.
The software’s multiple bugs demonstrate just how dangerous it is to put this – or indeed any stalkerware app – on someone’s phone. The operators of these apps are often difficult to track down and hold accountable for their security issues.
How to check if you have stalkerware on your phone
What can you do if you suspect your phone might be infected with stalkerware? We think TechCrunch’s guide deserves a mention here, as does The Coalition Against Stalkerware, of which Malwarebytes is a founding member. The latter includes per-country links to organizations that help victims of domestic violence.
Keep in mind, however, that removing any stalkerware-type app will alert the person spying on you that you know the app is there.
Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.
- Open Malwarebytes on your Android device.
- Open the app’s dashboard.
- Tap Scan now.
- The scan may take a few minutes to complete.
If malware is detected you can act on it in the following ways:
- Uninstall: The threat will be deleted from your device.
- Ignore Always: The detection will be added to the Allow List and excluded from future scans. Legitimate files are sometimes detected as malware, so we recommend reviewing scan results and only adding files to Ignore Always that you know are safe and want to keep.
- Ignore Once: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete it. This option ignores the detection this time only; it will be detected as malware again on your next scan.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.