A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed.
Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to someone else.
This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy — and its many competitors — cannot be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators.
To date, TechCrunch has counted at least 26 spyware operations that’ve leaked, exposed, or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.
TechCrunch verified the vulnerability by providing the researcher with the username of several test accounts. The researcher quickly changed the passwords on the accounts. Wade attempted to contact the owner of TheTruthSpy to alert him of the flaw, but he did not receive any response.
When contacted by TechCrunch, the spyware operation’s head Van (Vardy) Thieu said he “lost” the source code and cannot fix the bug.
As of publication, the vulnerability still exists and presents a significant risk to the thousands of people whose phones are believed to be unknowingly compromised by TheTruthSpy’s spyware.
Given the risk to the general public, we’re not describing the vulnerability in more detail so as to not help malicious actors.
A brief history of TheTruthSpy’s many security flaws
TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the web.
TheTruthSpy is developed by 1Byte Software, a Vietnam-based spyware maker run by Thieu, its director. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9, and since-defunct brands iSpyoo, MxSpy, and others. The spyware apps share the same back-end dashboards that TheTruthSpy’s customers use to access their victim’s stolen phone data.
As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or whitelabeled spyware app that relies on TheTruthSpy’s underlying code.
As part of an investigation into the stalkerware industry in 2021, TechCrunch found that TheTruthSpy had a security bug that was exposing the private data of its 400,000 victims to anyone on the internet. The exposed data included the victims’ most personal information, including their private messages, photos, call logs, and their historical location data.
TechCrunch later received a cache of files from TheTruthSpy’s servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. While the list of devices did not contain enough information to personally identify each victim, it allowed TechCrunch to build a spyware lookup tool for any potential victim to check whether their phone was found in the list.
Our subsequent reporting, based on hundreds of leaked documents from 1Byte’s servers sent to TechCrunch, revealed that TheTruthSpy relied on a massive money-laundering operation that used forged documents and false identities to skirt restrictions put in place by credit card processors on spyware operations. The scheme allowed TheTruthSpy to funnel millions of dollars of illicit customer payments into bank accounts around the world controlled by its operators.
In late 2023, TheTruthSpy had another data breach, exposing the private data on another 50,000 new victims. TechCrunch was sent a copy of this data, and we added the updated records to our lookup tool.
TheTruthSpy, still exposing data, rebrands to PhoneParental
As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.
Thieu continues to be active in the development of phone monitoring software, as well as the ongoing facilitation of surveillance.
According to a recent analysis of TheTruthSpy’s current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed by Thieu called the JFramework (previously known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to share data back to its servers.
In an email, Thieu said he was rebuilding the apps from scratch, including a new phone monitoring app called MyPhones.app. A network analysis test performed by TechCrunch shows MyPhones.app relies on the JFramework for its back-end operations, the same system used by TheTruthSpy.
TechCrunch has an explainer on how to identify and remove stalkerware from your phone.
TheTruthSpy, much like other stalkerware operators, remains a threat to the victims whose phones are compromised by its apps, not just because of the highly sensitive data that they steal, but because these operations continually prove that they cannot keep their victim’s data safe.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.