Full Report
The trio of spyware apps — hacked earlier this year — no longer work.
Analysis Summary
# Incident Report: Mass Exposure of Stalkerware User Data and Subsequent Shutdown
## Executive Summary
Three popular, near-identical stalkerware applications (Cocospy, Spyic, and Spyzie) shared a security flaw that exposed the personal data of millions of people whose phones the apps had been planted on. A security researcher used the flaw to scrape 3.2 million email addresses of customers who had signed up for the services. After the flaw was made public, the services' websites and cloud storage went offline and the apps stopped working.
## Incident Details
- Discovery Date: February (year not stated in the source, which describes it as "earlier this year"), when a security researcher identified the flaw
- Incident Date: February (year not stated), when the vulnerability was disclosed and the customer data was scraped
- Affected Organization: Cocospy, Spyic, Spyzie (Providers of the surveillance software)
- Sector: Consumer Software/Surveillance Technology
- Geography: Global (affecting both the people whose phones were monitored and the customers who bought the software)
## Timeline of Events
### Initial Access
- Date/Time: February [Year Not Specified]
- Vector: Software Vulnerability / Poor Security Practices
- Details: A security flaw shared by the three near-identical applications allowed an outsider to reach the personal data harvested from monitored phones and the sign-up records of the services' customers.
### Exploitation
- **Data Scrape:** A security researcher used the vulnerability to scrape 3.2 million email addresses belonging to customers who had signed up for the spyware services.
### Data Exfiltration/Impact
- **Victim Data Exposure:** The apps gave whoever planted them access to the victim's messages, photos, call logs, and real-time location; the flaw exposed that harvested data to outsiders as well.
- **Customer Data Exposure:** 3.2 million customer email addresses were scraped and provided to the data breach notification site Have I Been Pwned.
### Detection & Response
- **Detection:** February (year not stated), when the security researcher reported the vulnerability to TechCrunch.
- **Response (By Operators/Host):** Following the reporting, the apps stopped working, the websites disappeared, and the associated Amazon-hosted cloud storage was deleted. Whether the operators shut down voluntarily or were taken down is not stated.
## Attack Methodology
- Initial Access: Exploitation of a single security flaw shared by the three apps' common code base.
- Persistence: Stalkerware stays resident on the victim's phone and, on Android, hides under the generic name "System Service" so the victim does not notice and remove it.
- Privilege Escalation: Not detailed in the source; the apps' function requires broad access to messages, call logs, media, and location on the device.
- Defense Evasion: The app is hidden from the device's home screen, so the victim has no obvious sign that it is installed.
- Credential Access: Not a factor; the flaw exposed stored data directly rather than requiring stolen credentials.
- Discovery: Not detailed beyond the researcher identifying one flaw common to all three near-identical apps.
- Lateral Movement: N/A (the flaw gave direct access to the services' central data stores rather than a foothold to pivot from).
- Collection: Messages, photos, call logs, and real-time location data harvested from targeted phones.
- Exfiltration: The researcher scraped 3.2 million sign-up email addresses through the flaw before the services went offline.
- Impact: Large-scale privacy violation for the people monitored and exposure of the customers who bought the spying services.
## Impact Assessment
- Financial: Not stated; the shutdown ends the operators' revenue, and the exposure of both victims and customers creates legal risk.
- Data Breach: Exposure of victims' communications, location history, and media, plus 3.2 million customer email addresses.
- Operational: Complete cessation of service for Cocospy, Spyic, and Spyzie.
- Reputational: Severe; the operations were shuttered, an outcome that has followed other stalkerware breaches.
## Indicators of Compromise
- **Network indicators:** None published; the services' domains and cloud storage were already offline when the shutdown was reported.
- **File indicators:** On Android the app is installed under the generic name **"System Service"** and is absent from the home screen.
- **Behavioral indicators:** Silent capture of SMS, location, photos, and call logs from the device.
## Response Actions
- **Containment (by Researcher/Platform):** The researcher notified TechCrunch, which disclosed the flaw publicly.
- **Eradication (by Host/Operators):** The Amazon-hosted cloud storage was deleted, the websites disappeared, and the apps stopped working.
- **Recovery (by Victims):** Victims were advised to dial `✱✱001✱✱` on the Android phone keypad and press call, which reveals the hidden app on screen so it can be deleted. Removing the app may alert whoever installed it, so a safety plan should come before removal.
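As an added example, not part of the original report or of the TechCrunch coverage, here is a triage script a responder with USB debugging access could run against a captured `adb shell dumpsys package` dump to find apps matching the file and behavioral indicators above: a sideloaded package requesting the SMS, call-log, location, media and microphone permissions stalkerware needs, optionally styled like a system component. The sample dump is constructed to mimic the dumpsys layout; the `HIGH_RISK` set and the sideload heuristic are the example's own choices, and the `installerPackageName` field is assumed to appear as it does on current Android builds.

```python
"""Flag Android packages matching the stalkerware indicators in this report.

Added example, not code from the original report, TechCrunch, or the researcher.
Assumes the text of `adb shell dumpsys package` has been saved to a file; the
sample below is CONSTRUCTED to mimic that layout and is not a real device dump.
"""
import re
from typing import Dict, List

# Permissions that, requested together by one sideloaded app, match the
# behavioural indicators in the report (SMS, call logs, location, media, audio).
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Installer values taken to mean "not from an app store" (assumption: these are
# what dumpsys shows for manual APK installs).
SIDELOAD_INSTALLERS = {"null", "com.android.packageinstaller",
                       "com.google.android.packageinstaller"}

PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
PERM = re.compile(r"android\.permission\.[A-Z_]+")
INSTALLER = re.compile(r"installerPackageName=(\S+)")


def parse_packages(dump: str) -> Dict[str, dict]:
    """Split a dumpsys package dump into {package: {"perms", "installer"}}."""
    pkgs: Dict[str, dict] = {}
    headers = list(PKG_HEADER.finditer(dump))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dump)
        block = dump[m.end():end]          # everything up to the next package
        inst = INSTALLER.search(block)
        pkgs[m.group(1)] = {
            "perms": set(PERM.findall(block)),
            "installer": inst.group(1) if inst else "null",
        }
    return pkgs


def is_platform(name: str) -> bool:
    """True for packages that legitimately carry system-style names."""
    return name == "android" or name.startswith(("com.android.", "com.google.android."))


def triage(dump: str, min_risky: int = 3) -> List[dict]:
    """Return sideloaded packages requesting >= min_risky high-risk permissions."""
    findings = []
    for name, info in parse_packages(dump).items():
        risky = sorted(info["perms"] & HIGH_RISK)
        sideloaded = info["installer"] in SIDELOAD_INSTALLERS
        # Weak extra signal: a non-platform package styled like a system
        # component, echoing the "System Service" disguise in the report.
        masquerading = not is_platform(name) and re.search(r"sys|service", name) is not None
        if sideloaded and len(risky) >= min_risky:
            findings.append({
                "package": name,
                "installer": info["installer"],
                "risky_permissions": risky,
                "masquerading": masquerading,
            })
    return findings


# Constructed sample: one store-installed messenger (legitimately uses SMS),
# one sideloaded app with a system-sounding name and the full stalkerware
# permission set, and one harmless sideloaded game.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10105
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
  Package [com.sys.service] (4d5e6f):
    userId=10142
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.RECORD_AUDIO
      android.permission.RECEIVE_BOOT_COMPLETED
  Package [com.example.puzzle] (7a8b9c):
    userId=10150
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_DUMP):
        print(hit["package"], "installer=" + hit["installer"],
              "masquerading=%s" % hit["masquerading"])
        for perm in hit["risky_permissions"]:
            print("   ", perm)
```

Capture the dump with `adb shell dumpsys package > dump.txt` and pass its text to `triage()`. The store-installed messenger is not flagged even though it requests SMS permissions, because the installer check carries the weight; the sideloaded `com.sys.service` is. This complements the `✱✱001✱✱` keypad check rather than replacing it: a hit means a hidden, sideloaded app requesting the permission combination stalkerware needs, not proof of which product it is, and the same safety-plan caveat applies before removing anything.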
## Lessons Learned
- Shoddy coding and poor security practices are endemic in the consumer-grade phone surveillance ("stalkerware") market.
- Public disclosure of a flaw can end a business that depends on secrecy and non-detection almost immediately.
- The services depended on Amazon-hosted cloud storage for the data they collected; once that storage was deleted the apps could not function, so a single hosting dependency was enough to take the whole operation offline.
## Recommendations
- Users should check Android devices for the hidden app by dialing `✱✱001✱✱` and pressing call, then delete any application named "System Service" that appears; removal may alert the person who installed it, so plan for that first.
- Users who suspect they are being monitored should contact the National Domestic Violence Hotline for support.
- Stalkerware providers have repeatedly failed to secure stored data, with 25+ such operations breached since 2017; anyone whose data may be held by one, as customer or target, should assume it can be exposed.