Full Report
A bug in the Android and iPhone monitoring operations allows anyone to access private data exfiltrated from a victim's device. © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Vulnerability: Data Exposure in Cocospy and Spyic Phone Monitoring Applications
## CVE Details
- CVE ID: Not specified in the source material.
- CVSS Score: Not specified in the source material.
- CWE: Likely related to Insecure Direct Object Reference (IDOR) or general insecure API design, allowing unauthorized data access.
## Affected Systems
- Products: Cocospy and Spyic (Mobile monitoring/stalkerware apps sharing source code).
- Versions: All versions for which the described access mechanism works (no specific version is indicated; the flaw lies in the vendor's servers/backend infrastructure rather than in the installed app).
- Configurations: Any environment where data exfiltrated from compromised devices is stored on the vendor's servers and accessible via the flawed mechanism.
## Vulnerability Description
A significant security flaw exists in the backend infrastructure of the mobile monitoring applications Cocospy and Spyic. The bug allows any unauthenticated individual to access sensitive personal data exfiltrated from victim devices, including messages, photos, and call logs. Furthermore, the vulnerability exposes, on the vendor's servers, the email addresses of the customers who purchased and installed these monitoring apps to spy on others.
## Exploitation
- Status: Exploited in the wild (a researcher successfully collected over 2.65 million registered user email addresses).
- Complexity: Low (described as "relatively simple to exploit").
- Attack Vector: Network (the remote servers holding the exfiltrated data are reachable directly).
## Impact
- Confidentiality: High (exposure of victim device data and customer PII/email addresses).
- Integrity: Unknown (no data tampering is mentioned, but unauthorized access occurred).
- Availability: Low (the vulnerability primarily exposed data; service availability was not affected).
## Remediation
### Patches
- No official patches or fixes were released at the time of the article's publishing.
### Workarounds
- Users concerned about data exposure should cease using these applications immediately.
- For victims whose devices may be compromised:
  - **Android:** Enable Google Play Protect. Attempt to reveal the hidden application by dialing `✱✱001✱✱` and pressing the call button (this is a built-in feature that lets the app's customer open it, and it can also reveal the app's presence to the victim). Check the installed apps list under Android Settings.
  - **iPhone/iPad:** Ensure a long, unique Apple ID password is in use, enable Two-Factor Authentication (2FA), and review the devices logged into the Apple account, removing any unfamiliar ones.
## Detection
- **Indicators of Compromise:** Victims should be suspicious of excessive battery drain or unusual network activity on their devices.
- **Detection Methods and Tools:**
  - On Android, dial `✱✱001✱✱` and press the call button to attempt to reveal the hidden "System Service" app installed by Cocospy/Spyic.
  - Review the list of installed applications via the Android Settings menu.
  - Check the Apple ID device list for unfamiliar entries.
- Victims whose emails were exposed may find them listed in the sensitive breach data on Have I Been Pwned, searchable only by the affected email address owner.
## References
- Vendor advisories: None available at the time of reporting.
- Relevant links (defanged):
  - Coalition Against Stalkerware resources: hXXps://stopstalkerware.org/
  - General Android spyware removal guide: hXXps://techcrunch.com/2022/02/22/remove-android-spyware/
  - Have I Been Pwned FAQ regarding sensitive breaches: hXXps://haveibeenpwned.com/FAQs#SensitiveBreach