A stalkerware-type app that boasts “the best free phone spying software on the market,” has exposed the data it snooped on from the phones it was installed in. The data exposed by TheTruthSpy included GPS locations and photos on victims’ phones, and images of children and babies.
This news, first reported by Motherboard, is the latest in a lengthening list of spyware brands breached due to their poor cybersecurity hygiene. And TheTruthSpy is hardly the first of its kind to put kids’ data at risk.
The images exposed by TheTruthSpy were available to anyone who visited a particular URL on TheTruthSpy’s website. The photos included those of a young boy looking at the camera, a baby’s soiled diaper, a pet cat, and photos of the inside of someone’s home.
TheTruthSpy can be downloaded from the Google Play and Apple App stores. According to its website, it has 15+ features, including monitoring multiple communication apps, recording ambient voice, siphoning of photos, keylogging, and managing spying activities via a control panel. Any data retrieved from the target’s device is then uploaded to TheTruthSpy’s server, where clients can log in and view all collected data.
TheTruthSpy is maintained by 1Byte, a Vietnam-based company that handles multiple stalkerware-type apps. According to a Techcrunch exposé back in February, 1Byte was found exposing data from apps it manages due to a vulnerability in the app. It appears TheTruthSpy is suffering from the same flaw.
Stalkerware is malicious in that it surreptitiously runs in the background while spying on people, usually without their knowledge.
Unlike other malware, it is also publicly available. Anyone with the means and intent can buy and use TheTruthSpy—all they need to do is download and install it onto target phones.
Not its first rodeo
This is the second time TheTruthSpy has had its data exposed. In 2018, a hacker going by the initials L.M. revealed to Motherboard his exploits in successfully infiltrating the stalkerware-type app’s servers to steal client data, and then later on losing it after it updated its servers.
“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy,” L.M. said at that time, criticizing TheTruthSpy for being untrue to its clients.