February 13, 2024 By Pieter Arntz
In 2022, we published an article about how photographs of children taken by a stalkerware-type app were found exposed on the internet because of poor cybersecurity practices by the app vendor.
The stalkerware-type app involved, TheTruthSpy, has shown once again that the way in which it handles captured data shows no respect to its customers. And even less for the victims it’s monitoring.
TheTruthSpy markets itself as a tool that can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids. But it can just as easily be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in their divorce proceedings.
Stalkerware-type applications like TheTruthSpy typically get installed secretly, by a person with access to the victim’s phone. For that reason, by design, the apps stay hidden from the device owner, while giving the attacker complete access.
Boasting “more than 15 spying features,” it can track a target’s location; reveal their browser history; record their calls; read their SMS messages; spy on their WhatsApp, Facebook, SnapChat and Viber messages; log what they type; and record what they say.
That alone is bad enough, but the app seems to have a persistent problem with security. In 2022, tech publication TechCrunch discovered that TheTruthSpy and other spyware apps share a common Insecure Direct Object Reference (IDOR) vulnerability, CVE-2022-0732. The publications described the bug as “extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device.”
The bug was never fixed, and yesterday, stalkerware researcher maia arson crimew, revealed that it was stumbled upon again by two different hacking groups.
When members of the two hacking groups looked into TruthSpy last december while searching for stalkerware to hack, they independently stumbled upon the same IDOR vulnerability
The good news is that both groups, SiegedSec and ByteMeCrew, said in a Telegram post that they are not publicly releasing the breached data, given its highly sensitive nature. They provided enough data to enable TechCrunch to verify that it is authentic though, by matching IMEI numbers (numbers that uniquely identify phones) and advertising IDs against a list of previous known-to-be compromised devices.
Which means that by installing TheTruthSpy—and a whole fleet of clone apps including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy—you are not just spying on someone, you are also potentially exposing their data for anyone to find.
The data reportedly shows that TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.
