
Spyware Apps: The Next Frontier for Data Breaches

September 13, 2018 | Blog, Data Breaches

Spyware apps—popular with suspicious spouses but ostensibly for monitoring children—have recently become a popular target for security researchers and hackers. Many companies are being targeted not to exploit the user data, but to publicize the problems and hopefully shame the companies into action. Here’s a sampling of spyware apps whose shoddy security has been exposed just within the past few months:

  • SpyHuman: Reported on July 9, 2018. A hacker showed he could easily get to the company’s data simply by changing a URL after logging into a free account on the SpyHuman website. A security researcher verified the vulnerability and said that “over 440,000,000 call details were available via the site.”
  • Spyfone: Reported on August 23, 2018. A security researcher was able to access unsecured data including “several terabytes of ‘unencrypted camera photos.’”
  • TheTruthSpy: Reported on Aug. 28, 2018. A hacker accessed the company’s servers and apparently had unfettered access to what he described as “more than 10,000” customer accounts until the company updated its servers.
  • FamilyOrbit: Reported on August 30, 2018. The hacker claims that “[t]he company left exposed 3,836 containers on Rackspace with 281 gigabytes of pictures and videos.”
  • mSpy: Reported on Sept. 4, 2018. mSpy was caught exposing the data of its users for the second time in three years. This time, a database containing millions of records was available online without any authentication, “including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months.”

Sometimes called spy or surveillance apps, these programs allow for remote monitoring of smartphone users. The general premise behind these apps is that they record and transmit data about phone usage in real time. After installing the app on the phone belonging to the user who will be monitored, the purchaser of the app (the monitor) will then be able to see how the phone is used. Depending on the particular app, the monitor may be able to see texts, photos, screenshots, websites visited, location data, and other sensitive information.

In short, these apps collect the kinds of personally identifying information that can be extremely valuable to malicious actors, and the companies that make them know, or should know, to invest in security accordingly. Instead, security appears to have been an afterthought to many spyware companies.

CaseyGerry has opened a class action investigation into FamilyOrbit and is evaluating potential claims against other spyware apps. To learn more about spyware apps and our investigation, please visit our spyware investigation page.