.png){kind=logo}
A critical security flaw in two popular phone monitoring apps, Cocospy and Spyic, has exposed the personal data of millions of unsuspecting users, according to a security researcher who discovered the bug. The breach grants unfettered access to a treasure trove of sensitive information, including messages, photos, call logs, and more, exfiltrated from devices compromised by the apps. Even worse, the bug also reveals the email addresses of those who purchased the stalkerware with the intent of secretly monitoring others.
Cocospy and Spyic, marketed as parental control or employee monitoring tools, function much like spyware. They operate stealthily in the background of a target device, continuously uploading data to a dashboard accessible only to the person who installed the app. Unaware of the hidden surveillance, most victims are completely in the dark about the compromise.
The security researcher who unearthed the bug described it as relatively simple to exploit. Out of concern for further harm, TechCrunch is withholding specific details to prevent malicious actors from capitalizing on the flaw. The researcher confirmed that the exploit allows access to the email addresses of those who signed up for the monitoring services. A staggering 1.81 million Cocospy customer emails and 880,167 Spyic customer emails were collected by the researcher.
These email addresses were then provided to Troy Hunt, the creator of the data breach notification service Have I Been Pwned. After removing duplicates, Hunt uploaded 2.65 million unique email addresses to the platform. As with previous spyware-related breaches, this data is marked as "sensitive," meaning only affected individuals can search to see if their information is included.
This incident marks yet another security failure in the world of surveillance products. Cocospy and Spyic join a growing list of at least 23 known surveillance operations since 2017 that have suffered hacks, breaches, or exposures of highly sensitive customer and victim data. This recurring pattern highlights the inherent risks associated with such invasive technologies.
Often referred to as stalkerware or spouseware, these apps are frequently used for illegal and unethical purposes, such as spying on romantic partners without their knowledge or consent. While marketed for legitimate uses, the reality is that many customers employ them for illicit activities.
Stalkerware apps are typically banned from mainstream app stores and must be downloaded directly from the provider's website. Installation often requires physical access to the target device and knowledge of the passcode. On iPhones and iPads, stalkerware can exploit iCloud access using stolen Apple credentials.
While the identities of those behind Cocospy and Spyic remain shrouded in secrecy, researchers have uncovered potential links to 711.icu, a now-defunct China-based mobile app developer, in 2022. Analysis of the apps revealed Chinese language snippets in server responses, further suggesting a connection to China.
While the exposed email addresses can help those who planted the apps determine if their information was compromised, it doesn't identify the victims. However, individuals can take steps to check their own devices.
Cocospy and Spyic often require users to weaken their Android security settings for installation. While they attempt to disguise themselves as a generic “System Service” app, they can be detected. Dialing ✱✱001✱✱ on an Android phone and pressing "call" might reveal the app if it’s installed. Users can also manually check their installed apps in the Android Settings menu.
Some apps offer a comprehensive Android spyware removal guide to help identify and eliminate common stalkerware. Enabling Google Play Protect can also provide an additional layer of defense against malicious apps. iPhone users should ensure strong, unique passwords for their Apple accounts, enable two-factor authentication, and review connected devices.
The Cocospy and Spyic breach serves as a stark reminder of the pervasive dangers of stalkerware and the vulnerability it creates for millions. The ease with which this security flaw was exploited underscores the urgent need for stronger security practices within the surveillance software industry. As technology advances, so too must our vigilance in protecting personal data from those who would misuse it. This incident highlights the ethical and legal minefield surrounding these types of apps and the potential for abuse they create. It's a call to action for increased awareness and proactive measures to safeguard privacy in an increasingly interconnected world.
