
    A new security flaw in TheTruthSpy phone spyware is putting victims at risk

    By Nancy G. Montemayor | August 25, 2025


    A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed.

    Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else. 

    This basic flaw shows, once again, that makers of consumer spyware such as TheTruthSpy — and its many competitors — cannot be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators. 

    To date, TechCrunch has counted at least 26 spyware operations that’ve leaked, exposed, or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.

    TechCrunch verified the vulnerability by providing the researcher with the usernames of several test accounts. The researcher quickly changed the passwords on the accounts. Wade attempted to contact the owner of TheTruthSpy to alert him to the flaw, but he did not receive any response.

    When contacted by TechCrunch, the spyware operation’s director Van (Vardy) Thieu said he “lost” the source code and cannot fix the bug.

    As of publication, the vulnerability still exists and presents a significant risk to the thousands of people whose phones are believed to be unknowingly compromised by TheTruthSpy’s spyware. 

    Given the risk to the general public, we’re not describing the vulnerability in more detail so as to not aid malicious actors. 

    A brief history of TheTruthSpy’s many security flaws

    TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the web. 

    TheTruthSpy is developed by 1Byte Software, a Vietnam-based spyware maker run by Thieu, its director. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9, and since-defunct brands iSpyoo, MxSpy, and others. The spyware apps share the same back-end dashboards that TheTruthSpy’s customers use to access their victims’ stolen phone data.

    As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or whitelabeled spyware app that relies on TheTruthSpy’s underlying code.

    As part of an investigation into the stalkerware industry in 2021, TechCrunch found that TheTruthSpy had a security bug that was exposing the private data of its 400,000 victims to anyone on the internet. The exposed data included the victims’ most personal information, including their private messages, photos, call logs, and their historical location data.

    TechCrunch later received a cache of files from TheTruthSpy’s servers, exposing the inner workings of the spyware operation. The files also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. While the list of devices did not contain enough information to personally identify each victim, it allowed TechCrunch to build a spyware lookup tool for any potential victim to check whether their phone was found in the list.

    Our subsequent reporting, based on hundreds of leaked documents from 1Byte’s servers sent to TechCrunch, revealed that TheTruthSpy relied on a massive money-laundering operation that used forged documents and false identities to skirt restrictions put in place by credit card processors on spyware operations. The scheme allowed TheTruthSpy to funnel millions of dollars of illicit customer payments into bank accounts around the world controlled by its operators.

    In late 2023, TheTruthSpy had another data breach, exposing the private data on another 50,000 new victims. TechCrunch was sent a copy of this data, and we added the updated records to our lookup tool. 

    TheTruthSpy, still exposing data, rebrands to PhoneParental

    As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.

    Thieu continues to be involved in the development of phone monitoring software, as well as the ongoing facilitation of surveillance.

    According to a recent analysis of TheTruthSpy’s current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed by Thieu called the JFramework (previously known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to share data back to its servers.

    In an email, Thieu said he was rebuilding the apps from scratch, including a new phone monitoring app called MyPhones.app. A network analysis test performed by TechCrunch shows MyPhones.app relies on the JFramework for its back-end operations, the same system used by TheTruthSpy.

    TechCrunch has an explainer on how to identify and remove stalkerware from your phone. 

    TheTruthSpy, much like other stalkerware operators, remains a threat to the victims whose phones are compromised by its apps, not just because of the highly sensitive data that they steal, but because these operations continually prove that they cannot keep their victims’ data safe.

    —

    If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.


