Stalkerware Apps Cocospy and Spyic Expose Personal Data of Millions of Users

• Spyware service Spyic and its sibling, Cocospy, suffered a data breach this month.
• Together, they exposed the sensitive data of over 2.65 million users, including pictures and call logs.
• An undisclosed bug allowed a security researcher to scrape the data from the apps’ servers.

A security flaw in the widely used phone-monitoring apps Cocospy and Spyic has exposed millions of users' personal data, allowing anyone to access sensitive data, including messages, photos, call logs, and even email addresses, from smartphones compromised by these apps.

Security researcher Troy Hunt revealed that 875,999 Spyic and 1,798,059 Cocospy breached accounts have been added to the data breach notification service Have I Been Pwned.

Stalkerware apps like Cocospy and Spyic are stealthily installed on victims' devices, often marketed for parental controls or employee monitoring, and commonly misused to covertly monitor personal devices. 

Once installed, these apps upload an alarming amount of personal data to a remote server, making it accessible to the person deploying the app. 

The current vulnerability, discovered by a security researcher, exploits poorly secured servers used by these apps, allowing external access to exfiltrated data. Alarmingly, the flaw is relatively simple to exploit, leaving millions of devices and users' information at risk.   

The servers used by the apps hinted at Chinese origins (China-based mobile app developer 711.icu) and were found to store data on a mix of Cloudflare and Amazon Web Services infrastructure. 

The operation is further complicated by the apps' efforts to appear as generic "System Service" apps on Android devices, making them harder for users to identify and remove.  

These incidents raise ethical and legal questions about the proliferation of such technology and its misuse for invasive surveillance.  

Stalkerware is banned from official app stores, such as Google Play and Apple's App Store, but continues to thrive through direct downloads. Installing these apps often requires physical access to the victim's device or stolen credentials for their cloud accounts.  

While some vendors claim the apps are for legal purposes like workplace monitoring, their capabilities are often abused in ways that violate privacy laws.