Since 2016, the Android spyware app developed in Iran has compromised 60,000 devices.
A phone surveillance app called Spyhide has been quietly collecting private phone data from tens of thousands of Android devices around the world, new data shows.
Spyhide is a widely used stalkerware (also known as spouseware) app that is planted on a victim's phone, often by someone who knows their passcode. The app is designed to stay hidden from the victim's home screen, which makes it difficult to detect and remove. Once installed, Spyhide silently and continuously uploads the phone's contacts, messages, photos, call logs, recordings, and real-time, granular location.
Despite their stealthy nature and extensive access to a victim's phone data, stalkerware apps are notorious for being buggy and prone to spills, leaks, or other means of exposing the victims' stolen private data, highlighting the risks posed by phone surveillance apps.
Spyhide is the latest addition to the growing list of spyware operations.
A hacker based in Switzerland, known as maia arson crimew, revealed in a blog post that the spyware maker had inadvertently exposed part of its development environment, granting access to the source code of the web-based dashboard that abusers use to view their victims' stolen phone data. By exploiting a vulnerability in the poorly coded dashboard, crimew gained access to the back-end databases, exposing the inner workings of the secretive spyware operation and its suspected administrators.
For verification and analysis, crimew provided TechCrunch with a copy of Spyhide's text-only database.
Years' worth of pilfered phone data
Spyhide's database housed comprehensive records of approximately 60,000 compromised Android devices, spanning from 2016 to the date of exfiltration in mid-July. These records encompassed call logs, text messages, and detailed location history dating back years. Additionally, the database contained information about each file, including timestamps for when photos or videos were taken and uploaded, as well as details about recorded calls, such as their duration.
TechCrunch fed nearly two million location data points into offline geospatial and mapping software, which allowed us to visualize and understand the global reach of the Spyhide spyware.
Our analysis revealed that Spyhide's surveillance network spans across every continent, with clusters of thousands of victims particularly prevalent in Europe and Brazil. The United States has over 3,100 compromised devices, which is a fraction of the total number of victims worldwide. However, these U.S. victims stand out as some of the most heavily surveilled on the network based on the sheer quantity of location data alone. For instance, one U.S. device compromised by Spyhide discreetly uploaded more than 100,000 location data points.
Spyhide's database also included information on 750,000 users who registered with Spyhide with the intention of installing the spyware app on a victim's device.
However, despite the large number of registered users, the records indicate that a significant portion of them never went on to compromise a phone or purchase the spyware, suggesting that while interest in surveillance apps is substantial, only a fraction of registrants act on it.
Most of the compromised Android devices were under the control of a single user, but our analysis found that more than 4,000 users controlled multiple compromised devices, and a smaller number of accounts controlled dozens.
The data also consisted of 3.29 million text messages containing highly sensitive information, such as two-factor authentication codes and password reset links. It further included over 1.2 million call logs, providing details of the receiver's phone number and the duration of the calls, along with approximately 312,000 call recording files. Additionally, the data contained over 925,000 contact lists, which included names and phone numbers, along with records for 382,000 photos and images. Furthermore, the data contained information on nearly 6,000 ambient recordings stealthily recorded from the victim's phone microphone.
Made in Iran, hosted in Germany
Spyhide's website provides no information about the individuals behind the operation or its country of origin. It is common for spyware administrators to hide their identities due to the legal and reputational risks associated with selling spyware and facilitating surveillance.
Despite their efforts to conceal the administrator's involvement, the source code revealed the names of two Iranian developers who profit from the operation. One of the developers, Mostafa M., is listed on LinkedIn as currently based in Dubai but had previously lived in the same northeastern Iranian city as the other Spyhide developer, Mohammad A., as per registration records linked to Spyhide's domains.
The developers did not respond to multiple emails requesting comment.
Stalkerware applications like Spyhide, which explicitly promote and encourage secretive spousal surveillance, are prohibited from Google's app store. Consequently, users must download the spyware app directly from Spyhide's website.
TechCrunch installed the spyware app on a virtual device and employed a network traffic analysis tool to examine the data flowing in and out of the device. The use of a virtual device allowed us to run the app in a protected sandbox without providing any genuine data, including our location. The traffic analysis revealed that the app was transmitting data from our virtual device to a server hosted by the German web hosting company, Hetzner.
Upon being contacted for a response, Hetzner spokesperson Christian Fitz informed TechCrunch that the web host does not permit the hosting of spyware on its servers.
What you can do
Identifying Android spyware apps can be difficult, since they are often disguised as ordinary Android apps or system processes. Spyhide disguises itself either as a Google-themed app named "Google Settings" with a cog icon or as a ringtone app called "T.Ringtone" with a musical note icon. Both request permission to access the device's data, and once those permissions are granted they immediately begin sending private data to Spyhide's servers. Being cautious about which permissions you grant to apps is crucial to protecting your privacy and data.
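One practical way to act on the two indicators above (a mimicking app label, and a cluster of granted permissions that lines up with the data Spyhide collects) is to review what each third-party package on the phone has actually been granted. The script below is an added example written for this page; it is not TechCrunch's analysis tooling and not Spyhide code. It parses the `runtime permissions:` section of `adb shell dumpsys package <pkg>` output and flags packages that either hold three or more surveillance-class permissions (the threshold is an assumed heuristic) or carry one of the disguise labels reported above without living under the `com.google.` namespace. The sample dumpsys text and the package names `com.example.ringtonehelper` and `com.example.notes` are constructed for the example; the permission names are real Android permissions. App labels are not present in dumpsys output, so they are supplied as a separate mapping, for instance copied from Settings > Apps.

```python
import re
from typing import Dict, List, Set, Tuple

# Android runtime permissions that cover the data categories the article says
# Spyhide exfiltrates: contacts, SMS, call logs, audio recordings, location.
SPYWARE_PERMISSIONS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Labels Spyhide is reported to hide behind; a real Google app would ship
# under the com.google. package namespace.
SUSPICIOUS_LABELS = {"google settings", "t.ringtone"}
GOOGLE_PREFIX = "com.google."

# Constructed sample: abridged imitation of `adb shell dumpsys package` output
# for two third-party packages. Package names are hypothetical.
SAMPLE_DUMPSYS = """
Package [com.example.ringtonehelper] (a1b2c3):
  userId=10123
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (d4e5f6):
  userId=10124
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

# Constructed label mapping (package -> label shown in Settings > Apps).
SAMPLE_LABELS = {
    "com.example.ringtonehelper": "T.Ringtone",
    "com.example.notes": "Notes",
}


def parse_granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package in dumpsys output to the runtime permissions granted to it."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = re.match(r"^Package \[([^\]]+)\]", line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        # Only granted=true lines count; denied permissions are ignored.
        perm = re.search(r"(android\.permission\.[A-Z_]+): granted=true", line)
        if perm and current:
            granted[current].add(perm.group(1))
    return granted


def flag_suspects(dumpsys_text: str, labels: Dict[str, str],
                  threshold: int = 3) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) for packages matching the stalkerware indicators."""
    findings: List[Tuple[str, List[str]]] = []
    for pkg, perms in parse_granted_permissions(dumpsys_text).items():
        reasons: List[str] = []
        hits = sorted(perms & SPYWARE_PERMISSIONS)
        if len(hits) >= threshold:
            reasons.append(
                f"{len(hits)} surveillance-class permissions granted: {', '.join(hits)}")
        label = labels.get(pkg, "").strip().lower()
        if label in SUSPICIOUS_LABELS and not pkg.startswith(GOOGLE_PREFIX):
            reasons.append(
                f"label {label!r} matches a reported Spyhide disguise but package is {pkg}")
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    # On a real device, replace SAMPLE_DUMPSYS with the concatenated output of
    # `adb shell dumpsys package <pkg>` for each package from
    # `adb shell pm list packages -3`, and fill the label mapping by hand.
    for package, why in flag_suspects(SAMPLE_DUMPSYS, SAMPLE_LABELS):
        print(package)
        for reason in why:
            print("  -", reason)
```

A legitimate messaging or navigation app can hold several of these permissions, so treat a hit as a prompt to inspect the package (who signed it, where it was installed from, whether it appears in the launcher) rather than as proof of spyware; the label check is the stronger signal because no genuine Google app ships outside its own namespace.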