Numerous Android and iPhones were monitored by the Xnspy stalkerware

Tens of thousands of iPhones and Android devices, most of whose owners are unaware that their data has been compromised, have had data taken by the little-known phone surveillance program Xnspy.

Xnspy is one of many “stalkerware” apps that are sold under the pretense of helping parents watch their children’s activities but are actually marketed for spying on a spouse or domestic partner’s devices without their consent. According to its website, “Xnspy makes reporting and data extraction simple for you,” and “To uncover a cheating spouse, you need Xnspy on your side.”

Stalkerware apps, also known as spouseware, are covertly installed by someone with physical access to a person’s phone, circumventing the on-device security safeguards. They are particularly hard to spot because they are designed to stay hidden from the home screen. Once installed, these apps silently and continuously upload the contents of the phone, including call history, text messages, images, browser history, and precise location information, giving the person who planted the program access to almost all of the victim’s data.

But according to recent research, many stalkerware programs have serious security holes that expose the information that has been taken from victims’ phones. The same is true of Xnspy.

Several well-known stalkerware apps were decompiled by security researchers Vangelis Stykas and Felipe Solferini, who also examined the edges of the networks the apps send data to. Their study, presented this month at BSides London, uncovered widespread and simple security issues in a number of stalkerware families, including Xnspy, such as passwords and private keys left in the code by the developers and broken or nonexistent encryption. In some instances, the weaknesses expose the victims’ stolen data, which now sits on insecure servers controlled by someone else.

Stykas and Solferini identified the individuals behind each operation through their research, but they chose not to inform the stalkerware operators of the vulnerabilities or make the details public, out of concern that doing so might help malicious hackers and worsen the impact on victims. According to Stykas and Solferini, every vulnerability they discovered is simple to exploit and has probably existed for a long time.

By taking advantage of those simple weaknesses, others have ventured into murkier legal waters, apparently intending to expose stalkerware operations as a form of vigilantism. We were able to alert hundreds of victims whose devices had been infected thanks to a sizable cache of internal data that was taken from the servers of the TheTruthSpy stalkerware and its affiliate apps and provided to TechCrunch earlier this year.

TechCrunch has acquired additional stalkerware data caches since our investigation into TheTruthSpy, notably from Xnspy, showing their operations and the people who benefit from the snooping.

Since 2014, Xnspy has had at least 60,000 victims, with thousands of more recent compromises recorded as recently as 2022. Owners of Android devices make up the majority of victims, but Xnspy also holds data from thousands of iPhones.

Since it is simpler to install a malicious app on Android than on an iPhone, which has stricter limits on which apps can be loaded and what data they can access, many stalkerware programs are built for Android devices. Stalkerware for iPhones instead taps into the device’s backup stored in Apple’s cloud storage service iCloud rather than installing a malicious app.

Using the victim’s iCloud credentials, the stalkerware regularly downloads the device’s most recent iCloud backup from Apple’s servers without the owner’s knowledge. iCloud backups hold most of a person’s device data, which makes it possible for the stalkerware to steal messages, pictures, and other data. When two-factor authentication is enabled, it becomes far more difficult for an attacker to access a user’s online account with the password alone.

The data we have seen contains more than 10,000 distinct iCloud email addresses and passwords used to access victims’ cloud-stored data, although many of the iCloud accounts are linked to multiple devices. Of that total, the data included more than 6,600 authentication tokens, many of which had already expired but had been used to actively steal victims’ device data from Apple’s cloud. Before publication, TechCrunch gave Apple the list of compromised iCloud credentials because of the continuing risk to victims.

We were able to access unencrypted Xnspy data. It also contained details that further revealed the identities of Xnspy’s creators.

According to its LinkedIn page, Konext is a small development startup in Lahore, Pakistan, with twelve employees. On its website, the startup claims to have developed hundreds of mobile apps and games and to specialize in “bespoke software for organizations that seek all-in-one solutions.”

Konext does not publicize the fact that it created and keeps up the Xnspy stalkerware.

A list of names, email addresses, and scrambled passwords registered only to Konext developers and personnel for accessing internal Xnspy systems was among the information reviewed by TechCrunch.

The Xnspy credentials for a third-party payment processor found in the cache are linked to the email address of Konext’s lead systems architect, who is believed to be the main developer behind the spyware operation. Other Konext developers in Lahore tested the payment methods used by Xnspy and TrackMyFone, an Xnspy clone also built by Konext, using credit cards registered to their own residential addresses.

The data indicates that some of Konext’s employees are based in Cyprus.

Like other stalkerware creators, Konext makes a concerted attempt to disguise its operations and protect the names of its developers from the general public. This is likely done to avoid the legal and reputational problems associated with supporting widespread covert surveillance. However, coding errors made by Konext’s own developers further establish a connection to its role in creating stalkerware.

TechCrunch discovered that Konext’s website and the website of Serfolet, a Cyprus-based entity that Xnspy says administers refunds on behalf of its customers, are both hosted on the same dedicated server as the TrackMyFone website. The server hosts no other websites.

Seeking comment, TechCrunch emailed Konext’s lead systems architect at both his Konext and Xnspy email addresses. Instead, a person named Sal, whose Konext email address was also in the data but who declined to give their full name, replied. In a series of emails to TechCrunch, Sal declined to comment but did not dispute or deny the company’s connections to Xnspy. When asked about the number of infected devices, Sal appeared to acknowledge the company’s involvement, stating in one email that “the figures you cited don’t fit with what we have.” Sal did not elaborate when pressed for more information.

mSpy, Mobistealth, Flexispy, Family Orbit, KidsGuard, and TheTruthSpy are just a few of the many stalkerware programs that have recently been hacked or have otherwise exposed their victims’ data.

Source: TechCrunch