An Android tracking app sometimes used by parents and employers (along with more unsavory purposes) has been hacked, exposing some profile information along with private messages and call logs. The data breach may have been a form of hacktivism, as an anonymous attacker claimed credit but said that they had deleted the contents of the server and proceeded to dump a copy of the stolen database to the public almost immediately. While there is some private data involving victims in the dump, there is far more contact information for the app’s customers, including encrypted passwords in some cases.
Information from hacked tracking app dates back to 2013
The more legitimate uses that Krakow-based LetMeSpy lists are as a means for parents to monitor their children’s phones, or for employers to keep tabs on work phones. The less savory applications of the tracking app fall into the world of “spouseware” or “stalkerware,” which usually involve the subject being unaware of the software being on their phone.
The tracking app has been available for about 10 years now, and the company boasts of monitoring over 230,000 devices and logging over 100 million calls and text messages during that time. Security researchers that have pored through the dumped database believe that the data breach contains information from at least 13,000 devices that the app has been installed on, along with contact information for about 26,000 of its customers and location data points for about 13,400 people.
The data breach also appears to have taken the tracking app out of commission indefinitely. Security researchers report that it appears to have lost function and dropped all network traffic. The app’s developer has acknowledged that the data breach took place on June 21 and said that Polish law enforcement agencies and the country’s data protection authority (UODO) have been contacted.
The good news for potential victims of the tracking app is that while some 13,000 devices were involved in the data breach, many contained little to no data of concern as the app automatically deletes stored information after two months of inactivity. In the worst cases, the accounts may have had stored text messages that were leaked along with location data and records of calls made and received. It is not clear exactly how many people are impacted in this way, but a total of about 16,000 text messages are included.
Far more common in the data set are the hashed passwords, contact email addresses and telephone numbers of the app’s customers, the ones who would have installed the tracking app on someone else’s device. Users of both the free and subscription tiers were exposed by the data breach; subscriptions allow users to collect a greater amount of data on the people they are monitoring.
Data breach highlights the instability, shaky legal status of “stalkerware” apps
With most data breaches that have been publicly acknowledged by the app developer, one would expect that the known victims would be privately contacted. That seems unlikely in this case. “Stalkerware” apps exist in a legal gray area throughout most of the world, and a breach notification could actually put a victim in greater danger given how they tend to be used.
Stalkerware apps are technically illegal in many countries, including in the United States (where developers have faced federal charges and gone to prison for creating and distributing them at times). However, there are also technicalities that keep them available in those countries.
LetMeSpy is not available on the major app stores in the US, but anyone can access the website (hosted in Poland) which provides a free download and instructions on “sideloading” it. Both civil and criminal charges against these companies usually fizzle out because they are similarly based in foreign countries and take pains to hide the identities of developers and staff. And they can continue to market their services openly by focusing on the strictly legal aspects, such as selling them as child monitors for parents.
And though they pitch themselves as security tools, these tracking apps are often made in a slapdash way and have exploitable vulnerabilities. This is far from the first time one has suffered a data breach. In recent years apps such as Kidsguard, Xnspy and Flexispy have either been hacked or had server misconfigurations spill private information to the open internet.
Bala Kumar, Chief Product Officer of Jumio, notes that while these sorts of tracking apps are most frequently used by spouses or someone close to the target to spy on their movements, businesses should consider the possibility that they might also be used as espionage tools: “The nature of the LetMeSpy breach is especially concerning, largely because the information leaked involves sensitive data like phone messages and locations. With this kind of data in hand, malicious actors have new ammunition to unleash a variety of cyberattacks. Call logs can be manipulated for personalized phishing schemes and log-in credentials shared over the phone can be stolen for any number of account takeovers. Given the secrecy under which this spyware generally operates, many victims impacted in the aftermath of this breach will be unsuspecting.”
“Enterprises, in addition to individual consumers, should exercise caution as this situation continues to unfold. Business users, including both customers and employees, caught in the crosshairs of this incident may leave organizations vulnerable, underscoring the need to reevaluate existing verification and authentication measures. Businesses must ensure they are equipped to authenticate all of their users with the threat of leaked credentials looming,” advised Kumar.
Unfortunately, law enforcement is often not able to detect or remove tracking apps and the chances of getting a case of suspected stalking successfully investigated can be spotty. The best line of defense against these apps is an established anti-malware tool. A number that are available for free, such as Malwarebytes, can detect and potentially even remove rogue tracking apps.