It's bad enough there's some Android stalkerware out there with the not-at-all-creepy moniker LetMeSpy. Now someone's got hold of the information the app collects – such as victims' text messages and call logs – as well as the email addresses of those who sought out the software, and leaked it all.
The stolen data has been circulating online for at least a few days, we're told, and the spyware's users – those who got the app to put on someone else's device – reportedly include government workers and a ton of US college students.
The Polish developer of the app said the information was swiped in a "security incident" that happened on June 21, when someone obtained "unauthorized access" to its website's databases.
Yes, we appreciate the irony of the maker of a phone-monitoring app that boasts about secretly collecting call logs, text messages, and whereabouts while remaining "invisible to the user" admitting that someone else gained unauthorized access to their information.
Simply put, people can get a paid-for or free copy of LetMeSpy, install it on someone else's Android phone – think a partner, employee, relative, etc – have the app hide itself from view, and then collect from that device copies of their messages, logs, and other data. Now that information, accessible via LetMeSpy's website, along with details of those signing up for the software, has been exfiltrated.
"As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," according to an alert on the LetMeSpy login page.
"In order to ensure security, all account-related functions of the website were disabled immediately after the incident was discovered," the notice continued. "They will be restored after the vulnerability exploited by the attackers is removed. Additional measures will also be taken to increase the level of data security."
The stalkerware slinger said it informed the cops and a data-protection watchdog about the privacy breach. LetMeSpy did not immediately respond to The Register's questions.
Speaking of stalking... The US Supreme Court today issued a ruling that will make it more difficult to convict people of online stalking.
In a 7-2 decision [PDF] on Tuesday, America's highest court threw out an earlier cyberstalking conviction of a man named Bill Counterman who sent hundreds of unsolicited Facebook messages to singer-songwriter Coles Whalen, even after she blocked him.
Counterman was delusional and believed he was in a romantic relationship with Whalen, who obtained a restraining order against Counterman and eventually stopped performing in public because she was afraid of him.
The Supremes ruled that Counterman's messages, some of which told Whalen to "die" and "fuck off permanently," did not meet the "true-threat" standard, and as such are protected speech under the First Amendment.
According to the decision, written by Justice Elena Kagan: "The State must show that the defendant consciously disregarded a substantial risk that his communications would be viewed as threatening violence."
At least one security researcher, Maia Arson Crimew, said she received a link to the stolen data, and decided to take a look for part one of her new series, #FuckStalkerware.
The purloined data included call logs, messages, geolocations, IP addresses, payment logs, user IDs, email addresses, and customer account password hashes, Crimew wrote on their blog.
Around 10,000 phones were registered for the spyware, though not all of them actually were spied upon, it appears. The app seems to only work for Android 4 to 7.
Additionally, a quick scan of email domains indicates that two Malaysian and one Jordanian government worker signed up for the spyware service, along with a Broussard police officer, and an employee from a competing stalkerware product, according to Crimew.
"After a cursory glance at the dumped database and call/message logs it however doesn't appear like any of the above users have actually really used the product in any capacity," Crimew wrote. "Another concering [sic] thing i noticed however in the list of email addresses/domains is just how many US college students appear to be using stalkerware such as this, though i guess it does fit the US college culture to be spying on partners in such a manner."
For its part, LetMeSpy bills itself as a tool for parental and employee control — or even a helpful piece of software for absent-minded Android users prone to either losing or forgetting their phones. According to its "Why LetMeSpy" info on the website:
You can read all the SMS messages and view call logs even if you do not have your phone with you! You always knows [sic] the exact location of a phone - checking locations of cell phone on the map.
It does note that "phone control without your knowledge and consent may be illegal in your country," and advises that if you use the software on someone else's phone, "always inform about privacy restrictions."
But somehow we have a hard time believing that all of its users are aboveboard. ®
Source: The Register