LetMeSpy, an Android application with thousands of customers that lets users spy on other smartphones, has been compromised and sensitive user data stolen, the app’s manufacturer has confirmed.
An announcement published on the app’s website said that a “security incident” occurred in late June 2023, in which an unauthorized third party accessed the data of “website users”.
“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the announcement added.
The message hoard collected by the hacker seems to be quite extensive. After reviewing sample data, TechCrunch noted that at least 13,000 devices have had data taken, including “years of victims’ call logs and text messages” dating back to 2013. More than 13,000 location data points, for thousands of victims, were stolen as well. This data suggests most victims live in the US, India, and Western Africa. The app’s master database was taken too; it holds data on some 26,000 customers who used the app for free, as well as the email addresses of those who paid for the subscription.
But that’s not all. When the researchers who first discovered the breach, a Polish security research blog called Niebezpiecznik, reached out to the app’s manufacturer for comment, the reply came from the attackers. Apparently, they had taken over the app maker’s domain. Indeed, the app’s website has a counter for the number of users, text messages, call logs, and locations being tracked, and all of these now show zeroes. The majority of the site also seems to be broken and non-functioning. Earlier this year, the site said it was tracking more than 236,000 devices, TechCrunch reported.
The hacker allegedly told the researchers that they deleted LetMeSpy’s databases from the servers, before leaking them online.
LetMeSpy confirmed that the breach was reported to local law enforcement and the data protection authority, but it is unclear if the app can, and will, reach out to affected customers privately.
Analysis: Why does it matter?
While spy app manufacturers advertise their products as a security measure (for example, for parents to keep track of their children), they are mostly used by spouses interested in controlling or spying on their partners, or for similar goals. As such, the apps are installed on victim devices without their knowledge and consent, which is why these apps are deemed illegal in some parts of the world.
LetMeSpy, for example, works by uploading all text messages, call logs, and location data, to the servers, without notifying the device owner. The data is then shared with the person who installed the app, on a different device. That makes the apps an ideal gateway for hackers looking to steal sensitive data, especially when they’re poorly executed and buggy (which, according to TechCrunch, is often the case).
The stolen data can be leveraged in a number of ways: the attackers can try and extort the victims for money, or they could sell the information on the black market for profit. They can also use the data in an identity theft attack, or wire fraud.
Furthermore, the threat of stalkerware has increased more than threefold over the past three years, recent figures from Avast showed. The company’s Threat Researchers department, part of the Coalition Against Stalkerware, revealed that, based on its telemetry, the likelihood of encountering this form of mobile malware has increased 329% since 2020.
The best way to make sure your devices aren’t sporting any stalkerware is to go through all of the apps installed on the device and make sure they all work as intended. If the phone suddenly drops in performance, or starts crashing and freezing for no apparent reason, there could be a stalkerware app hiding somewhere. Also, Avast says that if suddenly you have a new browser homepage, new icons on your desktop, or a different default search engine, it might be a good time to scan the phone.
What have others said about the data breach?
Users on Reddit were quick to point out the irony in the fact that a data-stealing app has had its data stolen. “Define irony,” one user stated, while another added: “I'm shocked, shocked I tell you! Next thing you know, we'll find out that Facebook isn't respecting our privacy either.”
“I'm happy to see there's a deterrent to more people creating these apps,” another added.
Among other publications, TechCrunch said spyware apps are “notoriously buggy and known for rudimentary security mistakes”, while SiliconAngle cited Ray Kelly, a fellow at Synopsys Software Integrity Group, who said mobile apps should be tested for unencrypted credentials and the leakage of personally identifiable information.
“Mobile app vendors must also test back-end systems, such as open storage buckets or application programming interface nonvalidated inputs that could lead malicious actors to carry out SQL Injection attacks and potentially steal an entire database,” Kelly added.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.