Stalkerware Developer Found Leaking Sensitive Data From Thousands Of The Software's Victims
from the it-all-starts-with-not-giving-a-fuck-about-anyone dept
Oh, if only this were more of a surprise. Another vendor selling sketchy spyware has been discovered to be careless with its handling of all the sensitive communications and data it pulls from victims’ cell phones. (via Databreaches.net)
The company doing all the leaking is ClevGuard, which I guess is short for “clever.” It apparently isn’t. Its phone-snooping app, KidsGuard, is supposed to allow parents to monitor their children’s cell phone usage. Obviously, there are other applications for it, like monitoring the activity of spouses, ex-spouses, girlfriends/boyfriends of the current and ex- variety, employees, dissidents, journalists… just about anyone someone else wants to spy on.
The name isn’t deliberately misleading, but the app disguises itself as a system update app, allowing it to hide in plain sight, untroubled by surveillance targets. The company even advertises the app’s flexibility as going beyond monitoring kids to spying on other adults.
TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.
Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.
Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.
The app — in its full paid form — is pervasive. In addition to hoovering up contacts, photos, SMS message content, and location data, it provides a wealth of information about conversations occurring in WhatsApp, Viber, and Facebook Messenger. It also compromises more secure services like Snapchat and Signal by taking snapshots of conversations and relaying them to the company’s servers.
The company has since shut down access to the leaky Alibaba cloud storage bucket, but the damage may already have been done. And it’s just more evidence that companies selling malicious stalkerware care very little about the security of their customers… and even less about the security of their software’s victims.