According to TechCrunch, a stalkerware manufacturer with a track record of several data breaches and leaks has discovered a serious security flaw that enables anyone to take control of any user account and steal the private information of its victims.
The flaw, discovered by independent security researcher Swarang Wade, enables anyone to reset the password of any user of TheTruthSpy and its several companion Android spying apps, so gaining access to any account on the platform. Because of the nature of TheTruthSpy, it is probable that a large number of its clients use it without the targets’ knowledge or agreement, not realizing that their phone information is being transferred to another party.
This fundamental weakness demonstrates once more that consumer spyware producers like TheTruthSpy and its numerous rivals are unfit to handle anyone’s personal information. These surveillance applications have poor security procedures that reveal the personal information of both victims and offenders, in addition to making unlawful spying easier, frequently by violent romantic partners.
At least 26 spyware operations have leaked, exposed, or somehow spilled data in recent years, according to TechCrunch. As far as we can tell, this is TheTruthSpy’s fourth security breach.
TechCrunch gave the researcher the usernames of other test accounts in order to validate the vulnerability. The passwords on the accounts were promptly reset by the researcher. Wade tried to get in touch with TheTruthSpy’s owner to let him know about the error, but he never heard back.
Van (Vardy) Thieu, the director of the spyware operation, told TechCrunch that he was unable to repair the flaw since the source code was “lost.”
The vulnerability is still present as of this writing, and it poses a serious risk to the thousands of users whose phones are thought to have been inadvertently penetrated by TheTruthSpy’s malware.
In order to prevent aiding hostile actors, we are not providing a more detailed description of the vulnerability due to the risk to the broader public.
A Brief History Of TheTruthSpy’s Many Security Flaws
TheTruthSpy is a well-known spyware company with nearly ten years of history. The spyware network was once one of the biggest online phone surveillance networks.
TheTruthSpy is created by 1Byte Software, a spyware company based in Vietnam and directed by Thieu. A number of almost identical Android spying apps with various branding, such as Copy9 and the now-defunct brands iSpyoo, MxSpy, and others, are similar to TheTruthSpy. The back-end dashboards used by TheTruthSpy’s clients to view their victims’ stolen phone data are also shared by the spyware applications.
Customers and victims of any branded or whitelabeled spyware program that depends on TheTruthSpy’s core code are therefore also impacted by the security flaws in TheTruthSpy.
In 2021, TechCrunch conducted an investigation into the stalkerware sector and discovered that TheTruthSpy had a security flaw that was making its 400,000 victims’ personal information publicly available online. The victims’ most private information, such as their phone records, private messages, pictures, and past location information, was among the material that was made public.
Later, a cache of files from TheTruthSpy’s servers was sent to TechCrunch, revealing the inner workings of the spyware business. A list of all Android devices infiltrated by TheTruthSpy or one of its companion apps was also included in the files. Although there was not enough information on the list of devices to identify each victim by name, TechCrunch was able to create a spyware lookup tool that would enable any potential victim to see if their phone was on the list.
TheTruthSpy relied on a vast money-laundering scheme that used forged documents and false identities to get around restrictions placed on spyware operations by credit card processors, according to our subsequent reporting, which was based on hundreds of documents that were leaked from 1Byte’s servers and sent to TechCrunch. Through the plan, TheTruthSpy was able to transfer millions of dollars in illegal consumer payments into bank accounts under its operators’ control all around the world.
TheTruthSpy, still exposing data, rebrands to PhoneParental
As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.
In addition to continuing to facilitate spying, Thieu is still active in the creation of phone-monitoring software.
The operation still uses a software stack created by Thieu called the JFramework (formerly known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to share data back to its servers, according to a recent analysis of the company’s current web-facing infrastructure using public internet records.
Thieu stated in an email that he was starting over with the apps, including a brand-new phone-monitoring program named MyPhones.app. MyPhones.app depends on the JFramework for its back-end functions, which is the same system that TheTruthSpy uses, according to a network analysis test conducted by TechCrunch.
An explanation of how to detect and get rid of stalkerware from your phone can be found on TechCrunch.
Like other stalkerware operators, TheTruthSpy continues to pose a threat to victims whose phones have been infiltrated by its apps. This is due to the fact that these operations consistently demonstrate their inability to protect their victims’ data, in addition to the extremely sensitive information they take.
Leave feedback about this