TechCrunch has published a tool that lets Android users check whether their devices contain stalkerware from TheTruthSpy. The data comes from TheTruthSpy servers and includes IMEI numbers of hundreds of thousands of Android users.
In early June, TechCrunch obtained cache files from TheTruthSpy servers containing lists of IMEI numbers and advertising IDs of Android devices that still contained stalkerware apps from TheTruthSpy in April. TheTruthSpy is a company that made headlines earlier this year, via TechCrunch, for selling commercially available software that can spy on smartphone and desktop computer users. The software also contained a vulnerability that allowed user information on the servers to be obtained without authentication. The website’s editors then discovered that the company’s stalkerware apps had affected at least 400,000 Android users.
The stalkerware can record GPS location, photos, web history, email and chat messages, and keystrokes, among other things. TheTruthSpy released a stalkerware app under its own name, as well as under other names such as Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, GuestSpy, and FoneTracker. According to TechCrunch, these apps all communicate with the same servers, and the cache files from those servers are now in TechCrunch’s hands.
TechCrunch advises interested parties not to use the tool on the potentially infected device; the check must be carried out from another device. Users enter the device’s IMEI number or advertising ID into the online tool, which then checks whether that number appears in the cache files from TheTruthSpy’s servers.
If the tool indicates that an Android device is infected, the stalkerware app can be removed, according to TechCrunch, by enabling Google Play Protect, checking the accessibility settings for unknown services, and then uninstalling them. TechCrunch also states that device admin apps on Android should be checked and removed if necessary. Users should also check their Android app list for apps they don’t recognize.
TheTruthSpy stalkerware apps are usually installed stealthily on victims’ devices. The apps also contain an insecure direct object reference vulnerability, or IDOR for short, which allows hackers to retrieve personal information of affected individuals from the servers without authentication. The vulnerability is tracked as CVE-2022-0732.