Spyware App Compromised Over 60,000 Android Devices to Steal Sensitive Data

Spyware is software used as a surveillance application to collect sensitive information from a victim's device and send it to the person who installed it.

These apps hide stealthily on the victim's device, which makes them difficult to detect.

Spyhide is a widely used spyware app, typically installed by someone who wants to spy on their partner. Installing it requires physical access to the victim's device and knowledge of its passcode.

However, poorly built spyware is itself known to leak the sensitive information it collects.

Spyhide Exposed

Switzerland-based hacker maia arson crimew wrote in a blog post that the developers of Spyhide had exposed a portion of their development environment, which gave access to the source code of the web-based dashboard.

This web-based dashboard was vulnerable due to poor coding, which allowed access to its backend databases. crimew was able to access enormous amounts of sensitive data relating to victims worldwide.

Thousands of Spyhide Victims

As per reports, Spyhide's backend database held records from around 60,000 compromised devices, dating back to 2016. The database included call logs, text messages, and location history, along with photos and image metadata.

The location data was fed into offline geospatial mapping software, which revealed clusters of thousands of victims across Europe and Brazil.

Around 3,100 compromised devices were located in the United States, which, judging by the density of location data, also hosted the most heavily surveilled victims.

One compromised device alone had uploaded 100,000 location data points, all of them within the U.S. The database also held 750,000 user accounts belonging to people who intended to install the spyware on another person's device.

Location history map with provided data points (Source: Techcrunch)

Analysis of the records also showed that more than 4,000 users controlled more than one compromised device. In total, the data comprised 3.29 million text messages, 1.2 million call logs, 312,000 recording files, 925,000 contact lists, 382,000 photos and images, and 6,000 ambient recordings.

The captured text messages also contained highly sensitive data such as two-factor authentication codes and password reset links, among other things.

Iranian Developers and Hetzner (German Hosting Provider)

Most spyware administrators hide their true identity in order to avoid legal and reputational risks.

Spyhide's developers also tried to hide their involvement, but the source code pointed to the original developers, Mostafa M. and Mohammed A.

One of the developers, Mostafa M., was found to be residing in Dubai, according to his LinkedIn profile.

The other developer was identified through the registration records of Spyhide's domain. Both developers were found to have lived in the same city in northeastern Iran.

Spyware is banned from the Google Play Store, so users must download it from the software's own website. In this case, Spyhide was hosted by the German hosting provider Hetzner. However, the domain was seized after Hetzner reported the spyware hosting.

Spyware apps disguise themselves as legitimate apps such as "Google Settings" or "T.Ringtone", using a musical cog icon.

Spyware apps masquerading as legitimate apps (Source: Techcrunch)

TechCrunch also analysed the app, revealing how it transmits data along with several other details.

Users are advised to download applications only from legitimate app stores such as the Google Play Store or the App Store, and to use spyware detection tools such as Google Play Protect, which can detect spyware apps and prevent them from sending data.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.