Mobile location

Victim records deleted after spyware vendor compromised

Anonymous hackers have breached the servers of spyware app “WebDetetive, accessing the user database.

However, this doesn’t appear to be a typical compromise along the lines of stealing the data, according to Tech Crunch. Instead, it’s part of a slow move toward “spying” apps being attacked and taken down by compromise-literate folks who don’t approve of the apps business practices.

Spyware apps are installed on a potential victim’s phone without permission and lurk invisibly, collecting data and sending it back to the app operator. They’re often marketed at employers or parents, but are also used by abusive partners or ex-partners, and can be a nightmare scenario for those affected.

The hackers responsible for this attack claim to have broken into the server via “several security vulnerabilities” which allowed them to initially gain a foothold. From there they went on to exploit additional flaws in the app developer’s web dashboard, downloading all records including customer email addresses.

To be clear here, “customer” would mean the people who have decided to sign up and make use of the tool, not the victims. Indeed, TechCrunch notes that the 1.5GB cache of data related to this heist contains customer IP addresses and purchase history alongside all devices compromised by a customer, their phone model, and the data type collected.

The victims’ records had another fate in store. Namely, deletion from the network, which means the compromised mobiles can no longer upload data to the WebDetetive network. The cache of WebDetetive customer data does not include any data swiped from phones via WebDetetive.

In terms of numbers, roughly 76k devices were compromised at the time the breach happened, with somewhere in the region of 74k customer emails showing in the cache. While the breach cannot currently be independently verified, TechCrunch says it has already verified the authenticity of the stolen data.

Additionally, further investigation suggests the elusive WebDetetive may allegedly have some ties to a similar spying app allied Ownspy. TechCrunch claims WebDetetive to be a “largely repackaged” copy of OwnSpy’s software. Perhaps more tellingly, WebDetetive’s user agent refers to itself as OwnSpy while uploading dummy data to WebDetetive.

If you’re unfamiliar with the term, a user agent is how a program tries to identify itself online. If I use Chrome as a browser, then when I visit a website, it will see my Chrome user agent. If the website is mobile only, it may redirect me or refuse entry if I’m not running an identifiable mobile browser.

This isn’t the only recent attack on a mobile spying application, nor the only attack generally. A few weeks back we covered a similar incident involving a server breach attack on an app called LetMeSpy. The story largely played out the same as the above. Unknown attackers breached the server, and the company behind the app shut down a little while after.

On the surface it may sound great that someone is taking the spyware authors to task, but there is a big note of caution here. A sudden deletion or breakage of an app could have serious consequences for the person being monitored. The person who put the spyware there in the first place may assume tampering by their target which could place them in additional danger. These situations must be handled carefully, and perhaps mass deletions don’t qualify.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.