A TechCrunch investigation in February 2022 revealed that a fleet of consumer spyware apps, including TheTruthSpy, share a common security vulnerability that exposes the personal data of hundreds of thousands of Android users.
Our investigation has found victims in virtually every country, with large groups in the United States, Europe, Brazil, Indonesia and India. But the stealthy nature of spyware means most victims will have no idea their device has been compromised unless they know where to look on their device.
Then, in June, a source provided TechCrunch with a cache of files purged from TheTruthSpy’s internal network servers.
The cache included a list of all Android devices compromised by any of the spyware apps in TheTruthSpy’s network, including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, GuestSpy, and FoneTracker. Apart from their names, these applications are almost identical and all communicate with the same server infrastructure.
The list contains either the IMEI number or the unique advertising ID associated with each compromised device up to April 2022, when the data was presumably deleted from the spyware’s internal network. TechCrunch has verified the authenticity of the listing by matching the known IMEIs of burner and virtual devices we used as part of our investigation of the spyware network.
Using this list of compromised devices, TechCrunch has created a Spyware Finder tool to help you check if your Android device has been compromised by TheTruthSpy apps and provide resources for spyware removal from your device.
How does the spyware scanner work?
Before you begin, it’s important to have a safety plan in place. The Coalition Against Harassment Software and the National Network to End Domestic Violence offer advice and guidance to victims and survivors of stalkerware.
This is how you start with the tool.
1. First, find a device you know is safe, like a trusted friend’s phone or a computer at a public library.
2. Visit that same web page from that trusted device.
3. Enter the IMEI number or Advertising ID of the device you suspect may be compromised into the search tool. You might want to check both.
Here’s how you find them:
- An IMEI number is a 14-15 digit number that is unique to your cell phone. From your phone’s dial pad, type ✱#06# and your IMEI number (sometimes called MEID) should appear on your screen. You may need to press the call button on some phone models.
- Your device’s Advertising ID can be found in Settings > Google > Ads, although some versions of Android may differ slightly. Advertising IDs vary but are usually 16 or 32 characters long and are a mix of letters and numbers.
If you have reset or deleted your advertising ID, or if it has otherwise changed since the spyware was installed, this tool may not identify your device as compromised.
If the spyware scanner returns a “match”, it means that the device’s IMEI number or advertising ID was found in the leaked list and the corresponding device was compromised by one of TheTruthSpy’s spyware apps no later than April 2022.
If you get a “probable match”, it means that your device’s IMEI number or advertising ID matches a record in the list, but the entry may contain extraneous data, such as the name of the manufacturer of the device. This result means that the corresponding device has probably been compromised by one of TheTruthSpy’s apps, but you need to confirm by checking for signs that spyware is installed.
If “no match” is found, it means that there is no record matching this device in the leaked list of compromised devices. This does not automatically mean that the device is free from spyware. Your device may have been compromised by spyware after April 2022 or may have been targeted by another type of spyware.
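The three results described above can be modelled as a small lookup, shown here as an added example that is not TechCrunch’s code. The sample list, the function names and the token-based matching rule are assumptions made for illustration; only the identifier lengths and the result names come from the text.

```python
import re

# Constructed sample entries standing in for the leaked list (not real data).
LEAKED_ENTRIES = [
    "356938035643809",                        # clean IMEI record
    "samsung 490154203237518",                # IMEI with a manufacturer name attached
    "38400000-8cf0-11bd-b23e-10b96e40000d",   # advertising ID record
]

def normalize(identifier: str) -> str:
    """Lower-case and drop separators so spaces or dashes do not affect matching."""
    return re.sub(r"[^0-9a-z]", "", identifier.lower())

def looks_valid(norm: str) -> bool:
    """Lengths given in the text: IMEI 14-15 digits, advertising ID 16 or 32 characters."""
    return bool(re.fullmatch(r"\d{14,15}|[0-9a-z]{16}|[0-9a-z]{32}", norm))

def classify(identifier: str, entries=LEAKED_ENTRIES) -> str:
    """Return 'match', 'probable match', 'no match' or 'invalid input'."""
    norm = normalize(identifier)
    if not looks_valid(norm):
        return "invalid input"
    probable = False
    for entry in entries:
        # Compare whole tokens, not substrings, so a short identifier
        # cannot match by accident inside a longer, unrelated one.
        tokens = [normalize(t) for t in re.split(r"[\s,;|]+", entry) if t]
        if tokens == [norm]:
            return "match"            # the record is exactly this identifier
        if norm in tokens:
            probable = True           # the record carries extraneous data as well
    return "probable match" if probable else "no match"

if __name__ == "__main__":
    for sample in ("35 693803 564380 9", "490154203237518", "123456789012345"):
        print(sample, "->", classify(sample))
```

A “no match” from this kind of lookup only says the identifier is absent from the list, which is why the result cannot rule out spyware installed after the list was compiled.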
What do I do now?
To confirm if an Android device is currently compromised, you should look for signs that spyware is installed. This guide explains how to find evidence that your phone has been compromised by spyware and how to remove it from your phone.
Since spyware is designed to be stealthy, please keep in mind that removing spyware will likely alert the person who installed it, which could lead to a dangerous situation. The Coalition Against Harassment Software and the National Network to End Domestic Violence offer support, advice and resources on how to create a safety plan.
What does this spyware scanner do?
This search tool allows you to check if your Android device was compromised by any of TheTruthSpy apps before April 2022.
TechCrunch obtained a list containing the unique IMEI or advertising ID collected from each compromised device. Each cellular-connected phone or tablet has a unique IMEI number hard-coded into the device’s hardware, while advertising IDs are built into the device’s software and can be easily reset and changed by the user.
Once the spyware is installed, it sends one of the phone’s identifiers back to its servers, just like many other apps do for legitimate reasons such as advertising, although Google has largely blocked developers from accessing IMEI numbers from 2019 in favor of more user-controllable advertising IDs.
This search tool does not store submitted IMEI numbers or advertising IDs, and therefore no data is shared or sold.
Why did TechCrunch create a spyware scanner?
The list does not contain enough information for TechCrunch to personally identify or notify individual device owners. Even if this were the case, we could not contact the victims for fear of also notifying the person who planted the spyware and creating a dangerous situation.
A phone can store some of a person’s most personal and sensitive information. No member of civil society should ever be subjected to such invasive surveillance without their knowledge or consent. By offering this tool, anyone can check if this spyware has compromised their Android device anytime or anywhere it is safe.
The search tool cannot tell you if your device is currently compromised. It can only tell you if there is a match for a device ID found in the leaked list, indicating that the device was likely compromised sometime before April 2022.
What can this spyware do?
Consumer spyware apps are often touted as child monitoring apps, but these apps are also referred to as “stalkerware” or “spouseware” for their ability to track and monitor other people, such as spouses and domestic partners, without their consent.
Apps like TheTruthSpy are downloaded and installed by someone with physical access to a person’s phone and are designed to remain hidden from home screens, but will silently and continuously download call logs, text messages, photos, browsing histories, call recordings and real-time location data from the phone without the knowledge of the owner.
What is the security flaw?
The nine known spyware apps in TheTruthSpy’s network share the same infrastructure, but due to poor quality coding, they also share the same security vulnerability. The flaw, officially known as CVE-2022-0732, is simple to abuse and allows anyone to remotely access data on a victim’s device almost unhindered.
With no expectation that the vulnerability will be patched, TechCrunch has released network details to help victims identify and remove spyware if it is safe to do so.
The legal stuff
If you use this spyware scanner, TechCrunch will collect your IMEI number or advertising ID and your IP address for the sole purpose of helping you identify if your device has been compromised by this spyware. IMEI numbers and advertising IDs are not stored, sold or shared with third parties and are deleted once you receive the results from the Spyware Scan Tool. IP addresses are briefly stored to limit automated queries only. TechCrunch is not responsible for any loss or damage to your device or data and makes no guarantees as to the accuracy of the results. You use this tool at your own risk.