Brazilian phone spyware hacked and data from victims’ stolen devices ‘deleted’

Portuguese language spyware WebDetetive has been used to compromise over 76,000 Android phones in recent years in South America, primarily Brazil. WebDetetive is also the latest phone spyware company to be hacked in recent months.
In an undated note seen by TechCrunch, the anonymous hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive’s servers and access its user databases. By exploiting other flaws in the spyware maker’s web dashboard – used by attackers to access their victims’ stolen phone data – the hackers said they enumerated and downloaded every dashboard record, including each customer’s email address.
The hackers said access to the dashboard also allowed them to completely remove victim devices from the spyware network, severing the connection at the server level so that the devices could no longer upload new data. “Which we definitely did. Because we could. Because #fuckstalkerware,” the hackers wrote in the note.
The note was included in a cache containing over 1.5 GB of data extracted from the spyware’s web dashboard. This data included information about each customer, such as the IP address they connected from and purchase history. The data also listed all devices compromised by each client, the version of spyware the phone was running, and the types of data the spyware collected from the victim’s phone.
The cache did not contain the stolen content from the victims’ phones.
DDoSecrets, a nonprofit transparency collective that indexes leaked and exposed datasets in the public interest, received the WebDetetive data and shared it with TechCrunch for analysis.
In total, the data showed that WebDetetive had compromised 76,794 devices at the time of the breach. The data also contained 74,336 unique customer email addresses, although WebDetetive does not verify a customer’s email address at registration, which prevents any meaningful analysis of who the spyware’s customers are.
It is not known who is behind the WebDetetive breach, and the hackers did not provide any contact information. TechCrunch could not independently confirm the hackers’ claim that they removed the victims’ devices from the network, but TechCrunch verified the authenticity of the stolen data by matching a selection of device identifiers in the cache against a publicly accessible endpoint on WebDetetive’s server.
WebDetetive is a type of phone monitoring application that is installed on a person’s phone without their consent, often by someone who knows the phone’s passcode.
Once installed, the app changes its icon on the phone’s home screen, which makes the spyware difficult to detect and remove. WebDetetive then immediately begins stealthily uploading content from the person’s phone to its servers, including their messages, call logs, phone call recordings, photos, ambient recordings from the phone’s microphone, data from social media apps, and precise location data in real time.
Despite the wide access these so-called stalkerware (or spouseware) apps have to a victim’s personal and sensitive phone data, such spyware is notoriously buggy and known for its shoddy coding, which puts data already stolen from victims at additional risk of compromise.
WebDetetive, meet OwnSpy
Little is known about WebDetetive beyond its monitoring capabilities. It is not uncommon for spyware creators to conceal or obscure their real identities, given the reputational and legal risks associated with producing spyware and facilitating the illegal surveillance of others. WebDetetive is no different. Its website does not list who owns or operates WebDetetive.
But even though the hacked data itself reveals few clues about WebDetetive’s administrators, much of its roots can be traced back to OwnSpy, another widely used phone spy app.
TechCrunch downloaded the WebDetetive Android app from its website (since Apple and Google prohibit stalkerware apps from their app stores) and installed the app on a virtual device, allowing us to analyze it in an isolated sandbox without giving it real data, such as our location. We performed a network traffic analysis to understand what data was flowing in and out of the WebDetetive app, which revealed that it is a heavily repackaged copy of OwnSpy’s spyware. WebDetetive’s user agent, the string it sends to the server to identify itself, still referred to itself as OwnSpy, even though it was uploading our virtual device’s dummy data to WebDetetive’s servers.
A side-by-side photo comparison of WebDetetive (left) and OwnSpy (right) running on Android. Image credits: TechCrunch
OwnSpy is developed in Spain by Mobile Innovations, a company based in Madrid and led by Antonio Calatrava. OwnSpy has been operational since at least 2010, according to its website, and claims to have 50,000 customers, although it’s unclear how many devices OwnSpy has compromised to date.
OwnSpy also operates an affiliate model, allowing others to earn a commission by promoting the app or offering “a new product to your customers” in exchange for a share of OwnSpy’s profits, according to an archived copy of its affiliate website. It is unclear what other operational links, if any, exist between OwnSpy and WebDetetive. Calatrava did not return a request for comment or provide contact information for WebDetetive’s administrators.
Shortly after emailing Calatrava, parts of OwnSpy’s known infrastructure were taken offline. A separate analysis of the network traffic of the OwnSpy app by TechCrunch revealed that the OwnSpy spyware app was no longer working. The WebDetetive application continues to work.
A destructive attack?
WebDetetive is the second spyware maker to be targeted by a destructive data hack in recent months. LetMeSpy, a spyware application developed by Polish developer Rafal Lidwin, has shut down following a hack that exposed and deleted victims’ stolen phone data from LetMeSpy’s servers. Lidwin declined to answer questions about the incident.
According to TechCrunch’s tally, at least a dozen spyware companies have exposed, leaked, or otherwise put their victims’ stolen phone data at risk of further compromise due to shoddy coding and easily exploitable security vulnerabilities.
TechCrunch could not contact WebDetetive administrators for comment. An email sent to WebDetetive’s support email address regarding the data breach (including whether the spyware author has backups) was not returned. It is unclear whether the spyware company will notify customers or victims of the data breach, or whether it still has the necessary data or records to do so.
Destructive attacks, though infrequent, could have unintended and dangerous consequences for spyware victims. Spyware typically alerts the attacker if the spyware app stops working or is removed from a victim’s phone, and breaking a connection without a security plan in place could put spyware victims in a dangerous situation. The Coalition Against Stalkerware, which works to support victims and survivors of stalkerware, offers resources on its website for those who suspect their phone is compromised.
How to find and remove WebDetetive
Unlike most phone monitoring apps, WebDetetive and OwnSpy do not hide their app from the Android home screen; instead, they disguise it as a Wi-Fi app that looks like part of the Android system.
This makes WebDetetive relatively easy to detect. The app appears under the name “WiFi” and has a white wireless icon in a blue circle on a white background.

A screenshot showing the “WiFi” app, which poses as a Wi-Fi system app. However, this app is spyware in disguise. Image credits: TechCrunch
Long-pressing the icon and opening the app information shows that the app is actually called “Sistema”.

This “WiFi” app icon, when tapped, will actually show up as an app called “Sistema”, which is designed to look like an Android system app, but is actually WebDetetive spyware. Image credits: TechCrunch
We have a general guide that can help you remove Android spyware from your phone, if it’s safe to do so. You should make sure that Google Play Protect is enabled, as this in-device security feature can defend you against malicious Android apps. You can check its status in the Google Play settings menu.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential assistance 24/7 to victims of domestic abuse and violence. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you suspect your phone has been compromised by spyware.