Our smartphones hold our most personal and sensitive information. The threat of privacy invasion is a constant concern. Spyhide, a stealthy phone surveillance app, has been quietly collecting private data from tens of thousands of Android devices around the globe. Developed in Iran, this stalkerware app has compromised over 60,000 devices since 2016, exposing victims to the risk of data leakage and unauthorized access to their most intimate information.
The Dark World of Stalkerware
Stalkerware, also known as spouseware, is a type of app that is surreptitiously installed on a victim’s phone, often by someone with knowledge of their passcode. These apps are designed to remain hidden on the victim’s home screen, making detection and removal difficult. Once installed, Spyhide silently and continuously uploads the victim’s contacts, messages, photos, call logs, recordings, and even their precise location in real-time.
While stalkerware apps provide broad access to a victim’s phone data, they are notorious for their buggy nature. This can lead to unintended exposure or leakage of stolen private data, further exacerbating the risks associated with phone surveillance apps.
Exposing the Secret Operation
Recently, a Swiss hacker named maia arson crimew uncovered a portion of Spyhide’s development environment, giving access to the source code of the web-based dashboard used by abusers to view stolen phone data. By exploiting vulnerabilities in the dashboard’s code, crimew gained access to the back-end databases, revealing the inner workings of this secretive spyware operation and its suspected administrators.
To verify the authenticity of the exposed data, TechCrunch analyzed a copy of Spyhide’s text-only database provided by crimew. The database contained detailed records of approximately 60,000 compromised Android devices dating back to 2016. These records included call logs, text messages, location history, photos, and more, providing a chilling glimpse into the extent of the privacy invasion.
A Global Surveillance Network
Visualizing the data points from Spyhide’s database, it becomes apparent that its surveillance network spans every continent. Clusters of thousands of victims can be found in Europe and Brazil, while the United States alone has over 3,100 compromised devices. Some U.S. victims are particularly heavily surveilled, with one device quietly uploading over 100,000 location data points.
The database also exposed the identities of 750,000 people who signed up for Spyhide with the explicit goal of installing the spyware app on another person’s device. It’s troubling that so many people have downloaded spy applications, yet most of them didn’t actually breach a phone or pay for the malware.
However, the analysis showed that over 4,000 users were in control of multiple compromised devices, and a smaller number of user accounts were linked to dozens of compromised devices. This highlights the potential for widespread abuse and the magnitude of the privacy invasion perpetrated by Spyhide.
Unveiling the Developers
The developers behind Spyhide have gone to great lengths to conceal their identities and the origins of the operation. However, the source code contained the names of two Iranian developers who profit from this illicit operation. Mostafa M., currently located in Dubai according to his LinkedIn profile, and Mohammad A., who lived in the same northeastern Iranian city as Mostafa according to registration records associated with Spyhide’s domains.
Despite attempts to obfuscate their involvement, the developers did not respond to requests for comment, leaving their motivations and intentions shrouded in secrecy.
The Web of Complicity and Hosting
Stalkerware apps like Spyhide are explicitly banned from Google’s app store due to their promotion of secret spousal surveillance. Instead, users must download the app directly from Spyhide’s website.
TechCrunch conducted an analysis by installing the Spyhide app on a virtual device and using network traffic analysis tools to understand the data flow. The analysis revealed that the app sends data from the virtual device to a server hosted by German web hosting giant, Hetzner. Christian Fitz, a spokesperson for Hetzner, stated that the web host does not permit the hosting of spyware.
Protecting Yourself from Spyhide
Detecting stalkerware apps can be challenging, as they often disguise themselves as normal-looking Android apps or processes. Spyhide, for instance, masquerades as a Google-themed app called “Google Settings” or a ringtone app named “T.Ringtone.” These apps request permission to access the device’s data and immediately begin sending private information to their servers.
To check for installed apps, navigate to the apps menu in the Settings, even if the app is hidden on the home screen.
If you suspect your device may be compromised by Spyhide or similar stalkerware, follow our general guide to remove Android spyware. However, switching off spyware may alert the person who planted it.
Enabling Google Play Protect provides an additional safeguard against malicious Android apps, including spyware. You can activate this feature through the settings menu in Google Play.
FAQ
Q: What is stalkerware?
A: Stalkerware, also known as spouseware, is a type of app that is secretly installed on a victim’s phone to monitor their activities and collect private information without their consent or knowledge.
Q: How does Spyhide work?
A: Spyhide is a stalkerware app that, once installed on a victim’s Android device, continuously uploads their contacts, messages, photos, call logs, recordings, and location data to a remote server.
Q: Can Spyhide be detected?
A: Spyhide disguises itself as legitimate apps such as “Google Settings” or “T.Ringtone.” However, users can check for installed apps through the settings menu on their Android device.
Q: Is Spyhide legal?
A: Stalkerware apps like Spyhide are explicitly banned from Google’s app store due to their promotion of secret spousal surveillance. However, they can still be downloaded from third-party websites.
Q: How can I protect my device from Spyhide?
A: To protect your device from Spyhide and other stalkerware, enable Google Play Protect and be cautious when downloading apps from unknown sources. Regularly check for any suspicious or unfamiliar apps on your device. If you suspect your device may be compromised, follow the steps to remove Android spyware.
Q: What should I do if I suspect my device has been compromised by Spyhide?
A: If you suspect your device has been compromised by Spyhide or similar stalkerware, follow our general guide to remove Android spyware. Additionally, seek help from organizations such as the National Domestic Violence Hotline and the Coalition Against Stalkerware for support and resources.
First reported on TechCrunch
