Consumer-grade spyware apps that covertly and continually monitor your private messages, photos, phone calls, and real-time location are an ongoing problem for Android users.
This guide can help you identify and remove common surveillance apps from your Android phone, including TheTruthSpy, Cocospy and Spyic, among others.
Consumer-grade spyware apps are frequently sold under the guise of child monitoring or family-tracking software, but are referred to as “stalkerware” and “spouseware” for their ability to also track and monitor partners or spouses without their consent. These spyware apps are downloaded from outside of Google Play’s app store, planted on a phone without a person’s permission and often disappear from the home screen to avoid detection.
Stalkerware apps rely on abusing in-built Android features that are typically used by companies to remotely manage their employees’ work phones or use Android’s accessibility mode to snoop on someone’s device.
You may notice your phone acting unusually, running warmer or slower than usual, or using large amounts of network data, even when you are not actively using it.
Checking to see if your Android device is compromised can be done quickly and easily.
It’s important to have a safety plan in place and trusted support if you need it. Keep in mind that removing the spyware from your phone may alert the person who planted it, which could create an unsafe situation. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware.
Note that this guide only helps you to identify and remove spyware apps, it does not delete the data that was already collected and uploaded to its servers. Also, some versions of Android may have slightly different menu options. As is standard with any advice, you follow these steps at your own risk.
Google Play Protect is one of the best safeguards to protect against malicious Android apps by screening apps downloaded from Google’s app store and outside sources for signs of potentially malicious activity. Those protections stop working when Play Protect is switched off. It’s important to ensure that Play Protect is switched on to ensure that it’s working and scanning for malicious apps.
You can check that Play Protect is enabled through the Play Store app settings. You also can scan for harmful apps, if a scan hasn’t been done already.
Stalkerware relies on deep access to your device to access the data, and is known to abuse Android’s accessibility mode which, by design, requires broader access to the operating system and your data for screen readers and other accessibility features to work.
Android users who do not use accessibility apps or features should not see any apps in this section of Android’s settings.
If you do not recognize a downloaded service in the Accessibility options, you may want to switch it off in the settings and remove the app. Some stalkerware apps are disguised as ordinary looking apps and are often called “Accessibility,” “Device Health,” “System Service” or other innocuous-sounding names.
Much like the accessibility features, Android also allows third-party apps to access and read your incoming notifications, such as allowing smart speakers to read alerts out loud or your car to display notifications on its dashboard. Granting notification access to a stalkerware app allows for persistent surveillance of your notifications, which includes the contents of messages and other alerts.
You can check which apps have access to your notifications by checking your Android notification access settings under Special app access. Some of these apps you may recognize, like Android Auto. You can switch off notification access for any app that you do not recognize.
Other features commonly abused by stalkerware are Android’s device admin options, which have similar but even broader access to Android devices and users’ data.
Device admin options are usually used by companies to remotely manage their employees’ phones, such as wiping the phone in the event of device theft to prevent data loss. But these features also allow stalkerware apps to snoop on the Android display and the device’s data.
You can find the device admin app settings in Settings under Security.
Most people won’t have a device admin app on their personal phone, so be aware if you see an app that you don’t recognize, named something similarly obscure and vague like “System Service,” “Device Health” or “Device Admin.”
You may not see a home screen icon for any of these stalkerware apps, but they will still appear in your Android device’s app list.
You can view all of the installed apps in Android’s settings. Look for apps and icons that you don’t recognize. These apps may also show as having broad access to your calendar, call logs, camera, contacts and location data.
Force stopping and uninstalling a stalkerware app will likely alert the person who planted the stalkerware that the app no longer works.
If stalkerware was planted on your phone, there is a good chance that your phone was unlocked, unprotected or that your screen lock was guessed or learned. A stronger lock screen password can help to protect your phone from intruders. You should also protect email and other online accounts using two-factor authentication wherever possible.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Keep reading the article on Tech Crunch
A security vulnerability in a pair of phone-monitoring apps is exposing the personal data of millions of people who have the apps unwittingly installed on their devices, according to a security researcher who found the flaw.
The bug allows anyone to access the personal data — messages, photos, call logs, and more — exfiltrated from any phone or tablet compromised by Cocospy and Spyic, two differently branded mobile stalkerware apps that share largely the same source code. The bug also exposes the email addresses of the people who signed up to Cocospy and Spyic with the intention of planting the app on someone’s device to covertly monitor them.
Much like other kinds of spyware, products like Cocospy and Spyic are designed to remain hidden on a victim’s device while covertly and continually uploading their device’s data to a dashboard visible by the person who planted the app. By nature of how stealthy spyware can be, the majority of phone owners are likely unaware that their devices have been compromised.
The operators of Cocospy and Spyic did not return TechCrunch’s request for comment, nor have they fixed the bug at the time of publishing.
The bug is relatively simple to exploit. As such, TechCrunch is not publishing specific details of the vulnerability so as to not help bad actors exploit it and further expose the sensitive personal data of individuals whose devices have already been compromised by Cocospy and Spyic.
The security researcher who found the bug told TechCrunch that it allows anyone to access the email address of the person who signed up for either of the two phone-monitoring apps.
The researcher collected 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the bug to scrape the data from the apps’ servers. The researcher provided the cache of email addresses to Troy Hunt, who runs data breach notification service Have I Been Pwned.
Hunt told TechCrunch that he loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic to Have I Been Pwned, after he removed duplicate email addresses that appeared in both batches of data. Hunt said that as with previous spyware-related data breaches, the Cocospy and Spyic cache is marked as “sensitive,” in Have I Been Pwned, which means that only the person with an affected email address can search to see if their information is in there.
Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security mishaps in recent years, often as a result of bugs or poor security practices. By TechCrunch’s running count, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked, breached, or otherwise exposed customers’ and victims’ highly sensitive data online.
Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring apps but are often referred to as stalkerware (or spouseware), as some of these products expressly promote their apps online as a means of spying on a person’s spouse or romantic partner without their knowledge, which is illegal. Even in the case of mobile surveillance apps that are not explicitly marketed for nefarious activity, often the customers still use these apps for ostensibly illegal purposes.
Stalkerware apps are banned from app stores and so are usually downloaded directly from the stalkerware provider. As a result, stalkerware apps usually require physical access to someone’s Android device to be planted, often with prior knowledge of the victim’s device passcode. In the case of iPhones and iPads, stalkerware can tap into a person’s device’s data stored in Apple’s cloud storage service iCloud, which requires using their stolen Apple account credentials.
Little else is known about these two spyware operations, including who runs Cocospy and Spyic. Stalkerware operators often try to eschew public attention, given the reputational and legal risks that go with running surveillance operations.
Cocospy and Spyic launched in 2018 and 2019, respectively. From the number of registered users alone, Cocospy is one of the largest-known stalkerware operations going today.
Security researchers Vangelis Stykas and Felipe Solferini, who analyzed several stalkerware families as part of a 2022 research project, found evidence linking the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer, whose website no longer loads.
This week, TechCrunch installed the Cocospy and Spyic apps on a virtual device (which allows us to run the apps in a safe sandbox without giving either of the spy services any real-world data, such as our location). Both of the stalkerware apps masquerade as a nondescript-looking “System Service” app for Android, which appears to evade detection by blending in with Android’s built-in apps.
We used a network analysis tool to watch data flowing in and out of the app to understand how the spyware operations work, what data is shared, and where the servers are located.
Our traffic analysis found the app was sending our virtual device’s data via Cloudflare, a network security provider that obfuscates the true real-world location and web host of the spyware operations. But some of the web traffic showed the two stalkerware apps were uploading some victims’ data, like photos, to a cloud storage server hosted on Amazon Web Services.
Neither Amazon nor Cloudflare responded to TechCrunch’s inquiries about the stalkerware operations.
The analysis also showed that while using the app, the server would occasionally respond with status or error messages in Chinese, suggesting the apps are developed by someone with a nexus to China.
The email addresses scraped from Cocospy and Spyic allow anyone who planted the apps to determine if their information (and their victim’s data) was compromised. But the data does not contain enough identifiable information to notify individuals whose phones are compromised.
However, there are things you can do to check if your phone is compromised by Cocospy and Spyic. Like most stalkerware, both of these apps rely on a person deliberately weakening the security settings on an Android device to plant the apps — or in the case of iPhones and iPads, accessing a person’s Apple account with knowledge of their username and password.
Even though both Cocospy and Spyic try to hide by appearing as a generic-looking app called “System Service,” there are ways to spot them.
With Cocospy and Spyic, you can usually enter ✱✱001✱✱ on your Android phone app’s keypad and then press the “call” button to make the stalkerware apps appear on-screen — if they are installed. This is a feature built into Cocospy and Spyic to allow the person who planted the app on the victim’s device to regain access. In this case, the feature can also be used by the victim to determine if the app is installed.
You can also check your installed apps through the apps menu in the Android Settings menu, even if the app is hidden from view.
TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware. Remember to have a safety plan in place, given that switching off spyware may alert the person who planted it.
For Android users, switching on Google Play Protect is a helpful safeguard that can protect against malicious Android apps, including stalkerware. You can enable it from Google Play’s settings menu if it isn’t already enabled.
And for iPhone and iPad users who think you may be compromised, you should check that your Apple Account uses a long and unique password (ideally saved in a password manager) and that your account also has two-factor authentication switched on. You should also check and remove any devices from your account that you don’t recognize.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch viaSecureDrop.
Keep reading the article on Tech Crunch