The app, KidsGuard, claims it can “access all the information” on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls. But a misconfigured server meant the app was also spilling out the secretly uploaded contents of victims’ devices to the internet.
These consumer-grade spyware apps — also known as “stalkerware” — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their child’s activities, many have repurposed the apps to spy on their spouses. That’s prompted privacy groups and security firms to work together to help better identify stalkerware. KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a “stealthy” way to keep children safe, but also can be used to “catch a cheating spouse or monitor employees.” But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.
Exclusive: KidsGuard siphoned off photos, videos, screenshots and call recordings to an unprotected server.