A security vulnerability in a pair of phone-monitoring apps is exposing the personal data of millions of people who have the apps unwittingly installed on their devices, according to a security researcher who found the flaw.
The bug allows anyone to access the personal data — messages, photos, call logs, and more — exfiltrated from any phone or tablet compromised by Cocospy and Spyic, two differently branded mobile
stalkerware apps that share largely the same source code. The bug also exposes the email addresses of the people who signed up to Cocospy and Spyic with the intention of planting the app on someone’s device to covertly monitor them.
Much like other kinds of
spyware, products like Cocospy and Spyic are designed to remain hidden on a victim’s device while covertly and continually uploading their device’s data to a dashboard visible by the person who planted the app. By nature of how stealthy spyware can be, the majority of phone owners are likely unaware that their devices have been compromised.
The operators of Cocospy and Spyic did not return TechCrunch’s request for comment, nor have they fixed the bug at the time of publishing.
techcrunch.com
