Developed states are backing spyware that can remotely hack into iPhones. Governments are buying and using these hacking tools to target dissent—journalists, activists and human rights defenders.

Another kind of spyware exists that is more relevant and likely to affect a common person: the consumer-grade spyware apps that are managed by everyday people.

Consumer-grade spyware is often sold under the garb of child monitoring software, although it’s called “stalkerware” as it can covertly track and monitor other people or spouses. The Stalkerware apps are installed secretly by anyone who has access to a person’s phone. These apps don’t appear on home screens and will covertly and continuously upload call records, text messages, photos, browsing history, location data and call recordings from the phone. It is easier to plant this spyware on android than on IoS, which has a stricter vetting process on what kinds of apps can be installed and what data can be accessed. 

TechCrunch, last October, released a consumer-grade spyware security issue that’s jeopardising phone data, messages and locations of several people, including Americans. 

It wasn’t one spyware app risking people’s phone data but a raft of android spyware apps that share the same vulnerability. 

TechCrunch first unravelled the vulnerability as part of a campaign to explore consumer-grade spyware. The vulnerability is simple but effective and allows almost unfettered remote access to a device’s data. But attempts to privately reveal the security flaw to prevent nefarious actors from exploiting the vulnerability has been avoided both by those operating the spyware and from Codero, the web company that hosts the spyware server infrastructure.  

The spyware operates secretly; therefore, the people targeted are oblivion to spyware. TechCrunch is divulging information about the spyware apps and the operation so that affected owners can remove the spyware themselves if it’s safe to do so. Further, with no patch for vulnerability to be released in near future, TechCrunch is releasing vulnerability information. 

CERT/CC, the vulnerability disclosure centre at Carnegie Mellon University’s Software Engineering Institute, has also issued a note on the spyware as alerting the victims turns out to be a complex process.

Investigating the spyware for a month revealed a large scale stalkware operation collecting data from some 400,000 phones around the world and the targeted victims growing every day, including in the United States, Brazil, Indonesia, India, Jamaica, the Phillippines, South Africa and Russia. 

The operation is led by a collection of white-label Android spyware apps that continuously gathers data from a person’s phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that cover obscuring links, to its true operator, Underneath the app is a server infrastructure, which the operator controls and the operator as known to TechCrunch are a Vietnamese company 1Byte.

TechCrunch identified nine similar spyware apps that has distinct branding, some having more abstruse names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy.

Apart from their names, the spyware apps have identical features and user interfaces for establishing the spyware. Once established, each app allows the person who installed spyware on the phone to access the target’s phone data in real-time through a web dashboard—messages, contacts, location, photos and more. Like the dashboard, apps are clones of the same web software.  And TechCrunch’s analysis of apps’ network traffic pointed out that all apps connect to the same server infrastructure. 

Since the nine apps share the code, web dashboards and infrastructure, they also share the vulnerabilities. 

The vulnerability that we are discussing is called insecure direct object reference, or IDOR, a type of bug that exposes files or data on a server as there exists inferior or absence of security controls. It’s like having a key to unlock your mailbox, but that key can also unlock other mailboxes in your vicinity. IDORs are one of the most widely found vulnerabilities. TechCrunch had identified and privately revealed similar flaws before, as when LabCorp exposed thousands of lab test results, and recently when CDC-approved health app Docket exposing COVID-19 digital vaccine records. IDORs have an advantage: they can often be fixed at the server level without needing to roll out a software update to an app, or in this case, a fleet of apps.

IDORs have an advantage as they can often be fixed at the server level and doesn’t need to release software updates for the app, or in this case, a fleet of apps.

But second-rate coding didn’t just reveal people’s phone data. The whole spyware infrastructure is plagued with bugs that give more details about the operation itself. That’s how we tracked that data on approx 4,00,000 devices have been affected. Second-rate coding has also put affiliates’ data at risk, affiliates that bring new paying customers, information that they assume to be kept private, even the operators themselves,

Underneath each branded app, web dashboard and front-facing website was a fictitious parent company with its own corporate website. The parent companies’ websites are similar, and all assert to be “software outsourcing” companies having a decade of experience and hundreds of engineers. Further, each website states that those nine branded apps as their flagship product. 

If the identical website doesn’t concern you, then the parent company websites are all hosted on the same web server. TechCrunch also scanned state and public databases but couldn’t find records of any of the parent companies. 

Jexpa, one of the parent companies, has no paper record, but at some time, it did exist. Jexpa existed as a technology company in California in 2003, but was suspended from the state’s business registry in 2009. The company’s domain was left to expire.

An unknown buyer bought Jexpa’s expired domain in 2015. (TechCrunch has found no evidence that links the former Jexpa and the later Jexpa.) Jexpa now advertises as a software outsourcing company but has stock photos and dummy pages filling the website. The operators have tried their best to hide their participation in the operation, including registering email addresses using other peoples’  credentials. In one instance identity of a former NYPD police commissioner was used.

But Jexpa is more than just a name. TechCrunch unravelled many overlaps between Jexpa and the branded spyware apps, including a bunch of release notes that was not meant to be public but had been left — and revealed — on its servers.

The release notes have about three years of detailed changes and fixes to the back-end web dashboards, detailing the spyware’s evolution since the log was first created in late-2018, with its most recent fixes put to use in April 2021. The notes were signed by a developer with a email address.

The notes detail fixes to what the developers label the Jexpa framework. The software stack that the servers run is used to keep the operation, each brand’s web dashboard and the storage for a large amount of phone data gathered from the spyware apps themselves. We identified through the technical documents that developers left just like the release notes, and they also left the Jexpa Framework exposed to the internet. 

The document specified technical configurations and comprehensive instructions with shoddy redacted screenshots that showed portions of several domains and subdomains used by the spyware apps. Those same screenshots also showed the operator’s website, but more on that in a moment. The documentation pages also have examples of the spyware apps themselves, like SecondClone, and go far in describing how to set up new content storage servers for each app from scratch, even down to which web host to use — such as Codero, Hostwinds and Alibaba — because they allow for a particular disk storage setup required for the apps to work.

For a company with no apparent business filings, the operator put considerable effort into making Jexpa look like the top of the operation. But the operator left behind a trail of internet records, exposed source code and documentation that connects Jexpa, the Jexpa Framework and the fleet of spyware apps to a Vietnam-based company called 1Byte.

The company has no record, and the operator worked hard into making Jexpa appear, the face of the operation. But the operator left behind internet records, which revealed source code and documentation that links Jexpa, the Jexpa Framework and several spyware apps to 1Byte, a Vietnamese company.

We were unable to access Jexpa documents; a little after we connected 1Byte about the vulnerability and its links to Jexpa.