A little-known Minnesota-based spyware maker has been hacked, TechCrunch has learned, revealing that thousands of devices around the world are under its stealthy remote surveillance.
A person with knowledge of the breach provided TechCrunch with a cache of files extracted from the company’s servers containing detailed device activity logs from the phones, tablets, and computers that Spytech monitors, with some of the files dating as recently as early June.
TechCrunch verified the authenticity of the data in part by analyzing some of the activity logs from the exfiltrated devices that relate to the company’s CEO, who installed the spyware on one of his own devices.
The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the first leaked records in 2013, including Android devices, Chromebooks, Macs and Windows PCs worldwide.
Spytech is the latest spyware maker to be compromised in recent years, and the fourth known spyware maker to be hacked this year alone, according to TechCrunch’s current count.
Reached for comment, Spytech CEO Nathan Polencheck said the TechCrunch email “was the first I’ve heard of the breach and I haven’t seen the data that you’ve seen, so right now all I can really say is that I’m investigating everything and will take appropriate action.”
Spytech is a creator of remote access applications, often called “stalkerware,” that are sold under the guise of allowing parents to monitor their children’s activities, but are also marketed to spy on the devices of spouses and partners. Spytech’s website openly promotes its products for spousal monitoring, promising to “keep tabs on your spouse’s suspicious behavior.”
While monitoring the activity of children or employees is not illegal, monitoring a device without the owner’s consent is illegal, and both operators and customers of spyware have been prosecuted for selling and using spyware.
Stalkerware apps are typically planted by someone with physical access to a person’s device, often with knowledge of their password. By their nature, these apps can remain invisible and are difficult to detect and remove. Once installed, spyware apps send keystrokes and screen taps, web browsing history, device activity usage, and, in the case of Android devices, granular location data to a dashboard controlled by the person who planted the app.
The hacked data, viewed by TechCrunch, contains logs from all devices under Spytech’s control, including records of each device’s activity. Most of the devices compromised by the spyware are Windows PCs and, to a lesser extent, Android devices, Macs, and Chromebooks.
The device activity logs we saw were not encrypted.
TechCrunch analyzed location data obtained from hundreds of compromised Android phones and plotted the coordinates in an offline mapping tool to preserve victims’ privacy. The location data gives an idea, but not a complete picture, of where at least some of Spytech’s victims are located.
A world map showing hundreds of Android devices compromised by Spytech's spyware, plotted on a world map, with large clusters in the US and across Europe, and scattered dots throughout the rest of the world.
Hundreds of Android devices compromised by Spytech spyware depicted on a world map.
Image credits: TechCrunch
Our analysis of mobile data only shows that Spytech has significant clusters of monitored devices in Europe and the United States, as well as devices located in Africa, Asia, Australia and the Middle East.
One of the records associated with Polencheck’s administrator account includes the precise geolocation of his home in Red Wing, Minnesota.
While the data contains significant amounts of sensitive data and personal information obtained from the devices of individuals (some of whom will have no idea their devices are being monitored), the data does not contain enough identifiable information about each compromised device for TechCrunch to notify victims of the breach.
Asked by TechCrunch, Spytech’s CEO would not say whether the company plans to notify its customers, people whose devices were monitored, or U.S. state authorities, as required by data breach notification laws.
A spokesperson for the Minnesota attorney general did not respond to a request for comment.
Spytech has been around since at least 1998. The company operated largely under the radar until 2009, when an Ohio man was convicted of using Spytech spyware to infect the computer systems of a nearby children’s hospital, targeting the email account of his ex-partner who worked there.
Local media reported at the time, and TechCrunch verified from court records, that the spyware infected the children’s hospital’s systems as soon as his ex-partner opened the spyware, which prosecutors said collected sensitive medical information. The person who sent the spyware pleaded guilty to unlawful interception of electronic communications.
Spytech is the second US spyware company to suffer a data breach in recent months. In May, Michigan-based pcTattletale was hacked and its website was defaced. The company then shut down and deleted data from victims’ devices rather than notifying those affected.
Data breach notification service Have I Been Pwned later obtained a copy of the hacked data and listed 138,000 customers who had signed up for the service.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support 24 hours a day, 7 days a week to victims of domestic violence and abuse. If you are in an emergency situation, call 911. Coalition Against Harassment Software has resources if you think your phone has been compromised by spyware.
.jpg)
.webp)
0 Comments