A TechCrunch investigation in February 2022 revealed that a fleet of consumer-grade spyware apps, including TheTruthSpy, share a common security vulnerability that exposes the personal data of hundreds of thousands of Android users.
Our investigation found victims in virtually every country, with large groups in the United States, Europe, Brazil, Indonesia and India. But the stealthy nature of spyware means that most victims will have no idea that their device has been compromised unless they know where to look on their device.
Then, in June, a source provided TechCrunch with a cache of files downloaded from TheTruthSpy’s internal network servers.
The cache included a list of all Android devices that had been compromised by any of the spyware apps in TheTruthSpy's network, including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, GuestSpy, and FoneTracker. Aside from their names, these apps are nearly identical and all communicate with the same server infrastructure.
The list contains the IMEI number or unique advertising ID associated with each device compromised up to April 2022, which is when the data was downloaded from the spyware's internal network. TechCrunch verified the authenticity of the list by checking it against the known IMEIs of the burner and virtual devices we used as part of our investigation into the spyware network.
Using this list of compromised devices, TechCrunch has created a spyware search tool to allow you to check if your Android device has been compromised by TheTruthSpy apps and to provide resources to remove spyware from your device.
How does the spyware search tool work?
Before starting, it is important to have a safety plan in place. The Coalition Against Stalkerware and the National Network to End Domestic Violence offer advice and guidance to victims and survivors of stalkerware.
Here’s how to get started with the tool.
1. First, find a device that you know is safe, such as a trusted friend’s phone or a computer in a public library.
2. Visit this same web page from that trusted device.
3. Enter the IMEI number or advertising ID of the device you suspect has been compromised into the search tool. You may want to check both of them.
Here’s how you find them:
- An IMEI number is a 14-15 digit number that is unique to your cell phone. From the phone keypad, type *#06# and your IMEI number (sometimes called MEID) should appear on the screen. You may need to press the call button on some phone models.
- Your device's advertising ID can be found in Settings > Google > Ads, although some Android versions may differ slightly. Advertising IDs vary but are typically 16 or 32 characters and are a mix of letters and numbers.
If you have reset or deleted your advertising ID, or if it has changed in some other way since the spyware was installed, this tool may not identify your device as being compromised.
If the spyware search tool returns a “match”, it means that the IMEI number or advertising ID of the device was found in the leaked list and the corresponding device was compromised by one of TheTruthSpy's spyware apps before April 2022.
If you get a “probable match”, it means that your IMEI number or device advertising ID matched a record in the list but the entry may contain extraneous data, such as the name of the device manufacturer. This result means that the corresponding device has probably been compromised by one of TheTruthSpy's apps, but that you need to confirm by checking for signs that the spyware is installed.
If “no match” is found, it means that there is no record matching that device in the leaked list of compromised devices. This does not automatically mean that the device is spyware-free. Your device may have been compromised by spyware after April 2022, or it may have been targeted by a different type of spyware.
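The three results described above can be reproduced with a small lookup routine. This is an added example, not TechCrunch's code: the row format, the constructed sample identifiers, the function names and the extra "invalid identifier" result (a Luhn check-digit test on 15-digit IMEIs, which goes beyond what the article describes) are assumptions.

```python
import re

# Constructed sample rows standing in for the leaked list (test values, not
# real victims). The second row carries extraneous text, as the article notes.
SAMPLE_ROWS = [
    "490154203237518",
    "samsung 356938035643809",
    "38400000-8cf0-11bd-b23e-10b96e40000d",
]

def normalize(text):
    """Lower-case and drop separators so formatting differences don't matter."""
    return re.sub(r"[^0-9a-z]", "", text.lower())

def luhn_ok(digits):
    """Luhn check used for the 15th IMEI digit; catches most typing errors."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def lookup(identifier, rows=SAMPLE_ROWS):
    """Return 'match', 'probable match', 'no match' or 'invalid identifier'."""
    needle = normalize(identifier)
    if len(needle) < 14:
        return "invalid identifier"
    if needle.isdigit() and len(needle) == 15 and not luhn_ok(needle):
        return "invalid identifier"   # a typo would otherwise read as "no match"
    probable = False
    for row in rows:
        if normalize(row) == needle:
            return "match"            # the row is exactly this identifier
        tokens = [normalize(t) for t in re.split(r"[\s,;|]+", row)]
        if needle in tokens:
            probable = True           # identifier present, plus extra data
    return "probable match" if probable else "no match"
```

The function keeps no state between calls, so a submitted identifier is not retained after the result is returned.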
What do I do now?
To confirm if an Android device is currently compromised, you need to look for signs that spyware is installed. This guide explains how to look for evidence that your phone has been compromised by spyware and how to remove it from your phone.
Since spyware is designed to be hidden, be aware that removing it will likely alert the person who installed it, which could lead to an unsafe situation. The Coalition Against Stalkerware and the National Network to End Domestic Violence offer support, guidance, and resources on how to create a safety plan.
What does this spyware search tool do?
This search tool allows you to check if your Android device was compromised by any of TheTruthSpy apps before April 2022.
TechCrunch obtained a list containing the IMEI number or unique advertising ID collected from each compromised device. Each phone or tablet connected to the cellular network has a unique IMEI number encoded in the device hardware, while advertising IDs are built into the device software and can be easily reset and changed by the user.
Once installed, the spyware sends one of the phone's identifiers to its servers, just as many other apps do for permitted reasons such as advertising, although Google has largely restricted developers' access to IMEI numbers since 2019 in favor of more user-controllable advertising IDs.
This search tool does not store submitted IMEI numbers or advertising IDs and therefore no data is shared or sold.
Why did TechCrunch create a spyware search tool?
The list does not contain enough information to allow TechCrunch to personally identify or notify individual device owners. Even if that were the case, we could not contact the victims for fear of also alerting the person who installed the spyware and creating a dangerous situation.
A phone can store some of a person's most personal and sensitive information. No member of civil society should ever be subjected to such invasive surveillance without their knowledge or consent. By offering this tool, anyone can check if this spyware has compromised their Android device anytime or anywhere when it is safe.
The search tool cannot tell you if your device is currently compromised. It can only tell you if there is a match for a device identifier found in the leaked list, indicating that the device was likely compromised sometime before April 2022.
What can this spyware do?
Consumer-grade spyware apps are often presented as child monitoring apps, but these apps are also referred to as “stalkerware” or “spouseware” for their ability to track and monitor other people, such as spouses and domestic partners, without their consent.
Apps like TheTruthSpy are downloaded and installed by someone with physical access to a person's phone and are designed to remain hidden from home screens, but will silently and continuously upload call logs, text messages, photos, browsing histories, real-time call recordings and location data from the phone without the owner's knowledge.
What is the security vulnerability?
The nine known spyware apps on TheTruthSpy’s network share the same infrastructure, but due to poor coding, they also share the same security vulnerability. The flaw, officially known as CVE-2022-0732, is easy to abuse and allows anyone to remotely gain near-unlimited access to the victim’s device data.
With no expectation that the vulnerability would be fixed, TechCrunch posted details on the net to help victims identify and remove the spyware if it is safe to do so.
The legal stuff
If you use this spyware search tool, TechCrunch will collect your IMEI or Advertising ID and your IP address for the sole purpose of helping you identify if your device has been compromised by this spyware. IMEI numbers and advertising IDs are not stored, sold or shared with third parties and are deleted once the results of the spyware search tool are received. IP addresses are stored briefly only to limit automated requests. TechCrunch is not responsible for any loss or damage to the device or data and makes no warranties as to the accuracy of the results. You use this tool at your own risk.