The developer of a smartphone app that can be used to track, monitor, and otherwise stalk individuals has revealed that what looks like its entire database has been hacked.
Let Me Spy kind of pretends that it is meant to be used on “your” device, allowing its users to track calls and messages and more remotely via a web browser. But the company’s own website quickly cuts to the chase about what the app is really for.
“Just download the installation file and install the app on the phone you want to track,” the marketing blurb on the Polish company’s site said. “You can monitor tracked phone 24 hours/day from your computer on www.letmespy.com.”
That is creepy enough, but to make things worse, the company also appears to have had some lax security on its end, leading to a data breach that has leaked the details of not only those being spied upon but also those who are doing the spying.
While it’s not known where exactly this data is at the moment, it has been sent to a Swiss cyber security researcher — in fact, the same researcher and hacktivist who discovered an unsecured copy of the TSA’s no-fly list in January 2023.
The data dump contains CSV files of decrypted calls and messages from targeted phones, as well as a complete user list. According to Maia Arson, the users include government officials from Malaysia and Jordan, a Louisiana police officer, and someone who works for a competing spyware app, though none of them had used the app to any real extent.
The cohort that does make great use of the app, though, is US college students, which is both somewhat alarming and oddly unsurprising.
Maia hasn’t looked too closely into the material from those being spied upon, but she does note that there are more than a few drug deals, a lot of political spam from Donald Trump, and at least a couple of people who admit to using the spyware on a partner, telling them they are being tracked and have been caught in a lie.
Totally normal stuff for normal people.
The data on those actually using the app to track people is even more complete, with “geolocation logs, IP addresses for each log entry, IP addresses for the operators, phone model, android version, operator payment logs” all listed. There are at least 10,000 devices being tracked, though Maia does admit that many of them “seem to have never sent any activity updates”.
Maia also observes that the leak has implications not only for the questionable ethics of using such spyware but also on the regulatory side.
“In this specific case, it’s not even possible for [Let Me Spy] to inform targets, since the app has no functionality to talk to targets/notify them as well as no self-update mechanism,” Maia writes on her blog.
“At best, the company can inform operators of this breach, and even that is doubtful. What’s going to be interesting in this specific case is where the GDPR liability lies, is it on LMS or on the operators to inform victims? If we’re lucky, this could already be enough to bring them down.”
The company itself has posted a notice about the breach, stating that the incident occurred on 21 June and that Polish law enforcement and the Office for Personal Data Protection have been informed.
“In order to ensure security, all account-related functions of the website were disabled immediately after the incident was discovered,” the notice read. “They will be restored after the vulnerability exploited by the attackers is removed. Additional measures will also be taken to increase the level of data security.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.