\n<\/p>\n
A little-known phone surveillance operation called Spyzie has compromised more than half a million Android devices and thousands of iPhones and iPads, according to data shared by a security researcher.\u00a0<\/p>\n
Most of the affected device owners, who are unknown, are likely unaware that their phone data has been compromised.<\/p>\n
The security researcher told TechCrunch that Spyzie is vulnerable to the same bug as Cocospy and Spyic<\/a>, two near-identical but differently branded stalkerware<\/a> apps that share the same source code and exposed the data of more than 2 million people, as we reported last week. The bug allows anyone to access the phone data, including messages, photos, and location data, exfiltrated from any device compromised by the three apps.<\/p>\n The bug also exposes the email addresses of each customer who signed up to Spyzie to compromise someone else\u2019s device, the researcher said.<\/p>\n The researcher exploited the bug to collect 518,643 unique email addresses of Spyzie customers and provided the cache of email addresses to TechCrunch and to Troy Hunt, who operates the Have I Been Pwned<\/a> data breach notification site.\u00a0<\/p>\n This latest leak shows how increasingly prevalent consumer phone surveillance apps have become among civil society, even from little-known operations like Spyzie, which barely have any online presence and are largely banned by Google from running ads in search results<\/a>, and yet have amassed thousands of paying customers.\u00a0<\/p>\n Collectively, Cocospy, Spyic, and Spyzie are used by more than 3 million customers.<\/p>\n The leak also shows that flaws in stalkerware apps are increasingly common and put both the customer and victims\u2019 data at risk. Even in the case of parents who want to use these apps to monitor their children, which is legal, they are putting their kids\u2019 data at risk of hackers.\u00a0<\/p>\n By our count, Spyzie is now the 24th stalkerware operation<\/a> since 2017 to have been hacked or otherwise leaked or exposed its victims\u2019 highly sensitive data because of shoddy security.\u00a0<\/p>\n Spyzie\u2019s operators have not returned TechCrunch\u2019s request for comment. At the time of writing, the bug has yet to be fixed.<\/p>\n Apps like Spyzie, or Cocospy and Spyic, are designed to stay hidden from home screens, making the apps difficult to identify by their victims. All the while, the apps continually upload the contents of the victim\u2019s device to the spyware\u2019s servers and are accessible to the person who planted the app.<\/p>\n A copy of the data shared by the security researcher with TechCrunch shows that the vast majority of affected Spyzie victims are Android device owners, whose phones have to be physically accessed to plant the Spyzie app, usually by someone with knowledge of the person\u2019s device passcode.\u00a0<\/p>\n This is one of the reasons why these apps are typically used in the context of abusive relationships, where people often know their romantic partner\u2019s phone passcode.<\/p>\n The data also shows Spyzie has been used to compromise at least 4,900 iPhones and iPads.<\/p>\n Apple has stricter rules about which apps can run on iPhones and iPads, so stalkerware usually taps into a victim\u2019s device data stored in Apple\u2019s cloud storage service iCloud by using the victim\u2019s Apple account credentials, rather than on the device itself.\u00a0<\/p>\n Some of the earliest compromised Apple device owners date back to early to late February 2020 and as recently as July 2024, the leaked Spyzie records show.\u00a0<\/p>\n As with Cocospy and Spyic, it was not possible to identify individual victims of Spyzie\u2019s surveillance from the scraped data.\u00a0<\/p>\n But there are things you can do to see if your phone was compromised by Spyzie.<\/p>\n For Android users: <\/strong>Even if Spyzie is hidden from view, you can usually dial \u2731\u2731001<\/strong>\u2731\u2731 into your Android phone app\u2019s keypad and then hit the call button. If Spyzie is installed, it should appear on your screen.<\/p>\n This is a backdoor feature built into the app that allows the person who planted the app on the victim\u2019s phone to regain access. In this case, it can also be used by the victim to see if the app is installed.<\/p>\n TechCrunch has a general Android spyware removal guide<\/a> that can help you identify and remove common types of phone stalkerware and switch on the settings to secure your Android device.\u00a0<\/p>\n You should also have a safety plan in place<\/a>, as switching off spyware can alert the person who planted it.<\/p>\n For iPhone and iPad users:<\/strong> Spyzie relies on using the victim\u2019s Apple Account username and password to access the data stored in their iCloud account. You should ensure your Apple Account uses two-factor authentication<\/a>, which is a vital protection against account hacks and a primary way for stalkerware to target your data. You should also check and remove any devices from your Apple Account that you don\u2019t recognize<\/a>.<\/p>\n If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24\/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The <\/em>Coalition Against Stalkerware<\/em><\/a> has resources if you think your phone has been compromised by spyware.<\/em><\/p>\n<\/div>\nPlanted Android apps and stolen Apple credentials<\/strong><\/h2>\n
How to remove\u00a0Spyzie stalkerware<\/strong><\/h2>\n
\n