{"id":155759,"date":"2025-03-13T19:05:00","date_gmt":"2025-03-13T19:05:00","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/03\/13\/amazon-is-still-hosting-stalkerware-victims-data-weeks-after-breach-alert-techcrunch\/"},"modified":"2025-03-13T19:05:00","modified_gmt":"2025-03-13T19:05:00","slug":"amazon-is-still-hosting-stalkerware-victims-data-weeks-after-breach-alert-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/03\/13\/amazon-is-still-hosting-stalkerware-victims-data-weeks-after-breach-alert-techcrunch\/","title":{"rendered":"Amazon is still hosting stalkerware victims&#8217; data weeks after breach alert | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Amazon will not say if it plans to take action against three phone surveillance apps that are storing troves of individuals\u2019 private phone data on Amazon\u2019s cloud servers, despite TechCrunch notifying the tech giant weeks earlier that it was hosting the stolen phone data.<\/p>\n<p class=\"wp-block-paragraph\">Amazon told TechCrunch it was \u201cfollowing [its] process\u201d after our February notice, but as of the time of this article\u2019s publication, the <a href=\"https:\/\/techcrunch.com\/2025\/01\/31\/techcrunch-reference-guide-to-security-terminology\/#stalkerware\" target=\"_blank\" rel=\"noreferrer noopener\">stalkerware<\/a> operations Cocospy, Spyic, and Spyzie continue to upload and store photos exfiltrated from people\u2019s phones on Amazon Web Services.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcrunch.com\/2025\/02\/20\/stalkerware-apps-cocospy-spyic-exposing-phone-data-of-millions-of-people\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cocospy, Spyic<\/a>, and <a href=\"https:\/\/techcrunch.com\/2025\/02\/27\/spyzie-stalkerware-spying-on-thousands-of-android-and-iphone-users\/\" target=\"_blank\" 
rel=\"noopener\">Spyzie<\/a> are three near-identical Android apps that share the same source code and a common security bug, according to a security researcher who discovered it, and provided details to TechCrunch. The researcher revealed that the operations exposed the phone data on a collective 3.1 million people, many of whom are victims with no idea that their devices have been compromised. The researcher shared the data with breach notification site <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Have I Been Pwned<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">As part of our investigation into the stalkerware operations, which included analyzing the apps themselves, TechCrunch found that some of the contents of a device compromised by the stalkerware apps are being uploaded to storage servers run by Amazon Web Services, or AWS.<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch notified Amazon on February 20 by email that it is hosting data exfiltrated by Cocospy and Spyic, and again earlier this week when we notified Amazon it was also hosting stolen phone data exfiltrated by Spyzie.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In both emails, TechCrunch included the name of each specific Amazon-hosted storage \u201cbucket\u201d that contains data taken from victims\u2019 phones.<\/p>\n<p class=\"wp-block-paragraph\">In response, Amazon spokesperson Ryan Walsh told TechCrunch: \u201cAWS has clear terms that require our customers to use our services in compliance with applicable laws. 
When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content.\u201d Walsh provided a link to an Amazon web page hosting an abuse reporting form, but would not comment on the status of the Amazon servers used by the apps.<\/p>\n<p class=\"wp-block-paragraph\">In a follow-up email this week, TechCrunch referenced the earlier February 20 email that included the Amazon-hosted storage bucket names.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In response, Walsh thanked TechCrunch for \u201cbringing this to our attention,\u201d and provided another link to Amazon\u2019s report abuse form. When asked again if Amazon plans to take action against the buckets, Walsh replied: \u201cWe haven\u2019t yet received an abuse report from TechCrunch via the link we provided earlier.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Amazon spokesperson Casey McGee, who was copied on the email thread, claimed it would be \u201cinaccurate of TechCrunch to characterize the substance of this thread as a [sic] constituting a \u2018report\u2019 of any potential abuse.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Amazon Web Services, which has a commercial interest in retaining paying customers, made $39.8 billion in profit during 2024, per <a href=\"https:\/\/ir.aboutamazon.com\/news-release\/news-release-details\/2025\/Amazon.com-Announces-Fourth-Quarter-Results\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">the company\u2019s 2024 full-year earnings<\/a>, representing a majority share of Amazon\u2019s total annual income.<\/p>\n<p class=\"wp-block-paragraph\">The storage buckets used by Cocospy, Spyic, and Spyzie, are still active as of the time of publication.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-why-this-matters\">Why this matters<\/h2>\n<p class=\"wp-block-paragraph\">Amazon\u2019s own <a href=\"https:\/\/aws.amazon.com\/aup\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">acceptable use 
policy<\/a> broadly spells out what the company allows customers to host on its platform. Amazon does not appear to dispute that it disallows spyware and stalkerware operations from uploading data to its platform. Instead, Amazon\u2019s dispute appears to be entirely procedural.<\/p>\n<p class=\"wp-block-paragraph\">It\u2019s not a journalist\u2019s job \u2014 or anyone else\u2019s \u2014 to police what is hosted on Amazon\u2019s platform, or the cloud platform of any other company.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Amazon has huge resources, both financial and technological, with which to enforce its own policies by ensuring that bad actors are not abusing its service.<\/p>\n<p class=\"wp-block-paragraph\">In the end, TechCrunch provided notice to Amazon, including information that directly points to the locations of the troves of stolen private phone data. Amazon made a choice not to act on the information it received.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-we-found-victims-data-hosted-on-amazon\">How we found victims\u2019 data hosted on Amazon<\/h2>\n<p class=\"wp-block-paragraph\">When TechCrunch learns of a surveillance-related data breach \u2014 <a href=\"https:\/\/techcrunch.com\/2025\/02\/20\/hacked-leaked-exposed-why-you-should-stop-using-stalkerware-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">there have been dozens of stalkerware hacks and leaks in recent years<\/a> \u2014 we investigate to learn as much about the operations as possible.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Our investigations can <a href=\"https:\/\/techcrunch.com\/2022\/08\/17\/thetruthspy-spyware-lookup-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">help to identify victims whose phones were hacked<\/a>, but can also reveal the oft-hidden real-world identities of the surveillance operators themselves, as well as which platforms are used to facilitate the surveillance or host the victims\u2019 stolen data. 
TechCrunch will also analyze the apps (where available) to help victims <a href=\"https:\/\/techcrunch.com\/2025\/02\/20\/remove-android-spyware\/\" target=\"_blank\" rel=\"noreferrer noopener\">determine how to identify and remove the apps<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">As part of our reporting process, TechCrunch will reach out to any company we identify as hosting or supporting spyware and stalkerware operations, as is standard practice for reporters who plan to mention a company in a story. It is also not uncommon for companies, such as <a href=\"https:\/\/techcrunch.com\/2024\/02\/12\/new-thetruthspy-stalkerware-victims-is-your-android-device-compromised\/\" target=\"_blank\" rel=\"noreferrer noopener\">web hosts and payment processors<\/a>, to suspend accounts or remove data that <a href=\"https:\/\/techcrunch.com\/2023\/10\/05\/spyhide-oospy-hacked-phone-spyware-shuts-down\/\" target=\"_blank\" rel=\"noopener\">violate their own terms of service<\/a>, including <a href=\"https:\/\/techcrunch.com\/2023\/10\/05\/spyhide-oospy-hacked-phone-spyware-shuts-down\/\" target=\"_blank\" rel=\"noreferrer noopener\">previous spyware operations that have been hosted on Amazon<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">In February, TechCrunch learned that Cocospy and Spyic had been breached and we set out to investigate further.<\/p>\n<p class=\"wp-block-paragraph\">Since the data showed that the majority of victims were Android device owners, TechCrunch started by identifying, downloading, and installing the Cocospy and Spyic apps on a virtual Android device. (A virtual device allows us to run the stalkerware apps in a protected sandbox without giving either app any real-world data, such as our location.) 
Both Cocospy and Spyic appeared as identical-looking and nondescript apps named \u201cSystem Service\u201d that try to evade detection by blending in with Android\u2019s built-in apps.<\/p>\n<p class=\"wp-block-paragraph\">We used a network traffic analysis tool to inspect the data flowing in and out of the apps, which can help to understand how each app works and to determine what phone data is being stealthily uploaded from our test device.<\/p>\n<p class=\"wp-block-paragraph\">The web traffic showed the two stalkerware apps were uploading some victims\u2019 data, like photos, to their namesake storage buckets hosted on Amazon Web Services.\u00a0<\/p>\n<figure class=\"wp-block-image alignwide size-full\"><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">A screenshot of a photo, hosted on Amazon Web Services, which was uploaded via a virtual Android device deliberately compromised with Cocospy stalkerware during a TechCrunch investigation\u00a0<\/span><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong>TechCrunch<\/span><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">We confirmed this further by logging into the Cocospy and Spyic user dashboards, which allow the people who plant the stalkerware apps to view the target\u2019s stolen data. 
The web dashboards allowed us to access the contents of our virtual Android device\u2019s photo gallery once we had deliberately compromised our virtual device with the stalkerware apps.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When we opened the contents of our device\u2019s photo gallery from each app\u2019s web dashboard, the images loaded from web addresses containing their respective bucket names hosted on the <code>amazonaws.com<\/code> domain, which is run by Amazon Web Services.\u00a0<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcrunch.com\/2025\/02\/27\/spyzie-stalkerware-spying-on-thousands-of-android-and-iphone-users\/\" target=\"_blank\" rel=\"noreferrer noopener\">Following later news of Spyzie\u2019s data breach<\/a>, TechCrunch also analyzed Spyzie\u2019s Android app using a network analysis tool and found the traffic data to be identical to that of Cocospy and Spyic. The Spyzie app was similarly uploading victims\u2019 device data to its own namesake storage bucket on Amazon\u2019s cloud, which we alerted Amazon to on March 10.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p class=\"wp-block-paragraph\"><em>If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24\/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. 
The <\/em><a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><em>Coalition Against Stalkerware<\/em><\/a><em> has resources if you think your phone has been compromised by spyware.<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2025\/03\/13\/amazon-is-still-hosting-stalkerware-victims-data-weeks-after-breach-alert\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Amazon will not say if it plans to take action against three phone surveillance apps that are storing troves of individuals\u2019 private phone data on Amazon\u2019s cloud servers, despite TechCrunch notifying the tech giant weeks earlier that it was hosting the stolen phone data. Amazon told TechCrunch it was \u201cfollowing [its] process\u201d after our February [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":155760,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-155759","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/155759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=155759"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/155759\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"ht
tps:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/155760"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=155759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=155759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=155759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}