{"id":34316,"date":"2023-08-26T20:00:12","date_gmt":"2023-08-26T20:00:12","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/08\/26\/a-brazilian-phone-spyware-was-hacked-and-victims-devices-deleted-from-server-techcrunch\/"},"modified":"2023-08-26T20:00:12","modified_gmt":"2023-08-26T20:00:12","slug":"a-brazilian-phone-spyware-was-hacked-and-victims-devices-deleted-from-server-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/08\/26\/a-brazilian-phone-spyware-was-hacked-and-victims-devices-deleted-from-server-techcrunch\/","title":{"rendered":"A Brazilian phone spyware was hacked and victims\u2019 devices &#8216;deleted&#8217; from server | TechCrunch"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\"><span class=\"featured__span-first-words\">A Portuguese-language spyware<\/span> called WebDetetive has been used to compromise more than 76,000 Android phones in recent years across South America, largely in Brazil. WebDetetive is also the latest phone spyware company in recent months to have been hacked.<\/p>\n<p>In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive\u2019s servers and access its user databases. By exploiting other flaws in the spyware maker\u2019s web dashboard \u2014 used by abusers to access the stolen phone data of their victims \u2014 the hackers said they enumerated and downloaded every dashboard record, including every customer\u2019s email address.<\/p>\n<p>The hackers said that dashboard access also allowed them to delete victim devices from the spyware network altogether, effectively severing the connection at the server level to prevent the device from uploading new data. \u201cWhich we definitely did. Because we could.
Because #fuckstalkerware,\u201d the hackers wrote in the note.<\/p>\n<p>The note was included in a cache containing more than 1.5 gigabytes of data scraped from the spyware\u2019s web dashboard. That data included information about each customer, such as the IP address they logged in from, and purchase history. The data also listed every device that each customer had compromised, which version of the spyware the phone was running, and the types of data that the spyware was collecting from the victim\u2019s phone.<\/p>\n<p>The cache did not include the stolen contents from victims\u2019 phones.<\/p>\n<p><a href=\"https:\/\/ddosecrets.com\/wiki\/Distributed_Denial_of_Secrets\" target=\"_blank\" rel=\"noopener\">DDoSecrets<\/a>, a nonprofit transparency collective that indexes leaked and exposed datasets in the public interest, received the WebDetetive data and shared it with TechCrunch for analysis.<\/p>\n<p>In total, the data showed that WebDetetive had compromised 76,794 devices to date at the time of the breach. The data also contained 74,336 unique customer email addresses, though WebDetetive does not verify a customer\u2019s email address when signing up, preventing any meaningful analysis of the spyware\u2019s customers.<\/p>\n<p>It\u2019s not known who is behind the WebDetetive breach and the hackers did not provide contact information. TechCrunch could not independently confirm the hackers\u2019 claim that they deleted victims\u2019 devices from the network, though TechCrunch did verify the authenticity of the stolen data by matching a selection of device identifiers in the cache against a publicly accessible endpoint on WebDetetive\u2019s server.<\/p>\n<p>WebDetetive is a type of phone monitoring app that is planted on a person\u2019s phone without their consent, often by someone with knowledge of the phone\u2019s passcode.<\/p>\n<p>Once planted, the app changes its icon on the phone\u2019s home screen, making the spyware difficult to detect and remove. 
WebDetetive then immediately begins stealthily uploading the contents of a person\u2019s phone to its servers, including their messages, call logs, phone call recordings, photos, ambient recordings from the phone\u2019s microphone, social media apps, and real-time precise location data.<\/p>\n<p>Despite the broad access that these so-called \u201cstalkerware\u201d (or spouseware) apps have to a victim\u2019s personal and sensitive phone data, spyware is notoriously buggy and known for its shoddy coding, which puts victims\u2019 already-stolen data at risk of further compromise.<\/p>\n<h2>WebDetetive, meet OwnSpy<\/h2>\n<p>Little is known about WebDetetive beyond its surveillance capabilities. It\u2019s not uncommon for spyware makers to conceal or obfuscate their real-world identities, given the reputational and legal risks that come with producing spyware and facilitating the illegal surveillance of others. WebDetetive is no different. Its website does not list who owns or operates WebDetetive.<\/p>\n<p>But while the breached data itself reveals few clues about WebDetetive\u2019s administrators, much of its roots can be traced back to OwnSpy, another widely used phone spying app.<\/p>\n<p>TechCrunch downloaded the WebDetetive Android app from its website (since both Apple and Google ban stalkerware apps from their app stores), and planted the app onto a virtual device, allowing us to analyze the app in an isolated sandbox without giving it any real data, such as our location. We ran a network traffic analysis to understand what data was flowing in and out of the WebDetetive app, which found it was a largely repackaged copy of OwnSpy\u2019s spyware. 
WebDetetive\u2019s user agent, which it sends to the server to identify itself, was still referring to itself as OwnSpy, even though it was uploading our virtual device\u2019s dummy data to WebDetetive\u2019s servers.<\/p>\n<div id=\"attachment_2590831\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><\/p>\n<p id=\"caption-attachment-2590831\" class=\"wp-caption-text\">A side-by-side photo comparison of WebDetetive (left) and OwnSpy (right) running on Android. <strong>Image Credits:<\/strong> TechCrunch<\/p>\n<\/div>\n<p>OwnSpy is developed in Spain by<a href=\"https:\/\/web.archive.org\/web\/20230826140707\/https:\/\/mobileinnova.com\/index.php\/en\/index.html\" target=\"_blank\" rel=\"noopener\"> Mobile Innovations<\/a>, a Madrid-based company run by Antonio Calatrava. OwnSpy has operated since at least 2010, according to its website, and claims to have 50,000 customers, though it\u2019s not known how many devices OwnSpy has compromised to date.<\/p>\n<p>OwnSpy also operates an affiliate model, allowing others to make a commission by promoting the app or offering \u201ca new product to your clients\u201d in return for OwnSpy taking a cut of the profits, according to<a href=\"https:\/\/web.archive.org\/web\/20221211060006\/https:\/\/affiliate.ownspy.com\/\" target=\"_blank\" rel=\"noopener\"> an archived copy<\/a> of its affiliates website. It\u2019s not clear what other operational links, if any, exist between OwnSpy and WebDetetive. Calatrava did not return a request for comment or provide contact information for WebDetetive\u2019s administrators.<\/p>\n<p>A short time after we emailed Calatrava, portions of OwnSpy\u2019s known infrastructure dropped offline. A separate network traffic analysis of OwnSpy\u2019s app by TechCrunch found that OwnSpy\u2019s spyware app was no longer functioning. 
WebDetetive\u2019s app continues to function.<\/p>\n<h2>Destructive attack?<\/h2>\n<p>WebDetetive is the second spyware maker to be targeted by a data-destructive hack in recent months. LetMeSpy, a spyware app developed by Polish developer Rafal Lidwin,<a href=\"https:\/\/techcrunch.com\/2023\/08\/05\/letmespy-spyware-shuts-down-wiped-server\/\" target=\"_blank\" rel=\"noopener\"> shut down<\/a> following a hack that exposed and<a href=\"https:\/\/techcrunch.com\/2023\/06\/27\/letmespy-hacked-spyware-thousands\/\" target=\"_blank\" rel=\"noopener\"> deleted victims\u2019 stolen phone data from LetMeSpy\u2019s servers<\/a>. Lidwin declined to answer questions about the incident.<\/p>\n<p>By TechCrunch\u2019s count, at least<a href=\"https:\/\/mastodon.social\/@zackwhittaker\/110617264581957530\" target=\"_blank\" rel=\"noopener\"> a dozen spyware companies<\/a> in recent years have exposed, spilled, or otherwise put victims\u2019 stolen phone data at risk of further compromise because of shoddy coding and easily exploitable security vulnerabilities.<\/p>\n<p>TechCrunch was unable to reach the WebDetetive administrators for comment. An email sent to WebDetetive\u2019s support email address about the data breach \u2014 including whether the spyware maker has backups \u2014 went unreturned. It\u2019s not clear if the spyware maker will notify customers or victims of the data breach, or if it still has the data or records to do so.<\/p>\n<p>Destructive attacks, although infrequent, could have unintended and dangerous consequences for victims of spyware. Spyware typically alerts the abuser if the spyware app stops working or is removed from a victim\u2019s phone, and severing a connection without a safety plan in place could put spyware victims in an unsafe situation. 
The<a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noopener\"> Coalition Against Stalkerware<\/a>, which works to support victims and survivors of stalkerware, has resources on its website for those who suspect their phone is compromised.<\/p>\n<h2>How to find and remove WebDetetive<\/h2>\n<p>Unlike most phone monitoring apps, WebDetetive and OwnSpy do not hide their app on an Android home screen, but instead disguise themselves as an Android system Wi-Fi app.<\/p>\n<p>WebDetetive is relatively easy to detect. The app appears under the name \u201cWiFi\u201d and features a white wireless icon in a blue circle on a white background.<\/p>\n<div id=\"attachment_2590826\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-2590826\" decoding=\"async\" class=\"breakout size-full wp-image-2590826\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg\" alt=\"A screenshot showing the &quot;WiFi&quot; app, which presents as a system Wi-Fi app. However, this app is spyware in disguise. 
The app icon has a blue wireless icon.\" width=\"880\" height=\"587\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg 880w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg?resize=150,100 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg?resize=300,200 300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg?resize=768,512 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg?resize=680,454 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-1-4-wifi.jpeg?resize=50,33 50w\" sizes=\"auto, (max-width: 880px) 100vw, 880px\"\/><\/p>\n<p id=\"caption-attachment-2590826\" class=\"wp-caption-text\">A screenshot showing the \u201cWiFi\u201d app, which presents as a system Wi-Fi app. However, this app is spyware in disguise.\u00a0<strong>Image Credits:\u00a0<\/strong>TechCrunch<\/p>\n<\/div>\n<p>When tapped and held, and the app info is viewed, the app is actually called \u201cSistema.\u201d<\/p>\n<div id=\"attachment_2590827\" style=\"width: 890px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-2590827\" decoding=\"async\" class=\"breakout wp-image-2590827 size-full\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg\" alt=\"This &quot;WiFi&quot; app icon, when tapped, will actually show as an app called &quot;Sistema,&quot; designed to look like an Android system app, but is actually WebDetetive spyware.\" width=\"880\" height=\"316\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg 880w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg?resize=150,54 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg?resize=300,108 
300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg?resize=768,276 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg?resize=680,244 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2023\/08\/webdetetive-apps-uninstall.jpeg?resize=50,18 50w\" sizes=\"auto, (max-width: 880px) 100vw, 880px\"\/><\/p>\n<p id=\"caption-attachment-2590827\" class=\"wp-caption-text\">This \u201cWiFi\u201d app icon, when tapped, will actually show as an app called \u201cSistema,\u201d designed to look like an Android system app, but is actually WebDetetive spyware. <strong>Image Credits:<\/strong> TechCrunch<\/p>\n<\/div>\n<p>We have a <a href=\"https:\/\/techcrunch.com\/2022\/02\/22\/remove-android-spyware\/\" target=\"_blank\" rel=\"noopener\">general guide<\/a> that can help you remove Android spyware from your phone, if it is safe to do so. You should ensure that <a href=\"https:\/\/support.google.com\/googleplay\/answer\/2812853?hl=en\" target=\"_blank\" rel=\"noopener\">Google Play Protect is switched on<\/a> as this on-device security feature can defend against malicious Android apps. You can check its status from the settings menu in Google Play.<\/p>\n<hr\/>\n<p><em>If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24\/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. 
The <a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noopener\">Coalition Against Stalkerware<\/a> also has resources if you think your phone has been compromised by spyware.<\/em><\/p>\n<\/p><\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2023\/08\/26\/brazil-webdetetive-spyware-deleted\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Portuguese-language spyware called WebDetetive has been used to compromise more than 76,000 Android phones in recent years across South America, largely in Brazil. WebDetetive is also the latest phone spyware company in recent months to have been hacked. In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":34317,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-34316","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/34316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=34316"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/34316\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/34317"}],"wp:at
tachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=34316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=34316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=34316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}