A consumer-grade spyware operation named TheTruthSpy is posing a persistent security and privacy threat to thousands of people with compromised Android devices, due to an unresolved security flaw in its mobile surveillance apps.
Recently, two hacking groups exploited a flaw that allows mass access to victims' stolen mobile device data directly from TheTruthSpy's servers.
According to a blog post by Switzerland-based hacker maia arson crimew, the groups SiegedSec and ByteMeCrew exploited the flaw in December 2023. crimew also disclosed additional security vulnerabilities found in TheTruthSpy's software stack.
SPYWARE LOOKUP TOOL
You can check to see if your Android phone or tablet was compromised here.
SiegedSec and ByteMeCrew confirmed that they will not publicly release the breached data, considering its sensitive nature.
maia arson crimew shared a portion of the breached TheTruthSpy data with TechCrunch for verification and analysis. The data contained the unique device IMEI numbers and advertising IDs of tens of thousands of recently compromised Android phones.
TechCrunch verified the authenticity of the new data by matching some of the IMEI numbers and advertising IDs against a list of previously known compromised devices. The overlap shows that TheTruthSpy continues to actively spy on large numbers of victims across various countries.
Furthermore, TechCrunch has added the latest unique identifiers — approximately 50,000 new Android devices — to a free spyware lookup tool, enabling individuals to check if their Android device was compromised by TheTruthSpy.
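The two steps described above (cross-checking a new dump against previously known victims, and answering a per-device "was I compromised?" query) reduce to normalizing identifiers and testing set membership. The following is an added example written for this page; it is not TechCrunch's lookup tool, whose implementation the article does not describe, and every identifier in it is a constructed test value. It assumes the dump rows carry an `imei` and/or a Google advertising ID (`ad_id`), validates the IMEI check digit so corrupted rows do not produce false matches, and stores only namespaced SHA-256 fingerprints so the lookup index does not itself republish raw victim identifiers.

```python
"""Identifier normalization and hashed lookup for a spyware-victim check.

Added example, not the lookup tool described on the page. Assumptions:
dump rows are dicts with optional 'imei' and 'ad_id' keys; IMEIs are
15 digits with a Luhn check digit; advertising IDs are UUID strings.
All sample identifiers below are constructed, not real victim data.
"""
import hashlib
import re

_AD_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_RESET_AD_ID = "00000000-0000-0000-0000-000000000000"  # user reset / opted out


def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string; an IMEI's 15th digit is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str):
    """Strip spaces/dashes, require 15 digits and a valid check digit; else None."""
    digits = re.sub(r"[\s-]", "", raw or "")
    if not (len(digits) == 15 and digits.isdigit() and luhn_valid(digits)):
        return None
    return digits


def normalize_ad_id(raw: str):
    """Lowercase UUID form; reject malformed values and the all-zero reset ID."""
    s = (raw or "").strip().lower()
    if not _AD_ID_RE.match(s) or s == _RESET_AD_ID:
        return None
    return s


def fingerprint(kind: str, value: str) -> str:
    """Namespaced SHA-256 of a normalized identifier.

    Caveat: the IMEI space is small enough to enumerate, so hashing hides raw
    values from casual readers of the index but is not a hard privacy guarantee.
    """
    return hashlib.sha256(f"{kind}:{value}".encode()).hexdigest()


def build_index(records):
    """Fingerprint every usable identifier in a dump; invalid rows are dropped."""
    index = set()
    for rec in records:
        imei = normalize_imei(rec.get("imei", ""))
        if imei:
            index.add(fingerprint("imei", imei))
        ad_id = normalize_ad_id(rec.get("ad_id", ""))
        if ad_id:
            index.add(fingerprint("adid", ad_id))
    return index


def check_device(index, imei=None, ad_id=None):
    """Per-device lookup: which of the supplied identifiers appear in the index."""
    hits = []
    n_imei = normalize_imei(imei) if imei else None
    if n_imei and fingerprint("imei", n_imei) in index:
        hits.append("imei")
    n_ad = normalize_ad_id(ad_id) if ad_id else None
    if n_ad and fingerprint("adid", n_ad) in index:
        hits.append("ad_id")
    return {"compromised": bool(hits), "matched_on": hits,
            "imei_valid": n_imei is not None, "ad_id_valid": n_ad is not None}


def overlap(new_records, known_index):
    """Verification step: (identifiers already known, usable identifiers in dump)."""
    new_index = build_index(new_records)
    return len(new_index & known_index), len(new_index)


# Constructed sample data: Luhn-valid IMEIs and made-up advertising IDs.
KNOWN_VICTIMS = [
    {"imei": "490154203237518", "ad_id": "38400000-8cf0-11bd-b23e-10b96e40000d"},
    {"imei": "356938035643809"},
]
NEW_DUMP = [
    {"imei": "49-015420-323751-8",                     # known device, new formatting
     "ad_id": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"},  # and a new ad ID for it
    {"imei": "490154203237519"},                        # bad check digit: dropped
    {"ad_id": _RESET_AD_ID},                            # reset ad ID: dropped
    {"imei": "353218067389321"},                        # genuinely new device
]

if __name__ == "__main__":
    known = build_index(KNOWN_VICTIMS)
    print("already-known / usable in new dump:", overlap(NEW_DUMP, known))
    print(check_device(known, imei="49 0154 2032 3751 8"))
```

A match here means only that the identifier appeared in the spyware's stolen data; a clean result for a device whose advertising ID has since been reset, or whose IMEI was mistyped, proves nothing, which is why the result also reports whether each supplied identifier was valid.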
Security bug in TheTruthSpy exposed victims’ device data
TheTruthSpy, once among the most prolific apps for secret mobile device surveillance, is one of a family of near-identical Android spyware apps designed to covertly track and monitor individuals without their knowledge.
However, despite touting its powerful surveillance capabilities, TheTruthSpy neglected the security of the data it stole.
An investigation by TechCrunch in February 2022 uncovered a vulnerability shared by TheTruthSpy and its clone apps that exposes victims' phone data stored on the spyware's servers. The bug, tracked as CVE-2022-0732, has continued to threaten the security of affected individuals.
Notably, the operators behind TheTruthSpy never fixed the bug, and because it is so simple to exploit, its eventual exploitation by hackers was all but inevitable.
TheTruthSpy linked to Vietnam-based startup, 1Byte
Earlier security lapses at TheTruthSpy had already exposed the real-world identities of the developers behind the operation, which were initially masked.
Notably, a Vietnam-based startup called 1Byte was identified as the parent company of TheTruthSpy, and the investigation uncovered illicit financial activity and false identities linked to the spyware's operations.
Following inquiries by TechCrunch, financial service providers and web hosting companies cut ties with TheTruthSpy and 1Byte, after which the spyware operation moved to servers in Moldova.
Despite these setbacks, TheTruthSpy remains a threat to the security and privacy of its victims, underscoring the need for continued vigilance and protection against such intrusive spyware.