A year after it was banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.
A groundbreaking FTC order in 2021 banned the stalkerware app SpyFone, its parent company Support King, and its chief executive Scott Zuckerman from the surveillance industry. The order, unanimously approved by the regulator’s five sitting commissioners, also demanded that Support King delete the phone data it illegally collected and notify victims that its app was secretly installed on their device.
Stalkerware, or spouseware, are apps that are surreptitiously planted by someone with physical access to a person’s phone, often under the guise of family tracking or child monitoring, except that these apps are designed to stay hidden from home screens, all the while silently uploading the contents of a person’s phone, including their text messages, photos, browsing history, and granular location data.
But many stalkerware apps — like KidsGuard, TheTruthSpy and Xnspy — have security flaws that put hundreds of people’s private phone data at risk of further compromise.
That also includes SpyFone, whose unsecured cloud storage server spilled the personal data stolen from more than 2,000 victims’ phones, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering, distributing, promoting, or otherwise assisting in the sale of surveillance apps.
Since then, TechCrunch has received further tranches of data, including from the internal servers of a stalkerware app called SpyTrac, which is run by developers with ties to Support King.
Meet Aztec Labs
With more than 1.3 million compromised devices, SpyTrac is one of the largest known active Android stalkerware operations, surpassing the number of victims ensnared by TheTruthSpy more than threefold. Despite its vast international reach, U.S. visitors to SpyTrac’s website are blocked with an abrupt message stating that “your country is not supported.”
But SpyTrac is like any other stalkerware app, including its ability to stay hidden on a victim’s device. SpyTrac’s website also makes no mention of the individuals running the operation, likely to shield the developers from legal and reputational risks associated with running a stalkerware operation.
According to the data and other public records seen by TechCrunch, SpyTrac is controlled by developers who work for both Support King and an outfit of developers called Aztec Labs, which builds and maintains the SpyTrac stalkerware operation. Aztec Labs also maintains a near-identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”), and another clone stalkerware app called StealthX Pro, the data shows.
Some of the data found on SpyTrac’s server directly connects SpyTrac to Support King.
One of the server files contained a set of Amazon Web Services private keys that allow access to cloud storage associated with Support King and GovAssist, a website that claims to help immigrants obtain U.S. visas and permanent residency permits. The keys also allow access to cloud storage for OneClickMonitor, a clone stalkerware app that Support King shut down at the same time as SpyFone.
Each Support King and GovAssist are headed by chief government Scott Zuckerman.
When reached by email, Zuckerman told TechCrunch: “We are investigating your claims that SpyTrac internal data was storing AWS keys that may be associated with S3 buckets relating to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC Order.”

A redacted screenshot from a SpyTrac video, which references SpyFone, a Support King surveillance app banned by the FTC a year earlier. Image Credits: TechCrunch (screenshot)
Access logs seen by TechCrunch show at least two Aztec Labs developers logging in to SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both of the developers logged in from IP addresses registered to a Bosnian residential broadband provider using credentials associated with Aztec Labs, SpyTrac, and Support King email addresses.
One of the developers is Aztec Labs’ technical lead, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios list his work as a program manager at Support King, a role that he describes as “managing the entire IT team.”
According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers also work on Zuckerman’s latest venture, GovAssist.
The access logs also show a third developer logging in to SpyTrac’s servers, also from their home IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist email addresses.
In response, Zuckerman told TechCrunch: “Neither I, nor any of my businesses, are affiliated with Aztec Labs, SpyTrac, or [the technical lead, who] worked as an independent contractor for Support King between June 2019 and October 2021. Nor do we have access to SpyTrac’s servers.”
The SpyFone connection
SpyFone, the stalkerware app banned by the FTC in September 2021, no longer operates.
The internal SpyTrac data we have seen shows that SpyFone issued its last customer license just days before it was banned by the FTC. SpyFone’s domain name was sold to another phone surveillance maker, SpyPhone. Customers trying to log in to SpyFone’s web dashboard, used for accessing a victim’s stolen data, were redirected to SpyPhone’s website instead.
The FTC’s 2021 order also demanded that Support King delete the data it had illegally collected from SpyFone. But the internal SpyTrac data seen by TechCrunch still contains hundreds of records associated with SpyFone licenses assigned to the email addresses of buying customers.
Every SpyFone license was bought by a reseller with a Support King email address, the data showed.
SpyTrac also came to the attention of security researchers Vangelis Stykas and Felipe Solferini, whose months-long research identified common and easy-to-find security flaws in several stalkerware families, including SpyTrac. Their findings, which they presented at BSides London this month, involved decompiling the apps and mapping out their server infrastructure using public internet data. Their evidence links SpyTrac to Support King.
Zuckerman said in response: “Support King deleted all data in its servers associated with SpyFone and OneClickMonitor customers pursuant to the FTC Order.”
A short time after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a message saying the “product is temporarily not available.” The websites for SpyTrac’s clone stalkerware apps, StealthX Pro and its Spanish-language clone Espía Móvil, also went offline. Aztec Labs’ website also stopped loading.

A screenshot of the FTC notice on Support King’s website. Image Credits: TechCrunch (screenshot)
Stalkerware is a difficult problem to combat. These operations are clandestine by design, making it difficult for regulators to investigate or know under whose jurisdiction they fall.
In 2020, the FTC took its first ever action against a stalkerware operator, Retina-X, which was hacked several times and later shut down. The FTC’s second action was against Support King a year later.
Companies that violate FTC orders can face considerable civil penalties. Earlier this year, Twitter was ordered to pay $150 million for violating an FTC order from 2011.
Instead, much of the effort against stalkerware and other commercial surveillance has been taken up by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results that promote stalkerware. Anti-malware vendors who are members of the Coalition Against Stalkerware, which launched in 2019 to support victims and survivors of stalkerware, collectively share signatures of known stalkerware apps and networks to block them from working on their customers’ phones.
A former FTC attorney, who reviewed our findings ahead of publication, told TechCrunch that the evidence points to a potential breach of the FTC’s ban. Whether Support King broke its agreement with the FTC will ultimately be for the agency to decide.
When reached, a spokesperson for the FTC declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.