Spyware Vendor Hacked

A Brazilian spyware app vendor was hacked by activists:

In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive’s servers and access its user databases. By exploiting other flaws in the spyware maker’s web dashboard—used by abusers to access the stolen phone data of their victims—the hackers said they enumerated and downloaded every dashboard record, including every customer’s email address.

The hackers said that dashboard access also allowed them to delete victim devices from the spyware network altogether, effectively severing the connection at the server level to prevent the device from uploading new data. “Which we definitely did. Because we could. Because #fuckstalkerware,” the hackers wrote in the note.

The note was included in a cache containing more than 1.5 gigabytes of data scraped from the spyware’s web dashboard. That data included information about each customer, such as the IP address they logged in from and their purchase history. The data also listed every device that each customer had compromised, which version of the spyware the phone was running, and the types of data that the spyware was collecting from the victim’s phone.

Posted on September 1, 2023 at 7:07 AM • 7 Comments

Comments

Ted September 1, 2023 1:12 PM

The types of data this app collects are INSANE.

… including their messages, call logs, phone call recordings, photos, ambient recordings from the phone’s microphone, social media apps, and real-time precise location data.

Bob September 1, 2023 1:32 PM

@Ted The types of data the app collects are totally sane when you consider the fact that it’s stalkerware. Predictable and unsurprising, even.

Ted September 1, 2023 1:50 PM

@Bob

Ay. It’s wild that Android allows features like “Google Play Protect” to be toggled off and on. That’s a lot of freedom to allow crazy apps like this. Is the default at least set to “on”?

lurker September 1, 2023 2:55 PM

@Ted
re insane types of data

Actually Google permits (encourages?) this. Google Play Services, which underpins the Play Store app and a number of other Google services, comes installed with all its default permissions ON. These include on a typical handset requiring access to:
Body sensors, Call logs, Camera, Contacts, Location, Microphone, Phone, SMS, Storage.

Google Play Store will still work with all those turned OFF, except you cannot download or install anything if you have no access to local storage. Sanitising a new Android handset is like plugging the holes in a sieve, one by one.

Bob September 1, 2023 3:03 PM

@Ted It’s always been on by default on my phones. Even when I set up Lineage years ago, it was on by default when I deployed the image with Google Play. It is actually possible to deploy Lineage without Google Play at all, let alone its Protect component.

Android gives users/vendors access to things that can be dangerous if used incorrectly. Always has.

vas pup September 2, 2023 4:22 PM

Former heads of Shin Bet, air force petition court against Pegasus spyware inquiry
https://www.timesofisrael.com/former-heads-of-shin-bet-air-force-petition-court-against-pegasus-spyware-inquiry/

“Former senior security officials petitioned the High Court of Justice on Wednesday against the government’s newly formed commission of inquiry into the use of spyware technology in criminal investigations, saying the probe could “damage security.”

Ex-Shin Bet head Nadav Argaman and former air force commander and Defense Ministry director general Amir Eshel petitioned alongside Black Robes Protest — a group of activist lawyers — asking the court to freeze and then cancel the inquiry, on the grounds that it represents “a conflict of interest, while completely ignoring the position of the security forces and the attorney general.”

=>Shin Bet and National Security Council officials previously cautioned the government that such an inquiry could leak operational secrets.

The court rejected a request for an interim injunction as it considers the petition.

Israel Police has also opposed the panel, saying it could create difficulties in the police’s ongoing fight against endemic organized crime in Arab communities, which is responsible for a deadly crimewave.”

My nickel: LEAs do need spyware. The problem is with legitimate usage/application (with court approval only) and personal harsh responsibility for usage outside legal framework, e.g. for spying on ex boyfriend/girlfriend.


Sidebar photo of Bruce Schneier by Joe MacInnis.