
According to a security expert, a significant security flaw in two phone-monitoring applications is putting the private information of millions of unsuspecting users at risk.
This vulnerability allows unauthorized individuals to access sensitive data such as messages, images, and call logs from any smartphone or tablet that is compromised by Cocospy and Spyic—two distinct mobile tracking applications that utilize similar underlying source code. The issue also reveals the email addresses of those who have registered with Cocospy and Spyic with the intent to secretly monitor someone’s device.
Like many spyware programs, Cocospy and Spyic are designed to remain hidden on targeted devices while continuously transmitting users’ data to a dashboard accessible by the individual who installed the software. As a result of this stealthy nature, many phone owners might be completely unaware that their devices have been infiltrated.
As of the time of publication, neither Cocospy nor Spyic has responded to TechCrunch’s inquiries regarding this issue, nor have they remedied the flaw.
The vulnerability is relatively straightforward to exploit. To avoid assisting malicious actors, TechCrunch is withholding specific details about the flaw that could lead to further exposure of the private data of individuals affected by these apps.
The researcher who uncovered this vulnerability informed TechCrunch that it enables anyone to access the email addresses of users registered with either of the phone-monitoring applications.
By exploiting this flaw, the researcher extracted a total of 1.81 million email addresses linked to Cocospy and 880,167 associated with Spyic. This information was then shared with Troy Hunt, the creator of the data breach notification service Have I Been Pwned.
Hunt told TechCrunch that he loaded a combined 2.65 million unique email addresses from Cocospy and Spyic into Have I Been Pwned after eliminating duplicates. In line with the platform’s policy, the breach is designated as “sensitive,” which means only individuals with affected email addresses can search to see if their information is included.
Cocospy and Spyic are the latest entries in a lengthy list of surveillance products that have faced security issues recently, often due to software flaws or inadequate security measures. By TechCrunch’s ongoing tally, Cocospy and Spyic are now among the 23 known surveillance operations since 2017 that have been hacked or otherwise compromised, exposing sensitive data.
These phone-monitoring applications, typically marketed as parental control or employee monitoring solutions, are frequently referred to as stalkerware, as some promote the applications as tools for spying on a partner without their consent, which is illegal. Even apps not explicitly marketed for harmful use are often utilized for similarly unlawful purposes by customers.
Stalkerware applications are prohibited from mainstream app stores and are generally downloaded directly from the provider, necessitating physical access to a user’s Android device for installation. For iPhones and iPads, stalkerware can access stored data in Apple’s iCloud, requiring the use of compromised Apple account credentials.
Link to China in Stalkerware Operations
Details about the operators behind Cocospy and Spyic remain scarce, reflecting the tendency of stalkerware developers to avoid public scrutiny due to the associated reputational and legal challenges.
Cocospy and Spyic were established in 2018 and 2019, respectively. Based on user registration numbers, Cocospy is among the largest known stalkerware services currently operating.
Security analysts Vangelis Stykas and Felipe Solferini discovered connections linking Cocospy and Spyic to 711.icu, a mobile app development entity based in China, whose website is currently down.
This week, TechCrunch tested both the Cocospy and Spyic applications on a virtual device, which provides a secure environment that prevents the spyware from accessing any real user data, such as physical location. The apps camouflage themselves as a nondescript “System Service” app on Android, attempting to evade detection by blending in with system applications.
Through traffic analysis, we monitored the data exchanged by the apps to learn about their functioning, data transfers, and server locations.
Our findings indicated that the apps transmitted data from the virtual device through Cloudflare, a network security provider that conceals the actual location of the spyware operations. Nonetheless, the analysis indicated that certain victims’ data, including images, were uploaded to a cloud storage server on Amazon Web Services.
As of now, neither Amazon nor Cloudflare has responded to inquiries from TechCrunch regarding the stalkerware operations.
Furthermore, our analysis revealed that the server periodically generated status or error messages in Chinese, indicating a development origin linked to China.
Steps to Remove Stalkerware
The email addresses harvested from Cocospy and Spyic could enable anyone who installed these applications to check whether their own data, and their victim’s information, is compromised. However, the scraped data does not contain enough identifying information to notify the individuals whose devices are compromised.
There are steps users can take to verify if their phones are infected with Cocospy and Spyic. As is common with stalkerware, these applications usually depend on users intentionally lowering the security settings on Android devices to enable installation—or for iPhones, accessing an Apple account with knowledge of login credentials.
Despite attempts by Cocospy and Spyic to appear as a generic “System Service” app, there are methods to detect their presence.
If you suspect these applications have been installed, typing ✱✱001✱✱ on your Android device’s keypad and pressing “call” can bring the stalkerware apps up on your screen, assuming they are present. This feature, designed for the installer’s access, can also help victims check for the app’s existence.
Users can also navigate to the apps menu in the Android Settings to see all installed applications, even if any stalking applications are hidden from view.

TechCrunch has a detailed guide for removing Android spyware that may assist you in identifying and eliminating common types of stalkerware. It’s important to have a safety plan ready, as disabling spyware could alert the person who installed it.
For Android users, activating Google Play Protect is an effective measure to guard against harmful Android applications, including stalkerware. Ensure it is enabled through Google Play’s settings if presently disabled.
If you’re using an iPhone or iPad and suspect possible compromise, verify that your Apple account has a robust and unique password (ideally stored in a password manager) and that two-factor authentication is turned on. Additionally, review and remove any unfamiliar devices from your account.
For anyone in need of assistance, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 free and confidential support for victims of domestic violence and abuse. In case of emergency, please dial 911. The Coalition Against Stalkerware has vital resources for those suspecting their phones have been compromised by spyware.
Contact Zack Whittaker confidentially on Signal and WhatsApp at +1 646-755-8849. You can also securely share documents with TechCrunch via SecureDrop.
