Xnspy stalkerware has stolen data from thousands of users

More than 10,000 unique iCloud email addresses and passwords were breached, including 6,000 authentication tokens

Tens of thousands of iPhones and Android devices had their data stolen by a phone spy application called Xnspy. Most of the users are unaware that their information has been compromised. Xnspy advertised itself as a tool for spying on a spouse’s or domestic partner’s gadgets without their consent. It is one of many ‘stalkerware’ programmes being sold under the pretence of helping parents keep tabs on their children’s activities.

Stalkerware apps, also known as spouseware, are covertly installed by someone with physical access to a person’s phone, circumventing the on-device security safeguards. They are particularly hard to spot because they are made to remain hidden from screens. Once these apps are installed, the contents of a person’s phone, including call history, text messages, images, browser history, and precise location information, are silently and continuously uploaded, giving the person who planted the programme access to almost all of their victim’s data.

Many stalkerware programmes have serious security holes that expose the information taken from victims’ phones. Several well-known stalkerware apps were decompiled by security researchers Vangelis Stykas and Felipe Solferini. Their analysis, presented at BSides London, found widespread and simple security weaknesses, such as passwords and private keys left in the code by the developer and inefficient or nonexistent encryption, across a number of stalkerware families, including Xnspy.

At least 60,000 people have been victims of Xnspy since 2014, with thousands more intrusions detected as recently as 2022. The majority of victims are Android smartphone owners, but Xnspy also has information on thousands of iPhones.

Many stalkerware programmes are developed for Android smartphones because it is easier to install malicious software on an Android device than an iPhone. Instead of installing a malicious programme, stalkerware for iPhones accesses a device’s backup stored in Apple’s cloud storage service, iCloud.

By using the victim’s iCloud credentials, the stalkerware frequently downloads the device’s most recent iCloud backup from Apple’s servers without the owner’s knowledge. Since iCloud backups include the majority of a person’s device data, stalkerware can steal messages, photos, and other information. Hackers find it much more challenging to gain access to a user’s online account when two-factor authentication is enabled.

TheTruthSpy, Family Orbit, KidsGuard, Mobistealth, and Flexispy are just a handful of the many stalkerware programmes that have recently compromised or exposed data of their victims.
