Massive leaked data cache reveals Android ‘stalkerware’ app is secretly spying on thousands of Americans

A fleet of near-identical Android apps with enormous reach has been quietly spying on hundreds of thousands of people around the world, including thousands of Americans who have no idea that personal data, including text messages and call logs, has been secretly siphoned from their phones and tablets, according to an analysis of leaked data.

“The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others,” writes TechCrunch, which warns that the apps are installed on victims’ devices by someone they may know.

“These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden on their home screens but will continuously and silently upload the phone’s contents without the owner’s knowledge,” the outlet reports.

TechCrunch first reported on this widespread “consumer-grade spyware” in February, highlighting a “fleet of Android spyware apps” that share the same “security vulnerability,” one that lets “nefarious actors” reach the data of the people being monitored, whether the app was planted by a spouse suspecting infidelity or by a parent checking on a babysitter.

“Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term ‘stalkerware’ for its ability to track and monitor other people or spouses without their consent,” TechCrunch explained. “Stalkerware apps are installed surreptitiously by someone with physical access to a person’s phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner’s knowledge.”
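The two passages above describe the one property a device owner can check for: an app that is planted by hand and then hides from the home screen has no launcher icon. The script below is an added example (it is not code from the article or from TechCrunch) that compares the device's third-party package list against the packages that actually own a MAIN/LAUNCHER activity and reports the difference for manual review. It parses the output of two real `adb shell` commands, `pm list packages -3` and `cmd package query-activities`, but the sample outputs embedded here are constructed in those commands' format, and every package name in them is hypothetical.

```python
"""
Flag third-party Android packages with no launcher activity.

Added example, not from the TechCrunch report or the article it summarizes.
Stalkerware of the kind described hides from the home screen, which on Android
means the package exposes no MAIN/LAUNCHER activity. Diffing the third-party
package list against the launcher query yields a short review list.
The SAMPLE_* strings are CONSTRUCTED samples; package names are hypothetical.
"""
import re
import subprocess

# Constructed sample of `adb shell pm list packages -3` (third-party only).
SAMPLE_PACKAGES = """\
package:com.example.mailclient
package:com.example.maps
package:com.syncservice.update
package:com.example.notes
"""

# Constructed sample of
# `adb shell cmd package query-activities -a android.intent.action.MAIN \
#      -c android.intent.category.LAUNCHER`
# Only the packageName= lines matter to the parser below.
SAMPLE_LAUNCHER_QUERY = """\
Activity #0:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.example.mailclient.MainActivity
    packageName=com.example.mailclient
    enabled=true exported=true directBootAware=false
Activity #1:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.example.maps.LaunchActivity
    packageName=com.example.maps
    enabled=true exported=true directBootAware=false
Activity #2:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.example.notes.Home
    packageName=com.example.notes
    enabled=true exported=true directBootAware=false
Activity #3:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  ActivityInfo:
    name=com.android.settings.Settings
    packageName=com.android.settings
    enabled=true exported=true directBootAware=false
"""

PACKAGE_LINE = re.compile(r"^package:(\S+)$", re.MULTILINE)
LAUNCHER_PKG = re.compile(r"^\s*packageName=(\S+)$", re.MULTILINE)


def parse_package_list(text: str) -> set:
    """Package names from `pm list packages` output."""
    return set(PACKAGE_LINE.findall(text))


def parse_launcher_packages(text: str) -> set:
    """Packages that own at least one MAIN/LAUNCHER activity."""
    return set(LAUNCHER_PKG.findall(text))


def hidden_third_party_packages(pkg_list: str, launcher_query: str) -> list:
    """Third-party packages with no launcher icon, sorted for stable output."""
    return sorted(parse_package_list(pkg_list) - parse_launcher_packages(launcher_query))


def adb_shell(*args: str) -> str:
    """Run a command on an attached device; needs adb on PATH and USB debugging on."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    import sys

    if "--device" in sys.argv:
        pkgs = adb_shell("pm", "list", "packages", "-3")
        launchers = adb_shell("cmd", "package", "query-activities",
                              "-a", "android.intent.action.MAIN",
                              "-c", "android.intent.category.LAUNCHER")
    else:
        pkgs, launchers = SAMPLE_PACKAGES, SAMPLE_LAUNCHER_QUERY
    for pkg in hidden_third_party_packages(pkgs, launchers):
        print("no launcher activity (review manually):", pkg)
```

The output is a review list, not a verdict: keyboards, wallpaper packs and shared library packages legitimately ship without a launcher activity, so each flagged package still needs a look at its permissions and its installer (`pm list packages -3 -i` shows the installer). On the constructed sample the only flagged package is `com.syncservice.update`. Running with `--device` talks to a real phone; the script assumes the command output format shown, which the reader should confirm on their own device.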

“TechCrunch first discovered the vulnerability as part of a wider exploration of consumer-grade spyware,” the outlet reported. “The vulnerability is simple, which is what makes it so damaging, allowing near-unfettered remote access to a device’s data. But efforts to privately disclose the security flaw to prevent it from being misused by nefarious actors have been met with silence both from those behind the operation and from Codero, the web company that hosts the spyware operation’s back-end server infrastructure.”

Since that report, a source provided TechCrunch with “tens of gigabytes of data dumped from the stalkerware’s servers.”

“The cache contains the stalkerware operation’s core database, which includes detailed records on every Android device that was compromised by any of the stalkerware apps in TheTruthSpy’s network since early 2019 (though some records date earlier) and what device data was stolen,” the outlet states.

The result of TechCrunch’s analysis is staggering, and there seems to be little authorities can do to fight it.

“Our analysis shows TheTruthSpy’s network is enormous, with victims on every continent and in almost every country,” TechCrunch writes. “But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims.”

The 34-gigabyte database received by TechCrunch “consists of metadata, such as times and dates, as well as text-based content, like call logs, text messages and location data — even names of Wi-Fi networks that a device connected to and what was copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes.”

Media, images, videos, and call recordings were not contained in the database, but it did include information about each file, “such as when a photo or video was taken, and when calls were recorded and for how long.”

TechCrunch examined the most recent data in the database at the time it received the cache, covering March 4 to April 14, 2022. Across the database as a whole, it found roughly 360,000 unique device identifiers, “including IMEI numbers for phones and advertising IDs for tablets.”

“This number represents how many devices were compromised by the operation to date and about how many people are affected,” TechCrunch explains.

And it gets worse.

“The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim’s device, or about 337,000 users,” TechCrunch continues. “That’s because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.”

In all, the cybersleuths found that in just the six weeks they looked at, about 9,400 new devices were compromised.

And with the more than 600,000 location data points stored in the same six-week period, TechCrunch learned that victims could be tracked to “transportation hubs, places of worship and other sensitive locations.”

On top of the location data point list was the United States, with 278,861 data points recorded. India came in second with just 77,425 points, with Indonesia, Argentina, and the United Kingdom rounding out the top five spots.

A total of 1.2 million text messages “including the recipient’s contact name” and 4.42 million call logs — again, from just six weeks of records — were found in the database, as were “179,055 entries of call recording files that are stored on another TheTruthSpy server.”

In the United States alone, TechCrunch discovered “evidence that 164 compromised devices in 11 states recorded thousands of calls over the six-week span without the knowledge of device owners.”

“Most of the devices were located in densely populated states like California and Illinois,” the outlet reports, noting that much of the data “was likely collected from the phones of children.”

According to TechCrunch, “TheTruthSpy’s operation is the latest in a long line of stalkerware apps to expose victims’ data because of security flaws that subsequently lead to a breach.”

Melissa Fine
