A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised.
Xnspy is one of many so-called stalkerware apps that are sold under the guise of allowing a parent to monitor their child’s activities but are explicitly marketed for spying on a spouse’s or domestic partner’s device without their permission. Its website boasts, “to catch a cheating spouse, you need Xnspy on your side,” and, “Xnspy makes reporting and data extraction simple for you.”
Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person’s phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect.
Once installed, these apps will silently and continually upload the contents of a person’s phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim’s data.
But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims’ phones. Xnspy is no different.
Security researchers Vangelis Stykas and Felipe Solferini spent months decompiling several known stalkerware apps and analyzing the edges of the networks that the apps send data to. Their research, presented at BSides London this month, identified common and easy-to-find security flaws in several stalkerware families, including Xnspy, such as credentials and private keys left behind in the code by the developers and broken or nonexistent encryption. In some cases, the flaws are exposing the victims’ stolen data, which now sits on someone else’s insecure servers.