Vulnerabilities in Stalkerware Apps Expose the Data of Millions
A security flaw in two phone-monitoring apps, Cocospy and Spyic, has exposed the personal data of both the apps’ customers and users of monitored phones. The breach, affecting millions of people, was recently discovered by the cybersecurity research site Have I Been Pwned (HIBP).
This vulnerability allows third parties to access data collected from the target device, including call logs, messages, photos, and passwords. It also exposes the login credentials of users who signed up for the services.
HIBP reports that the Cocospy breach exposed approximately 1.8 million customer email addresses, along with the captured data from associated devices. The Spyic breach exposed over 880,000 customer emails.
According to TechCrunch, the bug is so easy to exploit that adding further details on its nature could put even more people at risk. Both Cocospy and Spyic have refused to comment on the incident.
The vulnerability stems from a flaw in the source code of these popular “stalkerware” apps. Stalkerware is software designed to secretly collect data from an affected device and share it with the person who installed the app, often without the user’s knowledge.
These apps are also known as “spouseware” due to their common use in secretly monitoring spouses and partners. While using stalkerware to monitor an unwitting partner is illegal, the apps themselves operate in a legal gray area. As a result, they are not available on traditional app stores but are distributed through the vendors’ own platforms.
Stalkerware installation typically requires physical access to the target device. On Apple devices, however, these apps can also retrieve device data through iCloud access.
Data leaks and brute-force attacks have become increasingly common, even in software with more legitimate uses. Recently, the information of millions of students was exposed because PowerSchool’s Student Information System lacked basic security measures on its backend.