Stalkerware Developer Found Leaking Sensitive Data From Thousands Of The Software's Victims
from the it-all-starts-with-not-giving-a-fuck-about-anyone dept
Oh, if only this were more of a surprise. Another vendor selling sketchy spyware has been discovered to be careless with its handling of all the sensitive communications and data it pulls from victims' cell phones. (via Databreaches.net)
The company doing all the leaking is ClevGuard, which I guess is short for "clever." It apparently isn't. Its phone-snooping app, KidsGuard, is supposed to allow parents to monitor their children's cell phone usage. Obviously, there are other applications for it, like monitoring the activity of spouses, ex-spouses, girlfriends/boyfriends of the current and ex- variety, employees, dissidents, journalists… just about anyone someone else wants to spy on.
The name isn't deliberately misleading, but the app disguises itself as a system update app, allowing it to hide in plain sight, untroubled by surveillance targets. The company even advertises the app's flexibility as going beyond monitoring kids to spying on other adults.
Zack Whittaker has the details on the leaky app for TechCrunch:
TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.
Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.
Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.
The app -- in its full paid form -- is pervasive. In addition to hoovering up contacts, photos, SMS message content, and location data, it provides a wealth of information about conversations occurring in WhatsApp, Viber, and Facebook Messenger. It also compromises more secure services like Snapchat and Signal by taking snapshots of conversations and relaying them to the company's servers.
The company has since shut down access to the leaky Alibaba cloud storage bucket, but the damage may already have been done. And it's just more evidence that companies selling malicious stalkerware care very little about the security of their customers… and even less about the security of their software's victims.
Filed Under: data breach, kidsguard, parents, snooping
Companies: clevguard
Reader Comments
That's one way to say 'I do not trust my kids to act well'...
If you're so paranoid about what your kids are using their phones for that you're willing to install spyware to see everything they are doing with it then that says a lot more about your relationship with them and your ability to set rules and trust them to follow those rules than it does about them.
Re: That's one way to say 'I do not trust my kids to act well'..
You might be scared that the kids will do similar things to what you did at that age, while ignoring that it did you little or no harm.
Every loving parent worries about their child's safety, especially when it comes to the Internet, as it's not safe for children. Also, don't forget about cyberbullying and bad companies. So I think that using apps like https://www.mspy.com/viber.html is one of the manifestations of caring about your kid. We all know how cruel children can be, and it is important to find out about the child's problems in time to help in time.