Stalkerware Developer Demands TechCrunch Remove Article Detailing Its Leaking Of Sensitive Data

from the set-weapons-to-'backfire' dept

Last week, stalkerware purveyor ClevGuard was discovered to be hosting tons of sensitive data harvested from victims' phones in an Alibaba data bucket set to public with no password protection. ClevGuard makes KidsGuard, an app whose name suggests it's something parents can use to monitor their children's cell phone use, but the developer has helpfully noted the software's also great for monitoring spouses and employees.

After being notified of the issue, Alibaba secured the bucket and made sure ClevGuard was made aware of the problem. But ClevGuard's not finished being stupid about this. Rather than quietly go about securing its exfiltrated data -- which includes contacts, photos, GPS location data, and content harvested from a variety of messaging apps -- the company has decided it would like to raise its infamy level and ensure even more people know about its horrific stalkerware.

Zack Whittaker broke the news at TechCrunch, publishing a lengthy expose of both the product and its insecure data storage. And now ClevGuard is baselessly demanding he take down his article.

If you can't see/read the tweet, Whittaker says:

We just received an email from ClevGuard asking us to delete the two articles we published this week about the KidsGuard stalkerware, which has been used to spy on thousands of victims.

We declined.

Whittaker has also put together a how-to guide for removing this stalkerware from your device, which probably isn't improving TechCrunch/ClevGuard relations.

And while we're discussing ClevGuard, let's take a quick look at its marketing efforts, which directly contradict the End User License Agreement the company pushes on users.

Here are the limitations ClevGuard supposedly imposes on users, in all of its original, gloriously-broken English:

You comprehend that the Site and ClevGuard will be utilized just for the reasons for underneath (I) parental control of their kids, (ii) on a gadget, which is of your possession, under such situation, you should get authorization from the client being observed, (iii) other legal points as per the laws in your very own purview. The terms of Child is characterized as underneath:

Youngster: Your very own lawful kid that is under the legitimate age of 18 (as characterized by US law). The kid must be observed utilizing a perfect telephone that you possess. You can't screen a kid on the off chance that you hold one of the accompanying connections:

• Brother/Sister
• Step-Brother/Step-Sister
• Step-Father/Step-Mother
• Aunt/Uncle; Cousin/Nephew
• Grandfather/Grandmother
• Great-Grandfather/Great-Grandmother

Worker: Your representative at an organization you claim or a representative at indistinguishable organization from you and you have administrative duties regarding. The representative must be checked utilizing a perfect telephone claimed by the organization and issued to the worker under your organization's approaches with respect to organization telephones. The representative must give assent and be advised they are being observed before checking can start.

So, according to ClevGuard's own EULA, the stalkerware can only "legally" be used to monitor "youngsters" and "workers." (And only on "perfect telephones," which are generally only found in the Oval Office.)

But the company's quasi-blog suggests customers should use the software in ways that break the EULA, offering up reasons why KidsGuard is better than its competitors for stalking spouses and significant others. Here's a post detailing the "2 Best Ways to Track my Girlfriend's Phone," with KidsGuard beating out the built-in "Find My Phone" feature. Here's a list of the "10 Best Couple Tracker Apps" with KidsGuard topping the list. ClevGuard's site is full of "helpful" posts pushing KidsGuard to monitor something other than "youngsters" and "workers," suggesting it's not just "perfect telephones" that can be spied on with ClevGuard's software.

To sum up: ClevGuard is a terrible company offering a horrible product that can be abused to spy on nearly anyone without their knowledge. The data then -- until recently -- ended up in unsecured data buckets. But why should ClevGuard try harder? This sensitive data belongs to people being spied on. Screw them for being covertly surveilled, I guess. Nothing to hide, nothing to fear, etc. The bogus demand TechCrunch remove its article is just the expired icing on ClevGaurd's garbage cake.

Filed Under: data breaches, kidsguard, leaks, sensitive data, stalkerware
Companies: clevguard, techcrunch

Stalkerware Developer Found Leaking Sensitive Data From Thousands Of The Software's Victims

from the it-all-starts-with-not-giving-a-fuck-about-anyone dept

Oh, if only this were more of a surprise. Another vendor selling sketchy spyware has been discovered to be careless with its handling of all the sensitive communications and data it pulls from victims' cell phones. (via Databreaches.net)

The company doing all the leaking is ClevGuard, which I guess is short for "clever." It apparently isn't. Its phone-snooping app, KidsGuard, is supposed to allow parents to monitor their children's cell phone usage. Obviously, there are other applications for it, like monitoring the activity of spouses, ex-spouses, girlfriends/boyfriends of the current and ex- variety, employees, dissidents, journalists… just about anyone someone else wants to spy on.

The name isn't deliberately misleading but the app disguises itself as a system update app, allowing it to hide in plain sight, untroubled by surveillance targets. The company even advertises the app's flexibility as going beyond monitoring kids to spying on other adults.

Zach Whittaker has the details on the leaky app for TechCrunch:

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.

The app -- in its full paid form -- is pervasive. In addition to hoovering up contacts, photos, SMS message content, and location data, it provides a wealth of information about conversations occurring in WhatsApp, Viber, and Facebook Messenger. It also compromises more secure services like Snapchat and Signal by taking snapshots of conversations and relaying them to the company's servers.

The company has since shut down access to the leaky Alibaba cloud storage bucket, but the damage may already have been done. And it's just more evidence that companies selling malicious stalkerware care very little about the security of their customers… and even less about the security of their software's victims.

Filed Under: data breach, kidsguard, parents, snooping
Companies: clevguard