A little-known phone-tracking app called Xnspy has stolen data from tens of thousands of iPhones and Android devices. The majority of the owners do not know that their data has been stolen.
Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child's activities. But it is also on the market as a tool for spying on the devices of spouses or partners without their permission. The app's website states that “to see if you're a cheating spouse, you need Xnspy by your side” and “Xnspy makes reporting and data extraction simpler for you.”
Stalkerware, also known as spouseware, is secretly installed by someone with physical access to the device. These apps bypass device security protections and are designed to remain hidden from home screens, making them very difficult to detect.
Once installed, these apps silently and continuously send phone contents such as call logs, text messages, photos, browsing history and precise location data to the person who installed the app, giving that person almost complete access to the victim's data.
However, new findings show that many stalkerware apps are riddled with security holes and reveal data stolen from victims' phones. Xnspy is no different.
Security researchers Vangelis Stykas and Felipe Solferini spent months examining several known stalkerware applications and analyzing the networks to which they send their victims' data.
Their research, presented at BSides London this month, identified common and easy security flaws in several stalkerware families, including Xnspy. They discovered, for example, credentials and private keys left in the code by developers, and broken or non-existent encryption. In some cases, the security holes exposed the victims' stolen data, which already sits on someone else's unsecured servers.