Nearly a year after Motherboard reported the data breaches of two spyware companies, another hacker has independently targeted two more.
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
A hacker has broken into two consumer spyware companies—firms which sell malware to everyday people, sometimes with the explicit intent of illegally spying on spouses or lovers—and provided a large cache of data to Motherboard. The data includes gigabytes of customer records, apparent business information, and alleged intercepted messages of some people targeted by the malware.
The news comes nearly a year after Motherboard reported the hacks of two other consumer spyware companies, FlexiSpy and Retina-X. Just last week, a hacker wiped Retina-X’s servers—again. Multiple hackers are independently targeting this controversial industry.
“Spying on someone’s private devices is bad in and of itself—privacy is a fundamental human right—but it also is a powerful tool that enables stalking, harassment, and domestic violence,” Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation told Motherboard in a text message.
Both of the newly hacked companies, Mobistealth and Spy Master Pro, sell monitoring software for Android and iPhone devices. Once installed on a smartphone the attacker has physical access to, the malware can intercept Facebook chats and messages from a slew of other apps; track a target’s GPS location, and in Mobistealth’s case can even remotely switch on the device’s microphone.
In all, the hacked data includes tens of thousands of customer accounts. Motherboard verified a number of the accounts by using the associated usernames to successfully request password resets, contacting people included in the data dump, and also engaging with customer support representatives to confirm that email addresses were linked to the spyware companies.
Administrators from neither company responded to multiple requests for comment.
The Spy Master Pro data includes a ream of alleged historical GPS locations for infected phones. Although it’s difficult to understand the full context in which they were sent based on their content alone, the dump also contains thousands of apparent text messages, highlighting the visceral and personal moments of ordinary people malware like this can sweep up.
“If you want counseling we will do counseling and the first thing that we be [sic] brought up as your affairs,” one alleged intercepted text message reads.
“You cheated….smh….,” another says.
To be clear, customers can use the software to legally monitor their children or employees—some of the alleged text messages appear to be written by children talking about issues at school, and one Mobistealth customer said they trialled the software while thinking about providing their child with a phone. But both hacked companies have also marketed their tools to spy on spouses or partners, which could violate hacking and wiretapping laws.
“Are you too susceptible of your partner’s behavior? Want to make sure if the person your [sic] love is loyal or not? Well, if yes, then phone monitoring software is all that you can look for at this time,” reads a Spy Master Pro blog post, published on Valentine's Day this year. Mobistealth has penned blog posts that exhort the benefits of spying on a spouse, and others that clearly state the practice can be illegal. When Motherboard posed as a potential customer last year, a Mobistealth support representative said a user could deploy the software to monitor their wife.
Journalistic investigations, court cases, and surveys of domestic abuse shelters have repeatedly found links between the consumer malware industry and cases of violence, stalking, and illegal spying. This sale of software that facilitates a meld of physical and digital abuse is one of the reasons the hacker says they targeted both companies.
“It's disgusting how easily accessible and user friendly such sites are, that they enable stalking and enable physical and emotional abuse on such high scales, and how hilariously vulnerable such sites are,” the anonymous hacker told Motherboard in an online chat.