‘Stalkerware’ Website Let Anyone Intercept Texts of Tens of Thousands of People

A hacker exposes the awful security of two companies that sell spyware for consumers. By simply viewing the HTML of a particular website, anyone could log in and rummage through Facebook messages, texts, and phone call data.

Oct 31 2018, 5:00pm

Image: Shutterstock

This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.

A website and app designed to let users monitor their children or employees, or to illegally spy on their spouse, inadvertently allowed anyone using the service to obtain information held in other people's accounts and intercept the communications of around 28,000 monitored devices, Motherboard has confirmed following a tip from a hacker.

The app, called Xnore, can be installed on Android, iPhone, and BlackBerry devices, and collects Facebook and WhatsApp messages, GPS coordinates, emails, photos, and browsing histories, and records phone calls. Customer accounts were exposed by a map feature on Xnore's website. The flaw allowed anyone who viewed the HTML source of the page to see the mobile identifiers Xnore uses to key each monitored device's collected data. Because the identifier was the only thing needed to attach a device to an account, anyone could add someone else's monitored phone to their own account and read the intercepted data.

This new breach of a consumer spyware company—sometimes dubbed 'stalkerware' or 'spouseware' due to its common target audience of abusive partners—shows how truly lax the security of many of these companies really is. Regardless of whether customers use these apps for legal purposes, they're putting the intercepted data of their victims—be they their children, employees, or spouses—in serious jeopardy.

“These companies take care about how to spy and don't care about victim's privacy or securing their data,” the pseudonymous hacker, who goes by the handle L&M and who originally discovered the issue, told Motherboard.

Got a tip? You can contact Joseph Cox on Signal on +44 20 8133 5190, or OTR on jfcox@jabber.ccc.de; and Lorenzo Franceschi-Bicchierai on Signal on +1 917 257 1382, or OTR on lorenzofb@jabber.ccc.de. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here.

On its homepage, Xnore describes its “cell phone tracker app” as the “best parental & employee monitoring software.” But elsewhere the company also advertises its software to monitor spouses on the suspicion they may be cheating.

“In today [sic] infidelity rate is increasing. Do you suspect your spouse is cheating? How to monitor their mobile phone?” one page reads.

As Motherboard has reported extensively, consumer spyware is often used in cases of domestic stalking, and has been linked to cases of sexual assault, rape, and murder. A survey conducted by FlexiSpy, another company in this space, found that the majority of their own customers were interested in spyware because they believed their partner may be cheating. There is no direct evidence Xnore’s tools were used in any of these contexts, but the company’s advertisements are explicit and direct, including additional ones posted on social media.

“Spy on your cheating spouse, Girlfriend, Boyfriend, Kids or employee! %100 invisible and Undetectable - Monitor Android Devices Remotely,” an advert on Facebook reads.

In an email to Motherboard, Xnore claimed the majority of its customers are parents monitoring their children. Even if that were the case, the breach is still a significant threat towards those children and their parents. When Motherboard verified the website vulnerability, we were able to view text messages and other information from an infected phone. If Xnore’s software was installed on the device of a child, that device’s information would have been exposed as well.

A screenshot of Xnore's control panel, showing intercepted SMS messages. (Image: Motherboard)

SITTING IN PLAIN SIGHT

When users download the Xnore app, they are provided a mobile identifier; a string of characters and numbers unique to their device. Xnore offers a free trial so anyone can download the software and start intercepting communications.

The hacker pointed Motherboard to a section of Xnore's website containing a map. Although the map itself appeared to be non-functional at the time of viewing, a dropdown menu let users select from a slew of mobile identifiers. Viewing the HTML source for that page reveals the identifiers of Xnore's monitored devices without logging in. Motherboard ran a script to extract all of the mobile identifiers included in the exposed HTML, and found over 28,000 in total. That number matches the total number of Xnore targets the hacker says they found.
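The extraction step is mechanical: the identifiers sat in the option values of a dropdown, so a parser that walks the page's `<select>` and collects each `<option value="...">` recovers the whole list. The script below is an added example written for this page, not Motherboard's script and not Xnore's code; the HTML it parses is constructed to mimic such a dropdown, and the identifiers in it are made up.

```python
"""Pull device identifiers out of a page's <select> dropdown.

Added example, not Motherboard's script. The HTML below is constructed to
mimic a map-page dropdown; the identifiers in it are invented.
"""
from html.parser import HTMLParser

# Constructed sample page: option values stand in for device identifiers.
# One value is repeated on purpose so the de-duplication is exercised.
SAMPLE_HTML = """
<html><body>
<select id="device" name="device">
  <option value="">-- choose device --</option>
  <option value="a1b2c3d4e5f60718">Device 1</option>
  <option value="0f1e2d3c4b5a6978">Device 2</option>
  <option value="a1b2c3d4e5f60718">Device 1 (again)</option>
  <option value="deadbeef00112233">Device 3</option>
</select>
</body></html>
"""


class OptionValueCollector(HTMLParser):
    """Collects the value attribute of every <option> inside a <select>."""

    def __init__(self):
        super().__init__()
        self.in_select = False
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "select":
            self.in_select = True
        elif tag == "option" and self.in_select:
            value = (dict(attrs).get("value") or "").strip()
            if value:  # skip the empty placeholder option
                self.values.append(value)

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_select = False


def extract_identifiers(html):
    """Return the unique, non-empty option values in document order."""
    parser = OptionValueCollector()
    parser.feed(html)
    seen = set()
    unique = []
    for value in parser.values:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    return unique


if __name__ == "__main__":
    ids = extract_identifiers(SAMPLE_HTML)
    print(f"{len(ids)} unique identifiers")
    for device_id in ids:
        print(device_id)
```

Run against a saved copy of the page (`open("map.html").read()`) instead of `SAMPLE_HTML`, the same function gives the count the article reports. The point for a practitioner is that nothing here is an exploit: an unauthenticated page shipped the full key space to every visitor.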

Once a user has downloaded the app, they can simply add another mobile identifier to their account. This then grants them access to all of the information that whoever planted the malware on the phone in the first place was collecting. Motherboard chose a random mobile identifier from the list of tens of thousands, provided it to the hacker, and the hacker, with consent, shared their own account login details. Upon logging in with the hacker's account, Motherboard was immediately greeted with intercepted data from the randomly selected phone. In this case, that data included text messages and a list of phone calls made and received. The site also gave an option to download a spreadsheet of all the intercepted text messages.

With a free account, a user can add one device to their account at a time, while with a paid Xnore account users are able to monitor more.

A screenshot of Xnore's homepage. (Image: Motherboard)

In response to inquiries from Motherboard, Xnore removed the map feature from its website.

“We have already took that page down as soon as we received your email. Also to secure the users’ data we are adding some extra authentication layer while adding device,” a representative of the company wrote in an email Tuesday. The representative added that they believed the mobile identifiers on the site “were old and mostly deactivated.” However, the account Motherboard reviewed was last active four weeks ago, according to the Xnore control panel, meaning Xnore’s malware collected the data fairly recently.
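The two defects are separable: publishing the identifier list was a disclosure, but the deeper flaw was that knowing an identifier was treated as proof of the right to read that device's data. The sketch below is an added example of what an "extra authentication layer while adding device" could look like; it is a hypothetical service written for this page, not Xnore's code, and the function names, the enrollment-code scheme and the in-memory stores are all assumptions. The insecure function reproduces the pattern the article describes; the secure one requires a one-time code that only the installer of the app ever sees, and binds each device to a single owning account.

```python
"""Attaching a monitored device to an account: identifier-only (the flaw
described in the article) versus proof of enrollment.

Added example for a hypothetical backend; not Xnore's code. All names and
data structures are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed server state. DEVICES maps a device identifier to the account
# that owns it (None = unclaimed) and the hash of its one-time enrollment code.
DEVICES = {}
ACCOUNTS = {}  # account name -> set of device identifiers it may read


def register_device(device_id):
    """Called when the app is installed on a handset.

    Mints an enrollment code, stores only its hash, and returns the code so
    the app can display it on the device itself (and nowhere else).
    """
    code = secrets.token_urlsafe(16)
    DEVICES[device_id] = {
        "owner": None,
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
    }
    return code


def add_device_insecure(account, device_id):
    """The pattern the article describes: knowing the identifier is enough."""
    if device_id not in DEVICES:
        return False
    ACCOUNTS.setdefault(account, set()).add(device_id)
    return True


def add_device_secure(account, device_id, enrollment_code):
    """Require the enrollment code from install time, and allow one owner only."""
    record = DEVICES.get(device_id)
    if record is None:
        return False
    presented = hashlib.sha256(enrollment_code.encode()).hexdigest()
    # Constant-time compare so the check does not leak how much of the hash matched.
    if not hmac.compare_digest(presented, record["code_hash"]):
        return False
    if record["owner"] is not None and record["owner"] != account:
        return False  # already bound to a different account
    record["owner"] = account
    ACCOUNTS.setdefault(account, set()).add(device_id)
    return True


if __name__ == "__main__":
    code = register_device("a1b2c3d4e5f60718")
    print("insecure, stranger with only the id:",
          add_device_insecure("stranger", "a1b2c3d4e5f60718"))
    print("secure, stranger guessing the code:",
          add_device_secure("stranger", "a1b2c3d4e5f60718", "guess"))
    print("secure, installer with the real code:",
          add_device_secure("installer", "a1b2c3d4e5f60718", code))
    print("secure, second account with the real code:",
          add_device_secure("stranger", "a1b2c3d4e5f60718", code))
```

Two caveats a reviewer would raise even on the hardened version: the identifier list must not be served to anonymous visitors in the first place, and an enrollment code does nothing for the person whose phone was infected without consent, who still has no say in any of this.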

Notably, Xnore’s website uses some of the same marketing images and text as FlexiSpy. In an online chat, FlexiSpy claimed it had no connection to Xnore.

This isn't the only time a consumer spyware company has exposed its customers' data, including potentially that of children. In August, a company called Family Orbit confirmed to Motherboard it had left some 281 gigabytes of children's photos online.

And this is just the latest data breach to impact this industry more generally. Motherboard has reported on breaches from nine companies in all.

A screenshot of Copy9's homepage. (Image: Motherboard)

ANOTHER DAY, ANOTHER STALKERWARE BREACH

In a second, separate breach, L&M accessed the usernames and passwords of almost 12,000 users of a spyware app called Copy9 and claimed to have gained access to the data of all its surveillance targets, including text messages, photos, WhatsApp chats, call recordings, contacts, and browser history.

Copy9 offers approximately the same services as Xnore and countless other consumer spyware apps.

Copy9 did not respond to multiple requests for comment. Motherboard was able to confirm the breach by contacting a sample of users whose details were provided by the hacker. One of the users, who asked to remain anonymous, confirmed that he was a customer of Copy9 and that the app does not work very well, “but it helped” keeping tabs on his children.

Motherboard also verified the data by trying to sign up to Copy9 with the stolen email addresses; in the majority of cases this was not possible because an account with that address already existed, indicating that the data obtained by L&M corresponded to actual accounts.

L&M, who was also behind the breach of another spyware app called TheTruthSpy, said that they have been targeting these companies in part because they want to expose their poor security and their questionable ethics, much like the hackers behind the FlexiSpy breach, who called themselves The Decepticons.

But L&M was also transparent about this being more than just an act of hacktivism. The hacker previously asked Motherboard for money in exchange for stolen data (in line with common journalistic practice, Motherboard declined). L&M also said the companies are “fertiles grounds” for data that may be financially worthwhile obtaining.
