Xnspy stalkerware has spied on thousands of iPhones and Android devices • TechCrunch
The surveillance app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, most of whose owners are unaware that their data has been compromised.
Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child’s activities, but which are explicitly marketed to spy on the devices of a spouse or domestic partner without their permission. Its website boasts “to catch a cheating spouse, you need Xnspy on your side” and “Xnspy makes reporting and data mining easy for you.”
Stalkerware apps, also known as spouseware, are surreptitiously installed by someone with physical access to a person’s phone, bypassing the device’s security protections, and are designed to stay hidden from the home screen, making them difficult to detect. Once installed, these apps silently and continuously upload content from the person’s phone, including call recordings, text messages, photos, browsing history, and precise location data, giving the person who planted the app near-complete access to the victim’s data.
But new findings show that many stalkerware apps are riddled with security holes and expose data stolen from victims’ phones. Xnspy is no different.
Security researchers Vangelis Stykas and Felipe Solferini spent months decompiling several known stalkerware apps and analyzing the edges of the networks the apps send data to. Their research, presented at BSides in London this month, identified common and easy-to-find security flaws in several stalkerware families, including Xnspy, such as credentials and private keys left in the code by developers and broken or non-existent encryption. In some cases, the flaws expose victims’ stolen data, which now sits on someone else’s insecure servers.
During their research, Stykas and Solferini uncovered clues and artifacts that identified the individuals behind each operation, but they declined to share details of the vulnerabilities with the stalkerware operators or to publicly release details about the flaws, for fear that doing so would benefit malicious hackers and further harm the victims. Stykas and Solferini said all of the flaws they found are easy to exploit and have likely existed for years.
Others have waded into murkier legal waters by exploiting these easy-to-find vulnerabilities with the apparent aim of exposing stalkerware operations, a form of vigilantism. A massive cache of internal data taken from the servers of the TheTruthSpy stalkerware and its affiliated apps, and turned over to TechCrunch earlier this year, has enabled us to notify thousands of victims whose devices were compromised.
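The two flaw classes the researchers describe, secrets left in the code and traffic sent without encryption, are exactly what a secret scan over decompiled sources turns up. The scanner below is an added illustration written for this page; it is not the researchers’ tooling, and the Java-like snippet it scans is constructed (the hostnames, key and password in it are invented). It masks each secret it reports so that the findings can be shared without re-leaking the credential.

```python
"""Flag hardcoded credentials, private keys and plaintext endpoints in
source text. Added illustration of the flaw classes described above; it is
not the researchers' tooling, and the sample input below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str  # the offending line, with the secret masked


# Each rule is (kind, regex). A named "value" group marks the secret itself.
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+)?PRIVATE KEY-----")),
    ("credential_literal", re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'](?P<value>[^"']{4,})["']""")),
    ("credentials_in_url", re.compile(
        r"""(?i)[a-z][a-z0-9+.-]*://(?P<value>[^\s"'/@:]+:[^\s"'/@]+)@""")),
    ("plaintext_endpoint", re.compile(r"""\bhttp://[^\s"']+""")),
]

# Values that are clearly placeholders rather than real secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]*\}|\{\{[^}]*\}\}|<[^>]*>|x+|\*+|changeme|todo)$", re.I)

# Constructed sample resembling decompiled app config; nothing here is real.
SAMPLE_SOURCE = """\
package com.example.monitor;  // constructed sample, not real app code
public final class Config {
    static final String UPLOAD_URL = "http://upload.example.invalid/api/v1/put";
    static final String DB_URL = "mysql://sync:Summ3rTime!@db.example.invalid/backups";
    static final String API_KEY = "sk_EXAMPLE_0123456789abcdef";
    static final String ADMIN_PASSWORD = "${ADMIN_PASSWORD}";   // placeholder: not a finding
    static final String password = System.getenv("DB_PASSWORD"); // runtime lookup: not a finding
    static final String SIGNING_KEY =
        "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA...EXAMPLE...\\n-----END RSA PRIVATE KEY-----";
}
"""


def _redact(line: str, kind: str, match: re.Match) -> str:
    """Mask the secret so a report can be shared without re-leaking it."""
    if kind == "private_key":
        return line[: match.end()] + " [REDACTED]"
    value = match.groupdict().get("value")
    return line.replace(value, "[REDACTED]") if value else line


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping obvious placeholders."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for kind, rule in RULES:
            match = rule.search(line)
            if not match:
                continue
            value = match.groupdict().get("value")
            if value and PLACEHOLDER.match(value):
                continue  # "${ADMIN_PASSWORD}" and friends are not leaks
            findings.append(Finding(line_no, kind, _redact(line, kind, match)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick triage overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3}  {f.kind:<20} {f.excerpt}")
```

On the constructed sample the scan reports four lines: the plaintext upload URL, the database URL with embedded credentials, the API key literal and the embedded private key, while the environment-variable placeholder and the runtime `getenv` lookup are correctly left alone. A real review would run the same rules over the whole decompiled tree and then check whether each flagged credential still works, which is the step that turns a code smell into the exposed-server finding the researchers describe.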
Since our investigation of TheTruthSpy, TechCrunch has obtained other caches of stalkerware data, including from Xnspy, exposing their operations and the individuals profiting from the surveillance.
Data viewed by TechCrunch shows that Xnspy has at least 60,000 victims dating back to 2014, including thousands of new breaches recorded as recently as 2022. The majority of victims are Android owners, but Xnspy also has data from thousands of iPhones.
Many stalkerware apps are designed for Android because it is easier to plant a malicious app there than on an iPhone, which has tighter restrictions on which apps can be installed and what data they can access. Instead of planting a malicious app, iPhone stalkerware taps into the device’s backup stored in Apple’s iCloud cloud storage service.
Using a victim’s iCloud credentials, the stalkerware continually downloads the device’s most recent iCloud backup directly from Apple’s servers without the owner’s knowledge. iCloud backups contain most of a person’s device data, allowing the stalkerware to take their messages, photos, and other information. Enabling two-factor authentication makes it much harder for attackers to compromise someone’s online account.
The data we saw contains more than 10,000 unique iCloud email addresses and passwords used to access a victim’s cloud-stored data, although many iCloud accounts are logged into multiple devices. Of this number, the data contains more than 6,600 authentication tokens, which had been actively used to exfiltrate data from victims’ devices in Apple’s cloud, although many have expired. Given the possibility of continued risk to victims, TechCrunch provided the list of compromised iCloud credentials to Apple prior to publication.
The Xnspy data we got was not encrypted. It also included information that further exposed the developers of Xnspy.
Konext is a small development startup in Lahore, Pakistan, run by a dozen employees, according to its LinkedIn page. The startup’s website says the startup specializes in “tailor-made software for companies looking for all-in-one solutions” and claims to have created dozens of mobile apps and games.
What Konext does not advertise is that it develops and maintains the Xnspy stalkerware.
The data TechCrunch viewed included a list of scrambled names, email addresses, and passwords saved exclusively for Konext developers and employees to gain access to internal Xnspy systems.
The cache also includes the Xnspy credentials for a third-party payment provider that are linked to the email address of Konext’s lead systems architect, according to his LinkedIn, who is believed to be the lead developer behind the spyware operation. Other Konext developers used credit cards registered to their own home addresses in Lahore to test the payment systems used for Xnspy and TrackMyFone, an Xnspy clone also developed by Konext.
Some of Konext’s employees are located in Cyprus, according to the data.
Konext, like other stalkerware developers, makes a concerted effort to conceal its activities and the identities of its developers from public view, likely to protect itself from the legal and reputational risks that come with facilitating covert surveillance at scale. But coding errors left behind by Konext’s own developers further tie the company to stalkerware development.
TechCrunch found that the Konext website is hosted on the same dedicated server as the TrackMyFone website, and as Serfolet, a Cyprus-based entity with a visibly stripped-down website, which Xnspy claims processes refunds on behalf of its customers. No other websites are hosted on the server.
TechCrunch reached out to Konext’s senior systems architect via email for comment, on both his Konext and Xnspy email addresses. Instead, someone named Sal, whose Konext email address was also in the data but declined to provide his full name, replied to our email. Sal neither disputed nor denied the company’s ties to Xnspy in a series of emails with TechCrunch, but declined to comment. Asked about the number of compromised devices, Sal appeared to confirm his company’s involvement, saying in an email that “the numbers you quoted do not match what we have.” When asked for clarification, Sal did not elaborate.
Xnspy is the latest in a long list of flawed stalkerware apps: mSpy, Mobistealth, Flexispy, Family Orbit, KidsGuard and TheTruthSpy have all exposed or compromised their victims’ data in recent years.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 support for victims of domestic violence. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you suspect your phone has been compromised by spyware. You can reach this reporter on Signal and WhatsApp at +1 646-755-8849 or email email@example.com.