Saturday, December 17, 2022

Support King, banned by FTC, linked to new stalkerware operation • TechCrunch


A year after it was banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.

A groundbreaking FTC order in 2021 banned the stalkerware app SpyFone, its parent company Support King, and its chief executive Scott Zuckerman from the surveillance industry. The order, unanimously approved by the regulator’s five sitting commissioners, also demanded that Support King delete the phone data it illegally collected and notify victims that its app was secretly installed on their device.

Stalkerware, or spouseware, are apps that are surreptitiously planted by someone with physical access to a person’s phone, often under the guise of family monitoring or child monitoring, except that these apps are designed to stay hidden from home screens, all the while silently uploading the contents of a person’s phone, including their text messages, photos, browsing history, and granular location data.

But many stalkerware apps — like KidsGuard, TheTruthSpy and Xnspy — have security flaws that put thousands of people’s private phone data at risk of further compromise.

That also includes SpyFone, whose unsecured cloud storage server spilled the personal data stolen from more than 2,000 victims’ phones, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering, distributing, promoting, or otherwise assisting in the sale of surveillance apps.

Since then, TechCrunch has obtained further tranches of data, including from the internal servers of a stalkerware app called SpyTrac, which is run by developers with ties to Support King.

Meet Aztec Labs

With more than 1.3 million compromised devices, SpyTrac is one of the largest known active Android stalkerware operations, surpassing the number of victims ensnared by TheTruthSpy more than threefold. Despite its huge worldwide reach, U.S. visitors to SpyTrac’s website are blocked with an abrupt message stating that “your nation just isn’t supported.”

But SpyTrac is like any other stalkerware app, including its ability to stay hidden on a victim’s device. SpyTrac’s website also makes no mention of the individuals running the operation, likely to shield the developers from legal and reputational risks associated with running a stalkerware operation.

According to the data and other public records seen by TechCrunch, SpyTrac is managed by developers who work for both Support King and an outfit of developers called Aztec Labs, which builds and maintains the SpyTrac stalkerware operation. Aztec Labs also maintains a near-identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”), and another clone stalkerware app called StealthX Pro, the data shows.

Some of the data found on SpyTrac’s server directly connects SpyTrac to Support King.

One of the server files contained a set of Amazon Web Services private keys that allow access to cloud storage associated with Support King and GovAssist, a website that claims to help immigrants obtain U.S. visas and permanent residency permits. The keys also allow access to cloud storage for OneClickMonitor, a clone stalkerware app that Support King shut down at the same time as SpyFone.

Both Support King and GovAssist are headed by chief executive Scott Zuckerman.

When reached by email, Zuckerman told TechCrunch: “We’re investigating your claims that SpyTrac internal data was storing AWS keys that could be related to S3 buckets relating to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC Order.”

A redacted screenshot from a SpyTrac video, which references SpyFone, a Support King surveillance app banned by the FTC a year earlier. Image Credits: TechCrunch (screenshot)

Access logs seen by TechCrunch show at least two Aztec Labs developers logging in to SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both of the developers logged in from IP addresses registered to a Bosnian residential broadband provider using credentials associated with Aztec Labs, SpyTrac, and Support King email addresses.

One of the developers is Aztec Labs’ technical lead, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios list his work as a program manager at Support King, a job that he describes as “managing the complete IT workforce.”

According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers also work on Zuckerman’s latest venture, GovAssist.

The access logs also show a third developer logging in to SpyTrac’s servers, also from their home IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist email addresses.

In response, Zuckerman told TechCrunch: “Neither I, nor any of my companies, are affiliated with Aztec Labs, SpyTrac, or [the technical lead, who] worked as an independent contractor for Support King between June 2019 and October 2021. Nor do we have access to SpyTrac’s servers.”

The SpyFone connection

SpyFone, the stalkerware app banned by the FTC in September 2021, no longer operates.

The internal SpyTrac data we have seen shows that SpyFone issued its last customer license just days before it was banned by the FTC. SpyFone’s domain name was sold to another phone surveillance maker, SpyPhone. Customers trying to log in to SpyFone’s web dashboard, used for accessing a victim’s stolen data, were redirected to SpyPhone’s website instead.

The FTC’s 2021 order also demanded that Support King delete the data it had illegally collected from SpyFone. But the internal SpyTrac data seen by TechCrunch still contains thousands of records associated with SpyFone licenses assigned to the email addresses of buying customers.

Every SpyFone license was sold by a reseller with a Support King email address, the data showed.

SpyTrac also came to the attention of security researchers Vangelis Stykas and Felipe Solferini, whose months-long research identified widespread and easy-to-find security flaws in several stalkerware families, including SpyTrac. Their findings, which they presented at BSides London this month, involved decompiling the apps and mapping out their server infrastructure using public internet data. Their evidence links SpyTrac to Support King.

Zuckerman said in response: “Support King deleted all data in its servers associated with SpyFone and OneClickMonitor customers pursuant to the FTC Order.”

A short time after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a message saying the “product is briefly not accessible.” The websites for SpyTrac’s clone stalkerware apps, StealthX Pro and its Spanish-language clone Espía Móvil, also went offline. Aztec Labs’ website also stopped loading.

A screenshot of the FTC notice on Support King’s website. Image Credits: TechCrunch (screenshot)

Stalkerware is a difficult problem to combat. These operations are clandestine by design, making it difficult for regulators to investigate or know under whose jurisdiction they fall.

In 2020, the FTC took its first-ever action against a stalkerware operator, Retina-X, which was hacked several times and later shut down. The FTC’s second action was against Support King a year later.

Companies that violate FTC orders can face considerable civil penalties. Earlier this year, Twitter was ordered to pay $150 million for violating an FTC order from 2011.

Instead, much of the effort against stalkerware and other commercial surveillance has been taken up by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results that promote stalkerware. Anti-malware providers who are members of the Coalition Against Stalkerware, which launched in 2019 to support victims and survivors of stalkerware, collectively share signatures of known stalkerware apps and networks to block them from working on their customers’ phones.

A former FTC attorney, who reviewed our findings ahead of publication, told TechCrunch that the evidence points to a likely breach of the FTC’s ban. Whether Support King broke its agreement with the FTC will ultimately be for the agency to decide.

When reached, a spokesperson for the FTC declined to comment.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.
