The website for SpyHuman, an Indian vendor of an Android app ostensibly for monitoring employees and children, contains a flaw that exposes the text messages and phone numbers of users who have been monitored via the app, according to a security researcher speaking to Motherboard today.
Baptiste Robert, who goes by the name Elliot Anderson on Twitter, provided evidence to Motherboard that SpyHuman was exposing 440 million pieces of data; in addition to the device's phone number and text messages captured by the spying app, one could also access the phone number of another device that the affected user called or received a call from, plus the duration of the call and the exact time of day the call was placed.
Motherboard notes that hacks against spyware websites are a growing trend, which greatly increases the exposure of your personal data if you have been spied on via one of their apps. Some of the hacks are done to publicly expose how poorly these sites are secured, while others may be using the data as a black market commodity akin to credit card info and Social Security numbers.
Robert claims to be the intermediary for an anonymous source who provided this information to him. The exact nature of the website hack was not disclosed; it's customary among "white hat" hackers to give companies a certain amount of time to correct their security lapses before publishing the details.
However, the intentions of Robert's hacker contact, and how widely he or she has shared this information, are not known and may never be fully known; such is the nature of information security research.
While SpyHuman's website emphasises the monitoring of one's employees and children -- for relatively innocent company policy adherence and family safety -- these apps are notoriously linked to stalkers, jealous suitors, and paranoid or abusive spouses. As such, they have become indistinguishable from overt malware.
And as Robert himself notes, digging into the SpyHuman website uncovers far more layers than simple supervision, with this rather notable language: "Have you ever wondered that your Husband/Wife cheating on you? Is he really at work or hanging out with other girls? Or your spouse really going shopping with her girlfriend or watching movie with other guy?
"If any of these questions arises in your mind then, you can get answer of all these questions with the Spy Human's GPS Location Tracker feature. The SpyHuman application allows you to spy on your Wife/Husband silently without being known by them. Is your life partner start keeping distance from you then yes, it is the right time to get into the SpyHuman."
These paragraphs were quietly removed from SpyHuman's website, but the original version can be retrieved from the Internet Archive, proving once again how difficult it can be to cover your digital tracks -- and how common it is among Android spyware apps to tap into a customer's deeply personal fears.
In addition to secretly recording your text messages and phone numbers, the SpyHuman app can also record the phone calls themselves, and whatever other sounds the device's microphone can pick up. It doesn't advertise an ability to take screenshots or record video, but it can access images stored on the device, even with a thumbnail gallery viewing option, and also download them to another device.
How do you remove the SpyHuman app from your phone or tablet?
If you suspect that someone is spying on you with SpyHuman, be aware that the Android app is designed to hide its presence on your device. In that case, you may need to do a factory reset. Be aware that this erases all data from your phone or tablet, so make sure to back up your pictures, texts, and other personal data before you go with the nuclear option.
Google's official instructions for a factory reset on an Android device can be found here. There is no iOS version of SpyHuman, likely thanks to Apple's tight security restrictions. But if you need to do an iOS factory reset for a different reason, you can find the official instructions here.
- While the digital age is connecting people from all over the globe, it's also making it easier to stalk and harass people. Thankfully, spyware like SpyHuman isn't available on the Google Play Store, at least.
- An app with cloudy morals may not be treating its customers any better than the customer's victims. Remember the old adage: No honor among thieves. And little sympathy, either.