A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans.
The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others.
These Android apps are planted by someone with physical access to a person's device and are designed to stay hidden on their home screens but will continuously and silently upload the phone's contents without the owner's knowledge.
Given that victims had no idea that their device data was stolen, TechCrunch extracted every unique device identifier from the leaked database and built a lookup tool to allow anyone to check if their device was compromised by any of the stalkerware apps up to April 2022, which is when the data was dumped.
TechCrunch has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows TheTruthSpy's network is enormous, with victims on every continent and in almost every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims.
[...] The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices were compromised by the operation to date and about how many people are affected. The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim's device, or about 337,000 users. That's because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.
About 9,400 new devices were compromised during the six-week span, our analysis shows, amounting to hundreds of new devices each day.
The database stored 608,966 location data points during that same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-scale TheTruthSpy's operation is. The animation is zoomed out to the world level to protect individuals' privacy, but the data is extremely granular and shows victims at transportation hubs, places of worship and other sensitive locations.
By breakdown, the United States ranked first with the most location data points (278,861) of any other country during the six-week span. India had the second most location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth. Canada, Nepal, Israel, Ghana and Tanzania were also included in the top 10 countries by volume of location data.
