A spy that just got spied. This is what best described the incident.
'LetMeSpy' is an Android app that allows its users to spy on others' smartphones. As a stalkerware with too many permissions requirements, the app is not allowed to be on Google's Play Store. But that doesn't mean it cannot gain significant amount of users.
This is because many people can easily download it from the developer's website, and sideload it to their targets' phones.
LetMySpy allows users to read others' SMS text messages, like seeing "who your child called and who is calling them and how long they talked," increase employers' control of their employee, and by reading "all the SMS messages and view call logs even if you do not have your phone with you!"
The app also allows users to know "exact location of a phone."
With thousands of customers that lets users spy on others' smartphones, LetMySpy has hoarded tons upon tons of sensitive information.
And this time, the app has been compromised and its sensitive user data stolen, the app’s manufacturer has confirmed.
In an announcement published on the app’s website, the company said that a "security incident" happened in late June 2023, where an unauthorized third party accessed the data of "website users."
"As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts," the announcement added.
According to reports, the "years of victims' call logs and messages" that can be traced back to 2013, have been stolen by hackers, meaning that the data is extremely extensive,
It's said that data of users from at least 13,000 devices have been stolen.
The data suggests that most victims live in the U.S., India, and Western Africa.
As if adding salt to the wound, LetMeSpy's master database was also compromised.
This particular database holds some additional 26,000 customers who used the app for free, as well as email addresses of those who paid for the subscription.
It's worth noting that earlier this 2023, it was reported that LetMeSpy was already tracking more than 236,000 devices.
It's worth noting that LetMeSpy was warned, but things were far too late.
According to a blog post by Polish security researchers at Niebezpiecznik who first discovered the breach, team contacted the people at LetMeSpy, but realized that the people who responded were the hackers themselves.
It was discovered that the hacker had taken over the app maker’s domain, and indeed, because the app’s website has a counter for the number of users, text messages, call logs, and locations being tracked, and all of these are showing zeroes.
Also, the majority of the site seems to be broken and non-functioning.
This was when the researchers was told, that the original LetMeSpy’s databases were already wiped from the servers, and that the hackers did that before leaking them online.
LetMeSpy confirmed that the breach was reported to the local law enforcement and data protection authority, but since the nature of the app is all about spying, it's difficult for the company to ever reach out to affected customers to tell them what happened, privately, without sparking any anger.
This is because LetMeSpy is an app purposefully built to spy on people, and that it must be installed on victim devices without their knowledge and consent, which makes this app deemed illegal in some parts of the world.
Hacks and data leaks like this, could open the possibilities of user data commodity, where bad actors are selling them for profit.
Bad actors who can get their hands on these sensitive information, can also use the data in an identity theft attack, or wire fraud.
LetMeSpy is one of the a bunch of the so-called stalkerware in the Android app market.
These apps, while intrusive in nature, are built to spy, on behalf of their real users.
Creators of these apps often advertise their products as a security measure, like for parents to keep track of their children, and those who wish to spy on their cheating spouse, for example. Users can also use this app for anything else, like stalking others they just know, and so forth
In this case, LetMeSpy works by uploading all text messages, allcall logs, and all location data, without notifying the device owner. The data is then shared with the person who installed the app, on a different device.
Because of this, apps like LetMeSpy is an ideal gateway for hackers looking to steal sensitive data.
And LetMeSpy suffered from this data breach because its security measures were poorly executed, and that the app also had bugs.
It's worth noting that the number of stalkerware apps in the market have increased by more than threefold over the past three years, following the COVID-19 pandemic.
According to Avast's Threat Researchers department, which is part of the Coalition Against Stalkerware, revealed that based on its telemetry, the possibility of being spied by stalkerware has increased 329% since 2020.