INSUBCONTINENT EXCLUSIVE:
A spyware app designed to &monitor everything& on a victim phone has been secretly installed on thousands of phones.
The app, KidsGuard,
claims it can &access all the information& on a target device, including its real-time location, text messages, browser history, access to
its photos, videos and app activities, and recordings of phone calls.
But a misconfigured server meant the app was also spilling out the
secretly uploaded contents of victims& devices to the internet.
These consumer-grade spyware apps — also known as &stalkerware& — have
come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission
Although many of these apps are marketed toward parents to monitor their child activities, many have repurposed the apps to spy on their
That prompted privacy groups and security firms to work together to help better identify stalkerware.
KidsGuard is no different
Its maker, ClevGuard, pitches the spyware app as a &stealthy& way to keep children safe, but also can be used to &catch a cheating spouse or
monitor employees.&
But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.
ClevGuard
website, which makes the KidsGuard phone spyware (Image: TechCrunch)
TechCrunch obtained a copy of the Android app from Till Kottmann, a
developer who reverse-engineers apps to understand how they work.
Kottmann found that the app was exfiltrating the contents of victims&
phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices
It believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with
a password.
Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a
network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann findings.
The
app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes
(ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Apple
policies.) The app has to be installed by a person with physical access to a victim phone, but the app does not require rooting or
The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be
installed and disabling Google Play Protect, which helps to prevent malicious apps from running.
Once installed, ClevGuard says its app
works in &stealth& and isn&t visible to the victim
It does that by masquerading itself as an Android &system update& app, which looks near-indistinguishable from legitimate system
services.
And because there no app icon, it difficult for a victim to know their device has been compromised.
KidsGuard is designed to look
like an Android app (Image: TechCrunch)
Because we only had the Android app and not a paid subscription to the service, we were limited in
Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victim phone, including what
stored in their photos and video apps, and recordings of the victim phone calls.
The app also gives whomever install the app access to who
the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and the app also boasts
the ability to monitor a victim activities on dating apps like Tinder
The app secretly takes screenshots of a victim conversations in apps like Snapchat and Signal to capture the messages before they are set to
disappear.
The spyware app maker can also record and monitor the precise location of a device, and access their browsing history.
Although
the app says it can access a victim contacts, the uploaded data stored in the exposed bucket did not include contact lists or easily
identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.
But one victim we spoke to said she
found out just a few days earlier that spyware had been installed on her phone.
&It was my husband,& said the victim
The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone
&I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,& she said.
ClevGuard
shut down the exposed cloud storage bucket after we contacted the company
We also contacted Alibaba, which also alerted the company of the exposure.
&This is evidence that not only are spouseware and stalkerware
companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,& said Cooper Quintin, senior
staff technologist at the Electronic Frontier Foundation, who also examined the app.
&The fact that this also includes the data of young
children is both alarming and sickening,& said Quintin
&This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware
industry.&
It the latest in a long stream of spyware companies that have either had data breaches or exposed systems
Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy
The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving
sensitive victim data.
If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.
Got a tip? You can
send tips securely over Signal and WhatsApp to +1 646-755&8849.
How to identify and remove KidsGuard ‘stalkerware& from your phone
