Technology

A spyware app designed to &monitor everything& on a victimphone has been secretly installed on thousands of phones.

The app, KidsGuard, claims it can &access all the information& on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls.

But a misconfigured server meant the app was also spilling out the secretly uploaded contents of victims& devices to the internet.

These consumer-grade spyware apps — also known as &stalkerware& — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their childactivities, many have repurposed the apps to spy on their spouses. Thatprompted privacy groups and security firms to work together to help better identify stalkerware.

KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a &stealthy& way to keep children safe, but also can be used to &catch a cheating spouse or monitor employees.&

But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.

ClevGuardwebsite, which makes the KidsGuard phone spyware (Image: TechCrunch)

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims& phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. Itbelieved the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmannfindings.

The app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes. (ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Applepolicies.) The app has to be installed by a person with physical access to a victimphone, but the app does not require rooting or jailbreaking. The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, which helps to prevent malicious apps from running.

Once installed, ClevGuard says its app works in &stealth& and isn&t visible to the victim. It does that by masquerading itself as an Android &system update& app, which looks near-indistinguishable from legitimate system services.

And because thereno app icon, itdifficult for a victim to know their device has been compromised.

KidsGuard is designed to look like an Android app (Image: TechCrunch)

Because we only had the Android app and not a paid subscription to the service, we were limited in how much we could test. Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victimphone, including whatstored in their photos and video apps, and recordings of the victimphone calls.

The app also gives whomever install the app access to who the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and the app also boasts the ability to monitor a victimactivities on dating apps like Tinder. The app secretly takes screenshots of a victimconversations in apps like Snapchat and Signal to capture the messages before they are set to disappear.

The spyware app maker can also record and monitor the precise location of a device, and access their browsing history.

Although the app says it can access a victimcontacts, the uploaded data stored in the exposed bucket did not include contact lists or easily identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.

But one victim we spoke to said she found out just a few days earlier that spyware had been installed on her phone.

&It was my husband,& said the victim. The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone. &I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,& she said.

ClevGuard shut down the exposed cloud storage bucket after we contacted the company. We also contacted Alibaba, which also alerted the company of the exposure.

&This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,& said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, who also examined the app.

&The fact that this also includes the data of young children is both alarming and sickening,& said Quintin. &This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware industry.&

Itthe latest in a long stream of spyware companies that have either had data breaches or exposed systems. Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy. The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving sensitive victim data.

If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755&8849.

DigitalOcean, a cloud infrastructure provider targeting smaller business and younger companies, announced today that it has secured $100 million in new debt from a group of investors, bringing its 2016-era debt raise to a total of around $300 million. The companynearly $200 million debt raise in 2016 was preceded by an $83 million Series B in 2015.

TechCrunch spoke with DigitalOcean CEO Yancey Spruill (hired in 2019, along with a new, IPO-experienced CFO; the company added a new CMO earlier this year) to get under the skin of the new funding, and better understand the companyrevenue scale, its financial health and its future IPO plans.

The firm intends to use the new funds to invest in partnerships, boost product investment and grow what its CEO called an &early-stage& inside sales capacity.

For readers of our regular $100 million ARR club series, consider this something of a sister post. We&ll induct DigitalOcean later on. Today, letfocus on the companymomentum, and its choice of selecting debt over equity-derived fundraising.

Contextual growth

DigitalOcean is a large private company in revenue terms, with the former startup reporting an annualized run rate of $200 million in 2018 and $250 million toward the end of 2019. According to Spruill, all the companyrevenue is recurring, so we can treat those figures as effective annual recurring revenue (ARR) results.

Sticking to the financial realm, DigitalOcean told TechCrunch that it has a mid-20s percentage growth rate, and the company claims that its EBITDA (an adjusted profit metric) are in the low 20s. Citing a &strategy over the next several years to continue to focus very specifically on the SMB and developer communities,& Spruill told TechCrunch that DigitalOcean will scale to $1 billion in revenue in the next five years, and it will become free cash flow profitable (something the CEO also referred to, loosely, as profitability) in the next two.

All that and the company expects to reach a $300 million annualized run rate inside the first half of 2020. How has it done all of that without raising new capital since it put roughly $200 million in debt onto its book back in 2016? A good question. Lettalk about DigitalOceaneconomics.

Economic efficiency

DigitalOcean has a pretty efficient go-to-market motion, which in human terms means that it can attract new customers at relatively low costs. It does this, per the CEO, by attracting millions of folks (around four million, he said) to its website each month. Those turn into tens of thousands of new customers.

Because DigitalOcean is a self-serve SaaS business, folks can show up and get started without hand-holding from sales. Sales cycles are expensive and slow. But, while allowing small companies to sign up on their own sounds attractive, companies that often lean on this acquisition method struggle with churn. So, I asked Spruill about that, specifically digging into customer churn via graduation, the pace at which customers that joined DigitalOcean as small companies left it for other players like Azure and AWS as they themselves grew (quote slightly condensed for readability):

Like any self-serve, early-stage, or SMB-focused business, [the] first three to four months is critical for [customers]. But when you look at our customer base over time — we look at every cohort of the eight year history of our company — all of our cohorts have grown each year, and our churn, which is what [your graduation rate] question is, do customers leave our platform, is de minimis after customers have been on our platform for a year or more.

So it doesn&t appear that churn is a catastrophe at DigitalOcean, which gives it what I&d call pretty attractive economics: Customers come in at relatively low customer acquisition costs, and with churn slipping very low after an initial quarter or so, the company can extract gross margin from those customers for quite some time. What does it do with that cash? It reinvests it. Herehow Spruill explained that process:

The high retention rates of the customers and the strong revenue growth enable cash flow to support the growth and investment of the business and paying and supporting the debt. And when you think about the dilution, when you think about a business at our size and scale — the roughly $400 million of capital raised is probably the right proxy, if you look at our peers and our size and stage of company development — most of them the vast majority of the capital is equity. In our case, only a quarter of the capital, a little over quarter the capital is equity. So we&re going to use the cash flow leverage of the business to drive enormous returns to the equity in terms of not taking on that significant dilution, and still being able to grow the business in a in a responsible and exciting way.

The chorus sound effect you are hearing in the background are the companyearly-stage investors rejoicing at DigitalOcean not selling more shares to grow, concentrating the value-upside to existing shares. Shares that they own a lot of.

So letsum quickly: DigitalOcean is working to carve out an SMB and developer-focused cloud infra niche, keeping its economics in a good place by using low-CAC, self-serve revenue generation. The margins from that are paying for the companydevelopment, and its overall economics are good enough to allow it to leverage debt to invest in itself instead of equity. Overall, not what I expected to hear this morning, but thatthe fun part of news.

Whatin the future? Probably not an IPO any time soon. The company just raised more debt, money that it probably intends to use before debuting. The CEO told TechCrunch that &the IPO option for DigitalOcean is on the table,& going on to cite his companygrowth, growth rate, operating margins, &soon-to-be free cash flow margins& and scale as allowing the upstart &to have the conversation that this is a company that could go public.&

Next, adding DigitalOcean to the $100 million ARR club, and then I fancy a few more revenue milestones until an eventual S-1.