The U.S. Federal Trade Commission on Wednesday banned a stalkerware app company called SpyFone from the surveillance business over concerns that it stealthily harvested and shared data on people’s physical movements, phone use, and online activities that were then used by stalkers and domestic abusers to monitor potential targets.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, in a statement. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security.”
Calling out the app developer for its lack of basic security practices, the agency has also ordered SpyFone to delete the illegally harvested information and notify device owners that the app had been secretly installed on their phones.
SpyFone’s website advertises the company as the “World’s Leading Spy Phone App,” and claims five million installations. Like other stalkerware services, SpyFone allowed purchasers to surreptitiously track photos, text messages, emails, internet browsing histories, real-time GPS locations, and other personal information stored on the devices. The apps also came with features to remove the app’s icon from the mobile device’s home screen, hiding the fact that the victim is being monitored.
On top of that, the company is said to have failed to implement adequate protections for the data it amassed: it stored personal information unencrypted, exposed the data over the internet without any authentication, and transmitted purchasers’ passwords in plaintext. Notably, the company suffered a data breach in August 2018 after a researcher accessed the company’s poorly protected Amazon S3 bucket and obtained the personal data of roughly 2,200 consumers.
The development comes almost two years after the FTC barred Retina-X and its developers from selling stalkerware apps that were illegitimately used to spy on employees and children. Those apps were installed on the victims’ devices without their knowledge or permission by circumventing smartphone manufacturer restrictions, thereby exposing the devices to security vulnerabilities and likely invalidating manufacturer warranties.