Naked Security

Spyware app exposes private photos, hosting provider steps in

A hosting company has taken down a database owned by a mobile spying app after it was found displaying phone owners' intimate images online.

A hosting company took down a database operated by a spying app this week after it was found displaying thousands of intimate images and recordings online.

MobiiSpy, an Android app that can be used to track what people do on their phones, left over 95,000 images and 25,000 audio recordings on a publicly accessible database, according to a report by Motherboard on 22 March.

Although the database didn’t include names or contact information, it did contain call records and photos that could be used to identify the phones’ owners.

According to researchers, the app’s developer had hardcoded the database URL directly into the app. The app itself lets the operator read the target’s phone contacts and texts and even trigger remote recordings without the target’s knowledge. A URL baked into a distributed app is recoverable by anyone who pulls the APK apart, so hardcoding it offered no protection for a database that was already publicly accessible.
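The check a researcher runs to recover an endpoint like this is simply to unpack the APK (a zip archive) and search its code and resource entries for URL-shaped strings. The script below is an added example, not code from the article, from Motherboard or from MobiiSpy; it builds a small stand-in APK in memory so it runs offline, and the hostnames in it (db.example.invalid and so on) are constructed placeholders, not the real backend.

```python
"""Scan an APK (a zip archive) for hard-coded URLs.

Added example: the sample APK is constructed below so the script runs
offline, and every hostname in it is a placeholder.
"""
import io
import re
import zipfile

# URL schemes a mobile backend is likely to use; the character class is the
# set of bytes legal in a URL, so a match ends at a NUL, a quote or a '<'.
URL_RE = re.compile(rb"(?:https?|mongodb|ftp)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Entries worth scanning: compiled code, resources, native libs, config.
INTERESTING = (".dex", ".xml", ".json", ".properties", ".so", "resources.arsc")


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry_name: [urls...]} for every interesting entry that
    contains at least one URL. URLs are deduplicated and sorted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(INTERESTING):
                continue
            data = zf.read(info.filename)
            hits = sorted({m.decode("utf-8", "replace") for m in URL_RE.findall(data)})
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a spyware APK: a fake classes.dex with a
    backend URL embedded among binary bytes, a strings.xml with a database
    URI, and an unrelated text entry that the filter should skip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16
            + b"https://db.example.invalid:8080/api/uploads\x00"
            + b"Lcom/example/spy/Uploader;\x00",
        )
        zf.writestr(
            "res/values/strings.xml",
            b'<resources><string name="api">'
            b"mongodb://db.example.invalid:27017/spy</string></resources>",
        )
        zf.writestr("README.txt", b"https://ignored.example.invalid/")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, urls in scan_apk(build_sample_apk()).items():
        print(entry)
        for url in urls:
            print("    ", url)
```

Against a real APK you would pass the file's bytes to `scan_apk` (or run a proper decompiler and grep its output); the point is that nothing in the app stops a third party from reading the same endpoint the app uses. Finding the URL is only the first step, and the exposure itself comes from the database answering anyone who connects to it.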

The breach was so bad that Motherboard couldn’t name the company while the databases were still up.

Security researcher Cian Heasley found the database and notified the publication, which then tried to get the vendor to take it down. The company’s owner, John Nguyen, reportedly wouldn’t respond to emails sent to multiple addresses.

Meanwhile, the app was still in use and the pictures and audio recordings were stacking up every day. When Motherboard originally reported the story, the data had been publicly available for at least six weeks.

Motherboard also tried to alert GoDaddy, which is the domain registrar for the Mobiispy.com website, but the company reportedly said there wasn’t much it could do. At the time of writing, the MobiiSpy website is inaccessible.

Codero, the hosting company whose servers housed the exposed databases, wouldn’t return reporters’ emails either, the publication said. It did act after Motherboard published the story, however, finally taking the database down.

Dodgy app vendors 0 – Internet 2

This is the second case this month of negligent app developers failing to step up. Earlier this week, we wrote about React Apps Pty, whose Family Locator app enabled people to track family members online. It had failed to respond to emails from journalists or researchers after leaving its database publicly exposed. That database included real-time user location data along with other personal information. Microsoft eventually intervened and took the site offline.

Aside from the fact that it was spewing people’s intimate data onto the internet for anyone to see, the MobiiSpy app was designed to track unwitting users. Archived versions of the site offered customers the chance to:

MobiiSpy makes it super easy for you to keep a monitor on your children and employees anywhere and all the time.

and…

Silently track text messages, GPS locations, call recorder, track WhatsApp without rooting.

This means that the highly sensitive data could have been collected not only from children but from anyone else the customer decided to stalk, without their consent and without their ever knowing that their photos, recordings and other information had been made public. It’s difficult to imagine a more egregious breach of privacy, or a less forgivable lack of response on the developers’ part.