FTC bans 'brazen' stalkerware maker SpyFone, orders data deletion, alerts to victims

Insecure systems were compromised by miscreant, too, watchdog said

America's trade watchdog today banned stalkerware developer SpyFone and its CEO from the surveillance industry, effectively putting an end to its business.

The outfit makes an Android app that can be secretly installed on someone's smartphone; once in place, the software relays back information about the handheld and its user to SpyFone's systems so that whoever installed the program can remotely monitor their victim in real time, block other apps from being installed, send spoofed messages as the victim, and so on.

In effect, the FTC said, Support King LLC, which traded as SpyFone, and its CEO Scott Zuckerman, "secretly harvested and shared data on people’s physical movements, phone use, and online activities" and allowed "stalkers and domestic abusers to stealthily track the potential targets of their violence."

The watchdog added that the app could be used to “surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge.”

SpyFone charged $119.95 for three months, or $199.95 for twelve months, of remote access to email and message content, contacts, photos, and even video chats, not to mention precise location data. Its website domain name, spyfone.com, has since been bought by another maker of tracker-ware.

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection.

What's more, SpyFone was insecure, and if miscreants knew where to look, they could also collect victims' personal info without any authorization required, according to the FTC. Subscribers' passwords were also sent over networks in plain text, and harvested data was not encrypted at rest, the agency added.

“The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security,” Levine said. "This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."

And indeed, someone did compromise SpyFone's back-end systems three years ago, we're told.

"After a hacker accessed the company’s server and obtained personal data of about 2,200 consumers in August 2018, the company promised purchasers that it would work with an outside data security firm and law enforcement authorities to investigate the incident," the agency said.

"The FTC, however, alleges that the company failed to follow through on this promise."

The watchdog went on:

To install its software, SpyFone required purchasers who used the apps on Android devices to bypass many of the phone’s restrictions. The stalkerware company also provided instructions on how to hide the app so that the device user was unaware the device was being monitored, the FTC alleged. In order to use some functions, such as monitoring email, purchasers had to “root” a phone on which the app is installed, which also could void warranties and expose the device to security risks.

Zuckerman and Support King are to be banned from "offering, promoting, selling, or advertising any surveillance app, service, or business" under the proposed settlement [PDF] between the FTC and the app maker.

The outfit is also required "to delete any information illegally collected from their stalkerware apps," and it must "notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the devices might not be secure."

In its seven-page administrative complaint against the app developer, the FTC noted that SpyFone's offerings were marketed for keeping tabs on children and employees [PDF].

It went on to assert that these types of apps are also “used by stalkers and domestic abusers to monitor their victims’ physical movements and online activities, as well as to obtain their sensitive personal information without authorization.”

As per usual, the FTC isn't looking for an admission of guilt. After a period of 30 days in which the public can comment on this settlement, the FTC will decide whether to finalize its deal with SpyFone to end the matter.

The FTC brings an administrative complaint when it believes a law has been broken – in this case, Section 5 of the FTC Act, which covers unfair or deceptive acts or practices. The app maker allegedly violated it by breaking its promises after the 2018 server intrusion.

A spokesperson for Support King was not immediately available to comment. ®
