FTC bans 'brazen' stalkerware maker SpyFone, orders data deletion, alerts to victims

Insecure systems were compromised by miscreant, too, watchdog said

America's trade watchdog today banned stalkerware developer SpyFone and its CEO from the surveillance industry, effectively putting an end to its business.

The outfit makes an Android app that can be secretly installed on someone's smartphone; once in place, the software relays back information about the handheld and its user to SpyFone's systems so that whoever installed the program can remotely monitor their victim in real time, block other apps from being installed, send spoofed messages as the victim, and so on.

In effect, the FTC said, Support King LLC, which traded as SpyFone, and its CEO Scott Zuckerman, "secretly harvested and shared data on people’s physical movements, phone use, and online activities" and allowed "stalkers and domestic abusers to stealthily track the potential targets of their violence."

The watchdog added that the app could be used to “surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge.”

SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information

SpyFone charged $119.95 for three months, or $199.95 for twelve months, of remote access to email and message content, contacts, photos, and even video chats, not to mention precise location data. Its website domain name, spyfone.com, has since been bought by another maker of tracker-ware.

“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection.

What's more, SpyFone was insecure, and if miscreants knew where to look, they could also collect victims' personal info without any authorization required, according to the FTC. Subscribers' passwords were also sent over networks in plain text, and harvested data was not encrypted at rest, the agency added.

“The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security," Levine said. "This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."

And indeed, someone did compromise SpyFone's back-end systems three years ago, we're told.

"After a hacker accessed the company’s server and obtained personal data of about 2,200 consumers in August 2018, the company promised purchasers that it would work with an outside data security firm and law enforcement authorities to investigate the incident," the agency said.

"The FTC, however, alleges that the company failed to follow through on this promise."

The watchdog went on:

To install its software, SpyFone required purchasers who used the apps on Android devices to bypass many of the phone’s restrictions. The stalkerware company also provided instructions on how to hide the app so that the device user was unaware the device was being monitored, the FTC alleged. In order to use some functions, such as monitoring email, purchasers had to “root” a phone on which the app is installed, which also could void warranties and expose the device to security risks.

Zuckerman and Support King are to be banned from "offering, promoting, selling, or advertising any surveillance app, service, or business" under the proposed settlement [PDF] between the FTC and the app maker.

The outfit is also required "to delete any information illegally collected from their stalkerware apps," and it must "notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the devices might not be secure."

In its seven-page administrative complaint against the app developer, the FTC noted that SpyFone's offerings were marketed at keeping tabs on children and employees [PDF].

It went on to assert that these types of apps are also “used by stalkers and domestic abusers to monitor their victims’ physical movements and online activities, as well as to obtain their sensitive personal information without authorization.”

As per usual, the FTC isn't looking for an admission of guilt. After a period of 30 days in which the public can comment on this settlement, the FTC will decide whether to finalize its deal with SpyFone to end the matter.

The FTC brings an administrative complaint when it believes a law has been broken – in this case, Section 5 of the FTC Act, which covers unfair or deceptive acts or practices, which the app maker allegedly violated by breaking its promises after the 2018 server intrusion.

A spokesperson for Support King was not immediately available to comment. ®

Similar topics

Other stories you might like

  • Heart FM's borkfast show – a fine way to start your day

    Jamie and Amanda have a new co-presenter to contend with

    There can be few things worse than Microsoft Windows elbowing itself into a presenting partnership, as seen in this digital signage for the Heart breakfast show.

    For those unfamiliar with the station, Heart is a UK national broadcaster with Global as its parent. It currently consists of a dozen or so regional stations with a number of shows broadcast nationally. Including a perky breakfast show featuring former Live and Kicking presenter Jamie Theakston and Britain's Got Talent judge, Amanda Holden.

    Continue reading
  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading

Biting the hand that feeds IT © 1998–2021