FTC bans 'brazen' stalkerware maker SpyFone, orders data deletion, alerts to victims
Insecure systems were compromised by miscreant, too, watchdog said
America's trade watchdog today banned stalkerware developer SpyFone and its CEO from the surveillance industry, effectively putting an end to its business.
The outfit makes an Android app that can be secretly installed on someone's smartphone; once in place, the software relays back information about the handheld and its user to SpyFone's systems so that whoever installed the program can remotely monitor their victim in real time, block other apps from being installed, send spoofed messages as the victim, and so on.
In effect, the FTC said, Support King LLC, which traded as SpyFone, and its CEO Scott Zuckerman, "secretly harvested and shared data on people’s physical movements, phone use, and online activities" and allowed "stalkers and domestic abusers to stealthily track the potential targets of their violence."
The watchdog added that the app could be used to “surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge.”
SpyFone charged $119.95 for three months, or $199.95 for twelve months, of remote access to email and message content, contacts, photos, and even video chats, not to mention precise location data. Its website domain name, spyfone.com, has since been bought by another maker of tracker-ware.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection.
What's more, SpyFone was insecure, and if miscreants knew where to look, they could also collect victims' personal info without any authorization required, according to the FTC. Subscribers' passwords were also sent over networks in plain text, and harvested data was not encrypted at rest, the agency added.
“The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security," Levine said. "This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."
And indeed, someone did compromise SpyFone's back-end systems three years ago, we're told.
"After a hacker accessed the company’s server and obtained personal data of about 2,200 consumers in August 2018, the company promised purchasers that it would work with an outside data security firm and law enforcement authorities to investigate the incident," the agency said.
"The FTC, however, alleges that the company failed to follow through on this promise."
The watchdog went on:
To install its software, SpyFone required purchasers who used the apps on Android devices to bypass many of the phone’s restrictions. The stalkerware company also provided instructions on how to hide the app so that the device user was unaware the device was being monitored, the FTC alleged. In order to use some functions, such as monitoring email, purchasers had to “root” a phone on which the app is installed, which also could void warranties and expose the device to security risks.
Zuckerman and Support King are to be banned from "offering, promoting, selling, or advertising any surveillance app, service, or business" under the proposed settlement [PDF] between the FTC and the app maker.
The outfit is also required "to delete any information illegally collected from their stalkerware apps," and it must "notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the devices might not be secure."
In its seven-page administrative complaint against the app developer, the FTC noted that SpyFone's offerings were marketed at keeping tabs on children and employees [PDF].
It went on to assert that these types of apps are also “used by stalkers and domestic abusers to monitor their victims’ physical movements and online activities, as well as to obtain their sensitive personal information without authorization.”
As per usual, the FTC isn't looking for an admission of guilt. After a period of 30 days in which the public can comment on this settlement, the FTC will decide whether to finalize its deal with SpyFone to end the matter.
The FTC brings an administrative complaint when it believes a law has been broken. In this case, that law is Section 5 of the FTC Act, which covers unfair or deceptive acts or practices, and which the app maker allegedly violated by breaking its promises after the 2018 server intrusion.
A spokesperson for Support King was not immediately available to comment. ®