A dangerous spyware application called “Spyhide” has targeted and compromised over 60,000 Android devices worldwide, allowing the attackers to steal sensitive data from unsuspecting victims. Operating in stealth mode, these spyware apps remain hidden on the victim’s device, making them difficult to detect.
Spyhide’s Vulnerability Exposed
A hacker known as “maia arson crimew,” based in Switzerland, discovered a critical vulnerability in the developers’ coding of Spyhide. This flaw exposed a portion of the app’s development environment, granting access to the source code of the web-based dashboard. The poorly coded dashboard allowed unauthorized access to its backend databases, leading to a massive leak of sensitive data belonging to numerous victims worldwide.
The Extent of the Data Breach
The backend database of Spyhide contained records of approximately 60,000 compromised devices dating back to 2016. The stolen data encompassed call logs, text messages, location history, photos, and image metadata. The attackers used offline geospatial and mapping software, revealing clusters of thousands of victims across Europe and Brazil.
The Severity of the Data Leak
The United States was significantly affected, with around 3,100 compromised devices. Among these, some of the most heavily surveilled victims were traced through analysis of their location data. One particularly compromised device uploaded a staggering 100,000 data points, all within the U.S. The database also revealed 750,000 users who intended to infect other people's devices with the spyware.
Types of Stolen Data
The compromised devices' data included 3.29 million text messages, 1.2 million call logs, 312,000 recording files, 925,000 contact lists, 382,000 photos and images, and 6,000 ambient recordings. Among the text messages was highly sensitive information such as two-factor authentication codes and password reset links.
Identifying the Developers
Spyware administrators often attempt to conceal their identities to evade legal consequences. However, the source code of Spyhide led to two developers: Mostafa M and Mohammed A. Mostafa M was identified as residing in Dubai based on his LinkedIn profile, while the other developer lived in the same northeastern Iranian city.
Hosting and Takedown
Since spyware apps are banned from the Google Play Store, users have to download them from the software’s official website. Spyhide was hosted by the German-based provider Hetzner, but the domain was eventually seized after Hetzner reported the spyware hosting. The spyware apps disguise themselves as legitimate applications, using icons like “Google Settings” or “T.Ringtone” with musical cog icons.
To protect their devices, users are strongly advised to download applications only from reputable app markets such as the Google Play Store or the App Store. Additionally, using spyware detection tools such as Google Play Protect can help identify spyware and prevent it from sending data.
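Because spyware of this kind cannot be distributed through the Play Store, one practical check for a defender or a help-desk technician is to list which installer put each app on a device and review anything that did not come from a trusted store. The script below is an added example, not code from the article or from any researcher it cites: it parses the output of `adb shell pm list packages -i` (the sample output, package names and installer names here are constructed for the example) and flags non-system packages whose installer is not on a trusted list. The system-package prefixes and the trusted-installer set are assumptions to adapt to your own fleet.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not from the article).
# The package manager reports "installer=null" for system apps and for sideloaded apps.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings  installer=null
package:com.google.android.gms  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.ringtone  installer=null
package:com.example.game  installer=com.android.vending
package:com.example.mdmagent  installer=com.samsung.android.app.knox
"""

# Assumption: these prefixes stand in for the device's real system packages, which are
# also reported with installer=null. A production check would instead take the
# authoritative list from `pm list packages -s`.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.", "android")

# Assumption: Google Play is the only trusted store. Add an OEM store or an enterprise
# MDM installer here if your devices legitimately use one.
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_list(text):
    """Parse `pm list packages -i` output into (package, installer) pairs.

    installer is None when the package manager prints 'null'.
    Lines that do not match the expected format are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        installer = m.group("installer")
        entries.append((m.group("pkg"), None if installer == "null" else installer))
    return entries


def is_system_package(pkg):
    """True for packages we treat as part of the system image (see SYSTEM_PREFIXES)."""
    return pkg.startswith(SYSTEM_PREFIXES)


def find_sideloaded(text, trusted_installers=TRUSTED_INSTALLERS):
    """Return (package, installer) for non-system apps not installed by a trusted store.

    A sideloaded app shows installer=None; an app from an unexpected store shows
    that store's package name. Both are returned for human review.
    """
    flagged = []
    for pkg, installer in parse_pm_list(text):
        if is_system_package(pkg):
            continue
        if installer in trusted_installers:
            continue
        flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    # In practice feed this the real output:  adb shell pm list packages -i
    for pkg, installer in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"review: {pkg} (installer={installer or 'none'})")
```

A flagged package is not proof of spyware; it is a candidate for review, and a Play Protect scan or a manual look at the app's label and permissions should follow. The installer field can also be blank for apps restored from a backup, so expect some benign hits.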
The Spyhide spyware app represents a significant threat to Android users worldwide, compromising over 60,000 devices and stealing sensitive data. The breach highlights the importance of staying vigilant and taking appropriate precautions to safeguard personal information and prevent such attacks.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.