Image Credits: Bryce Durbin/TechCrunch

A spyware app designed to “monitor everything” on a victim’s phone has been secretly installed on thousands of phones.

The app, KidsGuard, claims it can “access all the information” on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls.

But a misconfigured server meant the app was also spilling out the secretly uploaded contents of victims’ devices to the internet.

These consumer-grade spyware apps — also known as “stalkerware” — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their child’s activities, many have repurposed the apps to spy on their spouses. That’s prompted privacy groups and security firms to work together to help better identify stalkerware.

KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a “stealthy” way to keep children safe, but also can be used to “catch a cheating spouse or monitor employees.”

But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.

The app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes. (ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Apple’s policies.) The app has to be installed by a person with physical access to a victim’s phone, but the app does not require rooting or jailbreaking. The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, which helps to prevent malicious apps from running.

Once installed, ClevGuard says its app works in “stealth” and isn’t visible to the victim. It does that by masquerading itself as an Android “system update” app, which looks near-indistinguishable from legitimate system services.

And because there’s no app icon, it’s difficult for a victim to know their device has been compromised.

Because we only had the Android app and not a paid subscription to the service, we were limited in how much we could test. Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victim’s phone, including what’s stored in their photos and video apps, and recordings of the victim’s phone calls.

The app also exposes who the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and the app also boasts the ability to monitor a victim’s activities on dating apps like Tinder. The app secretly takes screenshots of a victim’s conversations in apps like Snapchat and Signal to capture the messages before they are set to disappear.

The spyware app maker can also record and monitor the precise location of a device, and access their browsing history.

Although the app says it can access a victim’s contacts, the uploaded data stored in the exposed bucket did not include contact lists or easily identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.

But one victim we spoke to said she found out just a few days earlier that spyware had been installed on her phone.

“It was my husband,” said the victim. The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone. “I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,” she said.

ClevGuard shut down the exposed cloud storage bucket after we contacted the company. We also contacted Alibaba, which also alerted the company of the exposure.

“This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,” said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, who also examined the app.

“The fact that this also includes the data of young children is both alarming and sickening,” said Quintin. “This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware industry.”

It’s the latest in a long stream of spyware companies that have either had data breaches or exposed systems. Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy. The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving sensitive victim data.

If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849.