A Portuguese-language spyware named WebDetetive has been used to compromise over 76,000 Android smartphones, primarily in South America and above all in Brazil. WebDetetive is the latest in a series of phone spyware companies to have been hacked in recent months.
The hackers, whose identity remains unknown, found and exploited several security vulnerabilities to break into WebDetetive's servers and gain access to its user databases. They also exploited weaknesses in the spyware maker's web dashboard, which abusers use to view the data stolen from their targets' phones. Through the dashboard they were able to pull every record it held, including customer email addresses.
The hackers also utilized their dashboard access to remove victim devices from the spyware network, effectively severing the server-level connection and preventing further data uploads. In a statement, the hackers asserted their motivation was to combat such intrusive spyware.
The cache of stolen data, comprising over 1.5 gigabytes, did not include the actual content from the victims' phones. DDoSecrets, a nonprofit group dedicated to transparency and data exposure, received the WebDetetive data and shared it with TechCrunch for analysis.
The data disclosed that WebDetetive had already compromised 76,794 devices at the time of the breach. It also revealed 74,336 unique customer email addresses. Notably, WebDetetive does not verify customer email addresses during registration, making it challenging to analyze the user base.
The identity of the hackers behind the WebDetetive breach remains unknown, and no contact information was provided. TechCrunch independently verified the authenticity of the stolen data by cross-referencing device identifiers in the cache with a publicly accessible endpoint on WebDetetive's server.
WebDetetive is categorized as a phone monitoring application that is surreptitiously installed on a person's phone without their consent, typically by someone who knows the phone's passcode. Once installed, it disguises itself on the phone's home screen, making it difficult to detect and remove. The spyware then immediately begins uploading the phone's contents, including messages, call logs, photos, call and microphone recordings, social media data, and real-time location information, to its servers.
Despite the extensive access these "stalkerware" or "spouseware" applications have to a victim's private data, they are known for poor-quality code, which further endangers the data already taken from victims.
Little is known about WebDetetive, as spyware makers often conceal their identities to avoid legal repercussions. However, it appears to have strong connections to OwnSpy, another widely used phone spying app. Analysis of WebDetetive's Android app revealed it to be a repackaged version of OwnSpy's spyware, even retaining references to OwnSpy in its user agent.
OwnSpy, developed in Spain by Mobile Innovations and run by Antonio Calatrava, has been in operation since at least 2010 and claims 50,000 customers. OwnSpy also offers an affiliate program for promoting the app, potentially creating operational links between OwnSpy and WebDetetive.
WebDetetive is the second spyware maker targeted by a data-destructive hack in recent months, highlighting the vulnerabilities inherent in these types of applications. Such attacks could have unintended consequences for victims of spyware, potentially putting them at risk.
The WebDetetive data breach has raised concerns about customer notification and the security of the stolen data. Victims of spyware are advised to seek support from organizations like the Coalition Against Stalkerware.
To identify and remove WebDetetive, users can look for its "WiFi" icon, which mimics the Android system Wi-Fi app. In the app info screen it is listed as "Sistema." Removing Android spyware should be done cautiously, and users are encouraged to make sure Google Play Protect is enabled for added protection.
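The identification step above, checking for an app that presents itself as a system component but is not installed on a system partition, can be scripted for anyone triaging a device over adb. The Python below is an added example written for this page, not code from the article, from TechCrunch, or from WebDetetive or OwnSpy. The `pm list packages -f` lines, the package name `com.example.sistema` and the label table are constructed placeholders (WebDetetive's real package name is not given in the article), and the launcher labels are assumed to have been collected separately, for example with `aapt dump badging` on each APK.

```python
import re
from typing import Dict, List, Tuple

# Partitions on which Android's own, vendor-supplied apps are installed.
SYSTEM_PARTITIONS: Tuple[str, ...] = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# Launcher labels that imitate system components. "Sistema" and "WiFi" are the
# two names the article reports for WebDetetive; compared case-insensitively.
LOOKALIKE_LABELS: Tuple[str, ...] = ("sistema", "wifi", "wi-fi")

# Constructed sample of `adb shell pm list packages -f` output. Only the two
# com.android.* packages are real Android package names; com.example.sistema
# is a placeholder, not WebDetetive's actual package.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/data/app/~~Qk3x==/com.example.sistema-7Hf==/base.apk=com.example.sistema
package:/data/app/~~Lm9p==/org.example.notes-2Bc==/base.apk=org.example.notes
"""

# Constructed label table (package -> launcher label), assumed to have been
# gathered per APK with `aapt dump badging` (application-label field).
SAMPLE_LABELS: Dict[str, str] = {
    "com.android.settings": "Settings",
    "com.android.vending": "Google Play Store",
    "com.example.sistema": "Sistema",
    "org.example.notes": "Notes",
}

_PACKAGE_NAME = re.compile(r"^[A-Za-z0-9_.]+$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    Each line has the form `package:<apk path>=<package name>`. The path itself
    may contain '=' (Android 11+ uses `~~…==` directory names), so split on the
    last '=' only.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and _PACKAGE_NAME.match(pkg):
            result[pkg] = path
    return result


def is_system_partition(apk_path: str) -> bool:
    """True if the APK lives where Android's own apps are installed."""
    return apk_path.startswith(SYSTEM_PARTITIONS)


def flag_system_lookalikes(paths: Dict[str, str],
                           labels: Dict[str, str],
                           lookalikes: Tuple[str, ...] = LOOKALIKE_LABELS) -> List[str]:
    """Return user-installed packages whose launcher label imitates a system app.

    A genuine system component would be on a system partition; a package under
    /data/app calling itself "Sistema" or "WiFi" is the pattern the article
    describes and is worth a closer look in the app info screen.
    """
    flagged: List[str] = []
    for pkg, path in sorted(paths.items()):
        label = labels.get(pkg, "").strip().lower()
        if label in lookalikes and not is_system_partition(path):
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    inventory = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in flag_system_lookalikes(inventory, SAMPLE_LABELS):
        print(f"review: {pkg} labelled {SAMPLE_LABELS[pkg]!r} at {inventory[pkg]}")
```

A hit from this check is a lead, not a verdict: confirm it in the app info screen and with Play Protect before removing anything, and, as the article notes, do the removal cautiously, since the person who installed the spyware may notice when uploads stop.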