Xnspy stalkerware spied on thousands of iPhones and Android devices
A little known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised.
Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child’s activities, but is expressly marketed to spy on a spouse or domestic partner’s devices without their consent. Its website boasts, “to catch a cheating spouse, you need Xnspy on your side,” and, “Xnspy makes reporting and data extraction simple for you.”
Stalkerware apps, also known as spyware, are secretly planted by someone with physical access to a person’s phone, bypass the security protections on the device, and are designed to stay hidden from home screens, making it difficult to track. Once installed, these apps will silently and continuously upload the contents of a person’s phone, including their call records, text messages, photos, browsing history and precise location data, giving the person who planted the app almost complete access to their victim’s give data.
But new findings show many stalkerware apps are riddled with security flaws and expose the data stolen from victims’ phones. Xnspy is no different.
Security researchers Vangelis Stykas and Felipe Solferini spent months decompiling several known stalkerware applications and analyzing the edges of the networks to which the applications send data. Their research, presented at BSides London this month, identified common and easy-to-find security flaws in several stalkerware families, including Xnspy, such as credentials and private keys left in the code by the developers and broken or non- existing encryption. In some cases, the bugs expose the victims’ stolen data, which is now sitting on someone else’s insecure servers.
During their research, Stykas and Solferini discovered clues and artifacts that identified the individuals behind each operation, but they refused to share details of the vulnerabilities with the stalkerware operators or disclose details of the flaws publicly for fear that it will benefit malicious hackers and beyond. harm victims. Stykas and Solferini said that all the bugs they found are easy to exploit and have likely been around for years.
Others have waded into darker legal waters by exploiting those easy-to-find vulnerabilities with the ostensible goal of exposing stalkerware operations as a form of vigilantism. A large cache of internal data taken from the servers of TheTruthSpy stalkerware and its affiliate apps and given to TechCrunch earlier this year allowed us to notify thousands of victims whose devices had been compromised.
Since our investigation into TheTruthSpy, TechCrunch has obtained further caches of stalkerware data, including from Xnspy, exposing their operations and the individuals who benefit from the surveillance.
Xnspy advertises its phone monitoring app for spying on a person’s spouse or domestic partner. Image credits: TechCrunch (screenshot)
Data seen by TechCrunch shows Xnspy has at least 60,000 victims dating back to 2014, including thousands of newer compromises recorded as recently as 2022. The majority of victims are Android owners, but Xnspy also has data taken from thousands of iPhones.
Many stalkerware apps are built for Android, as it’s easier to plant a malicious app than on an iPhone, which has tighter restrictions on what apps can be installed and what data can be accessed. Instead of planting a malicious app, stalkerware for iPhones taps a device’s backup stored in Apple’s cloud storage service iCloud.
Armed with a victim’s iCloud credentials, the stalkerware continuously downloads the device’s most recent iCloud backup directly from Apple’s servers without the owner’s knowledge. iCloud backups contain the majority of a person’s device data, which allows the stalkerware to steal their messages, photos, and other information. Enabling two-factor authentication makes it much more difficult for malicious individuals to compromise a person’s online account.
The data we saw contained more than 10,000 unique iCloud email addresses and passwords used to access a victim’s cloud-stored data, although many of the iCloud accounts were linked to more than one device. Of that number, the data contains more than 6,600 authentication tokens, which were actively used to exfiltrate victims’ device data from Apple’s cloud, although many have expired. Given the possibility of ongoing risk to victims, TechCrunch provided the list of compromised iCloud credentials to Apple prior to publication.
The Xnspy data we obtained was unencrypted. It also included information that further unmasked Xnspy’s developers.
Konext is a small development company in Lahore, Pakistan, staffed by a dozen employees, according to its LinkedIn page. The new company’s website says the company specializes in “custom software for businesses looking for all-in-one solutions,” and claims to have built dozens of mobile apps and games.
What Konext does not advertise is that it develops and maintains the Xnspy stalkerware.
The data seen by TechCrunch included a list of names, email addresses and scrambled passwords registered exclusively to Konext developers and employees for access to internal Xnspy systems.
The cache also contained Xnspy credentials for a third-party payment provider linked to the email address of Konext’s chief systems architect, according to his LinkedIn, and believed to be the lead developer behind the spyware operation. Other Konext developers used credit cards registered to their own home addresses in Lahore for testing the payment systems used for Xnspy and TrackMyFone, an Xnspy clone also developed by Konext.
Some of Konext’s employees are located in Cyprus, the data shows.
Konext, like other stalkerware developers, makes a concerted effort to conceal its activities and keep the identities of its developers from the public, likely to protect against the legal and reputational risks associated with facilitating covert surveillance on a massive scale. But coding errors left behind by Konext’s own developers further link its involvement in the development of stalkerware.
TechCrunch found that Konext’s website is hosted on the same dedicated server as the website for TrackMyFone, as well as Serfolet, a Cyprus-based entity with a conspicuously barebones website, which Xnspy says processes refunds on behalf of its customers. No other websites are hosted on the server.
TechCrunch contacted Konext’s chief systems architect by email for comment, both to his Konext and Xnspy email addresses. Instead, a person named Sal, whose Konext email address was also in the data but declined to provide their full name, responded to our email. Sal did not dispute or deny the company’s links to Xnspy in a series of emails with TechCrunch, but declined to comment. When asked about the number of devices compromised, Sal appeared to confirm his company’s involvement, saying in one email that “the numbers you quoted don’t match what we have.” When asked for clarification, Sal did not elaborate.
Xnspy is the latest in a long list of flawed stalkerware apps: mSpy, Mobistealth, Flexispy, Family Orbit, KidsGuard and TheTruthSpy have all exposed or compromised their victims’ data in recent years.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support to victims of domestic abuse and violence 24/7. If you’re in an emergency situation, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or [email protected] by email.