A year after it was banned by the Federal Trade Commission, a notorious phone surveillance company is returning in all but name, a TechCrunch investigation has found.
In 2021, the FTC’s landmark order banned the stalkerware app SpyFone, its parent company Support King, and its CEO Scott Zuckerman from the surveillance industry. The settlement, approved unanimously by five sitting commissioners of the regulator, also required Support King to delete phone data it illegally collected and notify victims that its app was secretly installed on their device.
Stalkerware, or spouseware, refers to apps that are surreptitiously installed by someone with physical access to a person’s phone, often under the guise of family tracking or child monitoring. These apps are designed to hide from home screens while silently uploading the contents of a person’s phone, including text messages, photos, browsing history, and specific location data.
But many stalkerware apps like KidsGuard, TheTruthSpy, and Xnspy have security flaws that put thousands of people’s personal phone data at risk of further compromise.
That includes SpyFone, whose insecure cloud storage server leaked personal data stolen from more than 2,000 victims’ phones, prompting the FTC to investigate and subsequently ban Support King and its CEO Zuckerman from offering, distributing, promoting or otherwise supporting the sale of surveillance apps.
TechCrunch has since obtained further tranches of data, including from the internal servers of a stalkerware application called SpyTrac, run by developers with ties to Support King.
Meet Aztec Labs!
With over 1.3 million compromised devices, SpyTrac is one of the most popular Android stalkerware operations, with three times as many victims as TheTruthSpy. Despite its vast international reach, US visitors to SpyTrac’s website are blocked by a terse message stating “your country is not supported.”
But SpyTrac works like any other stalkerware app, including in its ability to stay hidden on the victim’s device. SpyTrac’s website also does not identify the individuals who run the operation, which likely protects developers from the legal and reputational risks associated with running a stalkerware operation.
According to data and other public records seen by TechCrunch, SpyTrac is managed by developers who work for both Support King and a developer called Aztec Labs, which builds and maintains the SpyTrac stalkerware operation. Aztec Labs also maintains a nearly identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”) and another clone stalkerware app called StealthX Pro, the data shows.
Certain data found on SpyTrac’s server directly links SpyTrac to Support King.
One of the server files contained Amazon Web Services private keys that allow access to cloud storage associated with Support King and GovAssist, a website that claims to help immigrants obtain US visas and permanent residency. The keys also allow access to cloud storage for OneClickMonitor, the clone stalkerware app that Support King shut down at the same time as SpyFone.
Both Support King and GovAssist are led by CEO Scott Zuckerman.
When reached by email, Zuckerman told TechCrunch: “We are investigating your claims that SpyTrac’s internal data stored AWS keys that could be connected to S3 buckets related to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC’s order.”
Access logs seen by TechCrunch show at least two Aztec Labs developers accessing SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both developers logged in from IP addresses registered to a Bosnian residential broadband provider using credentials associated with Aztec Labs, SpyTrac and Support King email addresses.
One of the developers is a technical lead at Aztec Labs, whose LinkedIn says he is based in Sarajevo. His other public freelance portfolios list his work as a project manager at Support King, a role he describes as “managing the entire IT team.”
According to LinkedIn profiles and other work portfolios, the technical lead and other SpyTrac developers are also working on Zuckerman’s latest venture, GovAssist.
The access logs also show a third developer accessing SpyTrac’s servers, also from their home IP address in Sarajevo, using different credentials associated with Support King, Aztec Labs, and GovAssist email addresses.
In response, Zuckerman told TechCrunch: “Neither I nor my business is affiliated with Aztec Labs, SpyTrac or [the technical lead, who] worked as an independent contractor for Support King from June 2019 to October 2021. We also do not have access to SpyTrac’s servers.”
SpyFone, the stalkerware app that was banned by the FTC in September 2021, is no longer available.
Internal SpyTrac data we’ve seen shows that SpyFone issued its last client license just days before the FTC banned it. The SpyFone domain name was sold to another phone surveillance manufacturer, SpyPhone. Customers trying to access SpyFone’s web console, which was used to access stolen victim data, were redirected to SpyPhone’s website instead.
The FTC’s 2021 order also required Support King to delete the data it illegally collected from SpyFone. But internal SpyTrac data seen by TechCrunch still contains thousands of records related to SpyFone licenses assigned to buyers’ email addresses.
Every SpyFone license was sold by a reseller with a Support King email address, the data showed.
SpyTrac has also caught the attention of security researchers Vangelis Stykas and Felipe Solferini, whose months-long research found common and easy-to-find security flaws in several stalkerware families, including SpyTrac. Their findings, which they presented this month at BSides in London, involved decompiling the applications and mapping their server infrastructure using public Internet data. Their evidence links SpyTrac to Support King.
Zuckerman replied: “Support King has deleted all data on its servers related to SpyFone and OneClickMonitor customers in compliance with the FTC’s order.”
Shortly after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a “product temporarily unavailable” message. The websites of SpyTrac clone stalkerware apps StealthX Pro and its Spanish-language clone Espía Móvil were also taken offline. The Aztec Labs website also stopped loading.
Stalkerware is difficult to combat. These operations are secretive by design, making it difficult for regulators to investigate or to know under whose jurisdiction they fall.
In 2020, the FTC took its first action against a stalkerware operator, Retina-X, which had been hacked several times and later shut down. The FTC’s second action was against Support King a year later.
Companies that violate the FTC’s orders can face significant civil penalties. Earlier this year, Twitter was ordered to pay $150 million for violating an FTC order from 2011.
Instead, most efforts against stalkerware and other commercial surveillance have been led by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads from its search results that promote stalkerware. Anti-malware providers who are members of the Anti-Stalkerware Coalition, launched in 2019 to support stalkerware victims and survivors, share signatures of known stalkerware apps and networks with one another to block them from running on their customers’ phones.
A former FTC attorney who reviewed our findings before publication told TechCrunch that the evidence points to a possible violation of the FTC’s ban. Whether Support King violated its agreement with the FTC will ultimately be up to the agency to decide.
When reached, an FTC spokeswoman declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 support for victims of domestic violence and abuse. If you are in an emergency, call 911. The Coalition Against Stalkerware also has resources if you think your phone has been compromised by spyware. You can reach this reporter via Signal and WhatsApp at +1 646-755-8849.