FTC bans stalkerware maker Spyfone from surveillance business

The FTC has banned stalkerware maker Spyfone and its CEO Scott Zuckerman from the surveillance business after the company failed to protect customers' devices from hackers and shared information on device owners' location and activity.

Stalkerware allows third parties to monitor your mobile device without your knowledge and collect sensitive information about your location and online activity, which can then be used for blackmail or other malicious purposes.

Such tools can lead to "gender-based and domestic violence, harassment and sexual abuse," according to the Coalition Against Stalkerware.

Ban comes after 2018 data breach

"Today, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack," the FTC said today.

"The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone's lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats."

As Samuel Levine, Acting Director of the FTC's Bureau of Consumer Protection, explained, while the stalkerware was running on owners' devices without their knowledge, the information it collected was fully exposed to hackers.

Levine referred to a data breach revealed in August 2018, caused by Spyfone leaving an Amazon S3 bucket publicly accessible. The bucket contained several terabytes of data harvested from more than 3,600 devices, including text messages, photos, audio recordings, and the users' web history.

The security researcher who discovered the exposed bucket also found that Spyfone's backend services could be accessed without credentials, making it possible to create admin accounts and gain access to customer data.

Eva Galperin, Electronic Frontier Foundation's director of cybersecurity, told Motherboard, who first reported the breach, that "Spyfone appears to be a magical combination of shady, irresponsible, and incompetent."

While Spyfone promised customers that it would work with law enforcement authorities and an outside data security firm to investigate the breach, the FTC said it failed to follow through.

Stalkerware victims to be alerted their devices are not secure

As part of a proposed settlement, the FTC now requires Support King (the company behind Spyfone) to notify the owners of devices on which its apps were installed that their devices were monitored and likely no longer secure.

Spyfone and its CEO Scott Zuckerman will also have to delete any info illegally collected using the stalkerware apps.

"This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security," Levine added today.

"We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."

Second time FTC took action against stalkerware

In October 2019, the FTC also blocked Retina-X Studios (Retina-X) from selling three stalkerware mobile apps (MobileSpy, PhoneSheriff, and TeenShield) unless they were used for legitimate purposes.

Retina-X stopped selling its apps in 2018 before the FTC settlement after its cloud storage was breached twice using unencrypted account credentials in February 2017 and with the help of 'obfuscated' credentials one year later.

The hacker stole data collected using the PhoneSheriff and TeenShield apps, "including login usernames, encrypted login passwords, text messages, GPS locations, contacts, and photos."

Before Retina-X stopped selling the three stalking apps, customers had paid for roughly 15,000 subscriptions in total (5,700+ for MobileSpy, 4,600+ for PhoneSheriff, and over 5,000 for TeenShield).

The FTC is not the only organization that has taken action against stalkerware. Google updated its Google Ads Enabling Dishonest Behavior policy to globally ban advertising for spyware and surveillance technology starting August 11, 2020.
