Miscreants leak texts and info siphoned by Android stalkerware app LetMeSpy

It's bad enough there's some Android stalkerware out there with the not-at-all-creepy moniker LetMeSpy. Now someone's got hold of the information the app collects – such as victims' text messages and call logs – as well as the email addresses of those who sought out the software, and leaked it all.

The stolen data has been circulating online for at least a few days, we're told, and the spyware's users – those who got the app to put on someone else's device – reportedly include government workers and a ton of US college students.

The Polish developer of the app said the information was swiped in a "security incident" that happened on June 21, when someone obtained "unauthorized access" to its website's databases.

Yes, we appreciate the irony of the maker of a phone-monitoring app that boasts about secretly collecting call logs, text messages, and whereabouts while remaining "invisible to the user" admitting that someone else gained unauthorized access to their information.

Simply put, people can get a paid-for or free copy of LetMeSpy, install it on someone else's Android phone – think a partner, employee, relative, etc – have the app hide itself from view, and then collect from that device copies of their messages, logs, and other data. Now that information, accessible via LetMeSpy's website, along with details of those signing up for the software, has been exfiltrated.

"As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," according to an alert on the LetMeSpy login page.

"In order to ensure security, all account-related functions of the website were disabled immediately after the incident was discovered," the notice continued. "They will be restored after the vulnerability exploited by the attackers is removed. Additional measures will also be taken to increase the level of data security."

The stalkerware slinger said it informed the cops and a data-protection watchdog about the privacy breach. LetMeSpy did not immediately respond to The Register's questions.

At least one security researcher, Maia Arson Crimew, said she received a link to the stolen data, and decided to take a look for part one of her new series, #FuckStalkerware.

The purloined data included call logs, messages, geolocations, IP addresses, payment logs, user IDs, email addresses, and customer account password hashes, Crimew wrote on their blog. 

Around 10,000 phones were registered for the spyware, though not all of them actually were spied upon, it appears. The app seems to only work for Android 4 to 7.

• US stalkerware developer fined $410,000 and ordered to modify apps so they reveal spying
• FTC bans 'brazen' stalkerware maker SpyFone, orders data deletion, alerts to victims
• One year after Roe v Wade overturned and 'uterus surveillance' looks grim
• Apple squashes kernel bug used by TriangleDB spyware

Additionally, a quick scan of email domains indicates that two Malaysian and one Jordanian government worker signed up for the spyware service, along with a Broussard police officer, and an employee from a competing stalkerware product, according to Crimew. 

"After a cursory glance at the dumped database and call/message logs it however doesn't appear like any of the above users have actually really used the product in any capacity," Crimew wrote. "Another concering [sic] thing i noticed however in the list of email addresses/domains is just how many US college students appear to be using stalkerware such as this, though i guess it does fit the US college culture to be spying on partners in such a manner."

For its part, LetMeSpy bills itself as a tool for parental and employee control — or even a helpful piece of software for absent-minded Android users prone to either losing or forgetting their phones. According to its "Why LetMeSpy" info on the website:

It does note that "phone control without your knowledge and consent may be illegal in your country," and advises that if you use the software on someone else's phone, "always inform about privacy restrictions." 

But somehow we have a hard time believing that all of its users are aboveboard.  ®