A widely used phone monitoring app called LetMeSpy has fallen victim to a hacking incident, resulting in the theft of intercepted messages, call logs, and locations, according to the company behind the spyware. LetMeSpy, marketed for parental control or employee monitoring, revealed in a notice on its login page that a security breach occurred on June 21, allowing unauthorized access to user data.
The spyware, also known as stalkerware or spouseware, is designed to remain hidden on Android phones, making it difficult to detect and remove. Once installed on a phone, LetMeSpy secretly uploads text messages, call logs, and precise location data to its servers, enabling the person who planted the app to track the device and its user in real time. These types of surveillance apps, despite their intrusive access, are often plagued with security vulnerabilities and have a history of being hacked or exposing private data.
The breach was initially reported by Polish security research blog Niebezpiecznik, which reached out to LetMeSpy for comment but received a response from the hacker instead. The hacker claimed to have gained extensive access to the spyware maker’s domain. The motive behind the hack and the identity of the perpetrator remain unclear. The hacker suggested that they had deleted LetMeSpy’s databases stored on the server, and a copy of the hacked database later surfaced online.
DDoSecrets, a nonprofit transparency collective, obtained a copy of the compromised LetMeSpy data and shared it with TechCrunch. The database contained records on approximately 13,000 compromised devices, although some devices had limited or no data associated with LetMeSpy. The leaked data included personally identifiable information, raising concerns about privacy and security.
At its peak, LetMeSpy’s website claimed to track over 236,000 devices and collect vast amounts of call logs, text messages, and location data. However, the site’s counters now display zero, and the site’s functionality, including the spyware app itself, appears to be broken. Analysis of the LetMeSpy phone app’s network traffic showed that it was non-functional at the time of investigation.
The compromised database also exposed over 13,400 location data points for thousands of victims, with a majority of the victims located in the United States, India, and Western Africa. Additionally, the leaked data contained LetMeSpy’s master database, including information on 26,000 customers who used the spyware for free and the email addresses of paying subscribers.
The developer behind LetMeSpy, Rafal Lidwin, based in Krakow, Poland, was identified through the leaked database. Lidwin did not respond to requests for comment. LetMeSpy stated that it had notified law enforcement and the Polish data protection authority regarding the breach, but it remains uncertain if the affected users will be individually notified.
Victims of spyware face challenges in identifying whether their data has been compromised, as the leaked LetMeSpy data lacks identifiable information. Moreover, notifying victims can potentially alert the perpetrators, posing safety risks. Android spyware apps, including LetMeSpy, are often disguised as system apps, but LetMeSpy is relatively easy to locate and uninstall: it appears under the name “LMS” with a distinct icon.
The incident serves as a reminder of the risks associated with phone monitoring apps and the importance of maintaining robust security measures to protect personal data from unauthorized access and potential abuse.








