New Security Flaw in TheTruthSpy Phone Spyware Poses Risk to Victims
A stalkerware developer, already known for multiple data breaches, is grappling with a serious security vulnerability that allows unauthorized access to any user account and could lead to the theft of sensitive personal information, as reported by TechCrunch.
The flaw, identified by independent security researcher Swarang Wade, permits anyone to reset passwords for users of TheTruthSpy and its corresponding Android spyware applications, enabling account takeovers on the platform. Given the nature of TheTruthSpy, many users are likely running the software without obtaining consent from their targets, who may remain unaware that their phone data is being accessed by others.
This critical security concern highlights that creators of consumer spyware like TheTruthSpy—and its competitors—cannot be trusted with personal data. These surveillance applications enable illegal monitoring, often conducted by abusive partners, while demonstrating inadequate security practices that endanger the sensitive information of both victims and offenders.
TechCrunch has pinpointed at least 26 spyware operations that have compromised or exposed data in recent years, marking this as at least the fourth security issue associated with TheTruthSpy.
TechCrunch confirmed the vulnerability by providing Wade with usernames of several test accounts, which he quickly exploited to change the passwords. He attempted to inform TheTruthSpy’s owner about the flaw but received no reply.
When contacted by TechCrunch, Van (Vardy) Thieu, the operation’s director, claimed that the source code was “lost,” hindering his ability to rectify the issue.
As of publication, the vulnerability remains active, posing a significant risk to the thousands believed to have their phones unknowingly compromised by TheTruthSpy’s spyware.
In light of the public risk, we will not share further details about the vulnerability to prevent aiding malicious actors.
A concise overview of TheTruthSpy’s various security flaws
TheTruthSpy has functioned as a significant spyware entity for nearly a decade, previously ranking among the largest online phone surveillance operations.
Developed by 1Byte Software, a Vietnam-based spyware company headed by Thieu, TheTruthSpy has spawned numerous similar Android spyware applications, including Copy9 and the now-defunct iSpyoo and MxSpy. All of these applications rely on the same backend systems that TheTruthSpy’s customers use to access illicitly collected phone data.
As a result, any security weaknesses discovered in TheTruthSpy also affect users and victims of any spyware application employing its underlying code.
In a 2021 inquiry into the stalkerware industry, TechCrunch uncovered a security flaw in TheTruthSpy that exposed the private data of approximately 400,000 victims to the public internet, including intimate messages, photos, call logs, and historical location data.
Subsequently, TechCrunch obtained files from TheTruthSpy’s servers, shedding light on the operational mechanics of the spyware. These files contained a catalog of every Android device compromised by TheTruthSpy or its partner apps. Although the list did not provide enough information for the identification of each victim personally, it enabled TechCrunch to create a lookup tool for potential victims.
Further reporting, backed by hundreds of leaked documents from 1Byte’s servers sent to TechCrunch, revealed that TheTruthSpy was involved in a large-scale money-laundering operation that used counterfeit documents and false identities to circumvent restrictions imposed by credit card processors on spyware activities. This scheme allowed TheTruthSpy to funnel millions of dollars from illicit customer payments into bank accounts around the world that were controlled by its operators.
In late 2023, TheTruthSpy encountered another data breach, exposing the personal information of an additional 50,000 victims. TechCrunch received a copy of this data and updated its lookup tool accordingly.
TheTruthSpy continues data exposure and rebrands as PhoneParental
Currently, some initiatives under TheTruthSpy have halted, while others have rebranded to escape reputational damage. TheTruthSpy remains operational, still utilizing much of its insecure source code and vulnerable backend systems while adopting the new identity of a spyware app called PhoneParental.
Thieu continues to be involved in developing phone-monitoring software and facilitating surveillance activities.
An analysis of TheTruthSpy’s current web infrastructure using public internet records reveals that the operation still relies on a software framework developed by Thieu called JFramework (formerly the Jexpa Framework). TheTruthSpy and its associated spyware apps use this framework to transmit collected data back to its servers.
In an email, Thieu asserted that he was rebuilding the apps from the ground up, including a new application named MyPhones.app. However, a network analysis by TechCrunch indicated that MyPhones.app still depends on the JFramework for its backend operations, consistent with the system employed by TheTruthSpy.
TechCrunch offers guidance on identifying and removing stalkerware from your phone.
TheTruthSpy, akin to other stalkerware providers, remains a threat to victims whose phones have been compromised, not only due to the sensitive data it gathers but also because of its ongoing inability to safeguard its victims’ information.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support for victims of domestic abuse and violence. In emergencies, please dial 911. The Coalition Against Stalkerware provides resources for individuals suspecting their phones may have been compromised by spyware.