Support King, banned by the FTC, linked to a new stalkerware operation • TechCrunch
one year later was banned by the Federal Trade Commission, a notorious phone surveillance company is back in all but name, a TechCrunch investigation has found.
A groundbreaking order from the FTC in 2021 forbidden the stalkerware app SpyFone, its parent company Support King and its CEO Scott Zuckerman from the surveillance industry. The order, approved unanimously by the regulator’s five acting commissioners, also required Support King to delete phone data it illegally collected and notify victims that its app was secretly installed on their device.
Stalkerware, or spouse software, are apps that are surreptitiously installed by someone with physical access to a person’s phone, often under the guise of tracking family or monitoring children, except these apps are designed to stay hidden on home screens, while they load silently. the content of a person’s phone, including their text messages, photos, browsing history, and granular location data.
But many stalkerware applications, such as child guard, laverdadspia Y xnspy — have security flaws that put the personal phone data of thousands of people at further risk.
That also includes SpyFone, whose unsecured cloud storage server spilled the personal data stolen from the phones of more than 2,000 victims, prompting the FTC to investigate and subsequently ban Support King and his CEO Zuckerman so that they do not offer, distribute, promote or help sell surveillance applications.
Since then, TechCrunch has received more tranches of data, including from the internal servers of a stalkerware application called SpyTrac, which is run by developers linked to Support King.
Meet Aztec Labs
With over 1.3 million devices compromised, SpyTrac is one of the largest known active Android stalkerware operations, surpassing the number of victims caught by TheTruthSpy. more than triple. Despite its vast international reach, US visitors to SpyTrac’s website are blocked with an abrupt message that “your country is not supported.”
But SpyTrac is just like any other stalkerware app, including its ability to stay hidden on the victim’s device. The SpyTrac website also does not mention the people running the operation, likely to protect developers from legal and reputational risks associated with running a stalkerware operation.
According to data and other public records seen by TechCrunch, SpyTrac is run by developers who work for both Support King and a team of developers called Aztec Labs, which builds and maintains SpyTrac’s stalkerware operation. Aztec Labs also maintains a nearly identical Spanish-language stalkerware app called Espía Móvil (which translates to “spy mobile”), and another cloned stalkerware app called StealthX Pro, the data shows.
Some of the data found on the SpyTrac server directly connects SpyTrac to Support King.
One of the files on the server contained a set of Amazon Web Services private keys that allow access to cloud storage associated with Support King and GovAssist, a website that claims to help immigrants obtain US visas and permanent residence permits. . The keys also enable cloud storage access for OneClickMonitor, a cloned stalkerware app that was shut down by Support King at the same time as SpyFone.
Both support king Y GovAssist They are headed by CEO Scott Zuckerman.
When contacted by email, Zuckerman told TechCrunch: “We are investigating your claims that internal SpyTrac data was storing AWS keys that may be connected to S3 buckets related to Support King, GovAssist, and OneClickMonitor. We take this very seriously and will comply with all provisions of the FTC Order.”
Access logs viewed by TechCrunch show at least two Aztec Labs developers logging into SpyTrac’s servers using different sets of credentials, but each from the same IP addresses. Both developers logged in from IP addresses registered to a Bosnian residential broadband provider using credentials associated with Aztec Labs, SpyTrac, and Support King email addresses.
One of the developers is the technical lead at Aztec Labs, which LinkedIn says is based in Sarajevo. His other public freelance portfolios list his work as a program manager at Support King, a role he describes as “managing the entire IT team.”
According to LinkedIn profiles and other job portfolios, SpyTrac’s technical lead and other developers also work at Zuckerman’s latest company, GovAssist.
The access logs also show a third developer logging into SpyTrac’s servers, also from his home IP address in Sarajevo, using different sets of credentials associated with Support King, Aztec Labs, and GovAssist email addresses.
In response, Zuckerman told TechCrunch: “Neither I nor any of my businesses are affiliated with Aztec Labs, SpyTrac or [the technical lead, who] He worked as an independent contractor for Support King between June 2019 and October 2021. We also do not have access to the SpyTrac servers.”
The SpyFone connection
SpyFone, the stalkerware app banned by the FTC in September 2021, is no longer working.
The internal SpyTrac data we’ve seen shows that SpyFone issued its last client license just days before the FTC banned it. SpyFone’s domain name was sold out to another phone surveillance maker, SpyPhone. Customers who tried to log in to the SpyFone web panel, used to access the victim’s stolen data, were redirected to the SpyPhone website.
The FTC’s 2021 order also required Support King to remove data it had illegally collected from SpyFone. But SpyTrac’s internal data seen by TechCrunch still contains thousands of records associated with SpyFone licenses assigned to buying customers’ email addresses.
Each SpyFone license was sold by a reseller with a Support King email address, the data showed.
SpyTrac also caught the attention of security researchers. Vangelis Stykas Y Felipe Solferini, whose months-long investigation identified common and easy-to-find security flaws in several families of stalkerware, including SpyTrac. His findings, which they presented at BSide London this month, involved decompiling the applications and mapping their server infrastructure using public Internet data. Evidence from him links SpyTrac to Support King.
Zuckerman said in response: “Support King removed all data on its servers connected to SpyFone and OneClickMonitor clients pursuant to the FTC Order.”
Shortly after TechCrunch contacted Zuckerman for comment, SpyTrac’s website went offline with a message stating that “product is temporarily unavailable.” The websites of SpyTrac clone stalkerware apps, StealthX Pro and its Spanish clone Espía Móvil, also went offline. The Aztec Labs website also stopped loading.
Stalkerware is a difficult problem to combat. These operations are clandestine by design, making it difficult for regulators to investigate or know what jurisdiction they fall under.
In 2020, the FTC took its first action against a stalkerware operator, Retina-X, which was hacked multiple times and then to close. The FTC’s second action was against Support King a year later.
Businesses that violate the FTC’s orders can face significant civil penalties. Earlier this year, Twitter was organized to pay $150 million for violating a 2011 FTC order.
Instead, much of the effort against stalkerware and other commercial surveillance has been taken up by the tech industry, including device makers Apple and Google, which have banned stalkerware apps. In 2020, Google also banned ads in its search results that promote stalkerware. Anti-malware vendors that are members of the Coalition Against Stalkerware, which was launched in 2019 to support stalkerware victims and survivors, collectively share known stalkerware apps and network signatures to prevent them from working on their customers’ phones.
A former FTC attorney, who reviewed our findings prior to publication, told TechCrunch that the evidence points to a possible violation of the FTC’s ban. As to whether Support King broke its agreement with the FTC, it will ultimately be up to the agency to decide.
When contacted, an FTC spokesperson declined to comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free and confidential 24/7 support to victims of domestic violence and abuse. . If you are in an emergency situation, call 911. The Coalition Against Stalkerware You also have recourse if you think your phone has been compromised by spyware. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or email@example.com via email.