A significant security vulnerability has been identified in two popular mobile surveillance applications, Cocospy and Spyic, potentially exposing sensitive data of millions of individuals whose devices have been monitored without their knowledge. The flaw enables unauthorized access to various types of personal information, including messages, call logs, and photos collected by these applications. The discovery matches a broader pattern of security concerns with surveillance tools, similar to the EagleMsgSpy surveillance tool identified in Chinese law enforcement operations.
The vulnerability, discovered by a security researcher, affects applications that are marketed primarily for parental and employee monitoring purposes but are frequently deployed for covert surveillance. These apps typically operate by disguising themselves as system services on Android devices to avoid detection, using similar techniques to those seen in sophisticated banking trojans like the BRATA malware.
Beyond compromising the personal data of monitored individuals, the security flaw also exposes the email addresses of users who registered to use the monitoring services. Technical investigation has traced the applications to a Chinese developer using server infrastructure through Cloudflare and Amazon Web Services for hosting. Both service providers have not provided comment regarding potential actions against the spyware. The practice of using legitimate cloud services for malicious purposes resembles tactics seen in recent sophisticated phishing campaigns targeting corporate credentials.
The applications in question operate by collecting extensive personal data from monitored devices, including message content, telephony logs, and photographic material. The data collection capability, combined with the current security vulnerability, creates potential risks for unauthorized access to sensitive information. The scope of data collection raises concerns similar to those addressed in recent privacy lawsuits regarding unauthorized mobile data collection.
The discovery highlights the technical and privacy implications of mobile surveillance applications, particularly those designed to operate covertly. The exposure of both monitor and monitored users’ data demonstrates the broader security considerations inherent in surveillance software deployment, underscoring the growing challenges of balancing monitoring capabilities with privacy protection in mobile environments.
Sources: SC World
Follow Us