Cyber criminals have stolen text messages, call logs and location data from the popular phone monitoring app LetMeSpy.
It’s a cruel twist of fate for the software provider, whose product enables customers to monitor other people’s phone activity.
The technology is advertised to parents for keeping an eye on their children and to employers for monitoring their staff. However, they have got more than they bargained for, as the information they have surreptitiously captured is now also in the hands of cyber criminals.
In a notice on its login page, LetMeSpy said an unauthorised actor accessed its internal systems on 21 June.
The compromised information includes users’ email addresses and telephone numbers, as well as the content of messages collected on accounts.
The spyware who bugged me
LetMeSpy is a controversial product even if you discount its privacy woes. It is essentially a piece of spyware that lets people breach others’ privacy and monitor what they’re doing.
There might be an understandable reason to want this level of monitoring. LetMeSpy’s customers are ostensibly parents who want to protect their children from malign influences and employers preventing security threats.
In both instances, you can see why LetMeSpy would be useful. But there is something undeniably unpalatable about all of this. The software promotes itself on its lack of transparency, describing its product as “very light and […] invisible to the user”.
Elsewhere, it notes that its monitoring practices are designed to stay hidden, making it difficult to detect and remove.
It’s one thing to collect people’s personal data, but it’s something else to do so without informing them that you’re doing so – or how you’re doing it.
If the goal is to stop your children or your employees from accessing undesirable or unsafe content, there are easier and less intrusive methods than logging every single piece of activity on their device.
For instance, Google’s SafeSearch feature automatically filters out offensive and inappropriate material, while administrators can block access to certain websites.
These make for efficient and respectful solutions to the threat of dodgy Internet habits, whereas LetMeSpy offers not threat protection but entrapment. Users won’t necessarily know that certain websites are off-limits, and there are no barriers to prevent them from something that they are later confronted about.
Besides, the technology doesn’t only capture web browsing habits. It also tracks text messages, call logs and precise location data, which is uploaded to its servers and is available for the operator (the employer or the parent) to view in real time.
For instance, its website says that parents can “see who your child called and who is calling them and how long they talked. Find out where your kids are. Protect your children from being influenced by dangers of their environment”.
If the goal is to prevent threats (to security or morals), then this sort of software introduces far more problems than it solves.
That would be the case, of course, if software such as LetMeSpy was in fact designed for semi-legitimate purposes such as tracking employee behaviour.
However, there is a far bigger target market for this sort of technology – one where the app’s invisibility makes far more sense. So popular is this market that the technology is sometimes named after it: spouseware.
Designed for abuse
Although LetMeSpy is coy in its marketing about who its software is aimed at, its rivals are more direct in the benefits of installing undetectable spyware on someone else’s device.
One of those competitors, the eponymously named Spouseware, includes a video on its home page of a woman tracking her partner as he goes about his day.
She demonstrates her ability to listen in on his phone calls, hack into his front and rear camera, trace his GPS location, view his screen and listen to previous phone conversations.
The woman advertising the technology on Spouseware’s own website describes its features as “creepy”, while the site consistently refers to the person being spied on as “the victim”.
So that suggests some level of self-awareness. Unfortunately, the site assures users that their deception won’t be detected by claiming that “We take your privacy and anonymity very seriously”.
That’s wonderful news for the customers, but the safety and privacy of its victims is clearly less of an issue.
And, unfortunately, the number of victims of this technology is surging. Spouseware claims to have 1.8 million users, while LetMeSpy has been downloaded on more than 236,000 phones – although only 13,000 people have been compromised in this cyber attack.
In a breach notification, LetMeSpy said that it had notified law enforcement and the Polish data protection authority – where the organisation is based – but it’s unclear whether it has notified affected users.
That is perhaps not a surprise, because the true victims here are not the account holders but the people being spied upon. Notifying them of the breach would be difficult because LetMeSpy doesn’t process their information directly, nor does it have a lawful reason to do so.
More to the point, a notification would undermine LetMeSpy’s paying customers, who are using the product on the proviso that those affected don’t know that they’re being spied upon.
As soon as they were informed of the breach, they would learn that their personal data is the company’s product, and it has been abused in more ways than one.