Amazon is being a bit cheeky about not taking action against some shady phone surveillance apps that are storing people’s private data on Amazon’s servers. TechCrunch gave them a heads up about this weeks ago, but the apps Cocospy, Spyic, and Spyzie are still at it, uploading and storing photos taken from unsuspecting victims’ phones on Amazon Web Services.
What’s the deal with these apps?
A security researcher spilled the beans that these three Android apps are basically triplets, sharing the same source code and a major security flaw. They’ve exposed the private data of about 3.1 million people, many of whom have no clue their phones have been compromised. Yikes!
Should Amazon be doing something about this?
TechCrunch reached out to Amazon, which basically said it is “following their process” but didn’t confirm whether it will shut down the storage buckets being used by these apps. Come on, Amazon, do something!
Why should we care?
Amazon’s own rules say they don’t allow spyware on their platform, but it seems like they’re dragging their feet on this one. It’s not up to journalists or anyone else to police Amazon’s platform; Amazon has the resources to enforce its own policies and stop bad actors from abusing its service.
How did we find out about this?
When TechCrunch gets wind of a surveillance-related data breach, we dig deep to uncover the operations behind it. We try to help the victims and expose the creeps behind the surveillance. Our investigations can also reveal which platforms are being used to host the stolen data, like in this case with Amazon.
So, what now?
We’ve given Amazon the scoop on these sketchy apps, but it looks like they’re not rushing to do anything about it. Here’s hoping they step up and kick these apps off their servers.
The majority of victims of stalkerware were found to be Android device owners, so TechCrunch decided to dive in and investigate. By setting up a virtual Android device, we were able to install the Cocospy and Spyic apps without putting any real-world data at risk. Both apps cleverly disguised themselves as “System Service,” trying to fly under the radar among Android’s built-in apps.
Uncovering the Truth Behind Stalkerware
Using a network traffic analysis tool, we dug into the data being sent and received by the apps. This allowed us to see exactly what kind of information was being stealthily uploaded from our test device. And what we discovered was alarming – the stalkerware apps were sending victims’ data, including photos, to storage buckets hosted on Amazon Web Services.
Delving Deeper into the Dark World of Stalkerware
Logging into the user dashboards of Cocospy and Spyic revealed a chilling reality. These dashboards gave the creators of the stalkerware apps access to the stolen data from their targets. By purposely compromising our virtual device with the stalkerware apps, we were able to see our own photo gallery contents on the web dashboards. And to our dismay, the images loaded from web addresses linked to Amazon Web Services.
Unveiling Spyzie’s Data Breach
After news broke of Spyzie’s data breach, TechCrunch took a closer look at their Android app. Using a network analysis tool, we found that Spyzie was behaving in the same shady manner as Cocospy and Spyic. The app was also sending victims’ device data to its own storage bucket on Amazon’s cloud. We promptly alerted Amazon to this breach on March 10th.
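The traffic analysis described above boils down to spotting which captured requests go to Amazon S3, the AWS service that stores data in buckets, and which bucket each one names, so the bucket can be reported to the provider. Here is an added example of that check in Python; it is not TechCrunch's tooling, it assumes the app uses standard S3 hostnames, and the capture, hosts and bucket names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# legacy <bucket>.s3-<region>.amazonaws.com, optionally with a "dualstack." label.
VHOST = re.compile(
    r"^(?P<bucket>.+)\.s3[.-](?:dualstack\.)?(?:[a-z0-9-]+\.)?amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
PATH_STYLE = re.compile(r"^s3[.-](?:dualstack\.)?(?:[a-z0-9-]+\.)?amazonaws\.com$")

# Constructed sample capture: (method, URL, request body bytes). Hosts and bucket
# names are placeholders, not values from the investigation described on this page.
CAPTURE = [
    ("POST", "https://api.tracker.example/v1/checkin", 412),
    ("PUT", "https://placeholder-bucket-a.s3.amazonaws.com/img/0001.jpg", 183204),
    ("PUT", "https://placeholder-bucket-a.s3.us-west-2.amazonaws.com/img/0002.jpg", 95870),
    ("POST", "https://s3.eu-west-1.amazonaws.com/placeholder-bucket-b/upload", 20480),
    ("GET", "https://placeholder-bucket-a.s3.amazonaws.com/img/0001.jpg", 0),
    ("PUT", "https://s3.amazonaws.com.cdn.example/placeholder-bucket-c/x", 10),
]


def s3_bucket(url):
    """Return the bucket a URL addresses, or None if the host is not an S3 endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    match = VHOST.match(host)
    if match:
        return match.group("bucket")
    if PATH_STYLE.match(host):
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None  # look-alike hosts such as s3.amazonaws.com.cdn.example land here


def uploads_by_bucket(requests):
    """Count upload requests (PUT/POST) and body bytes per destination bucket."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for method, url, body_len in requests:
        bucket = s3_bucket(url)
        if bucket and method in ("PUT", "POST"):
            totals[bucket]["requests"] += 1
            totals[bucket]["bytes"] += body_len
    return dict(totals)


if __name__ == "__main__":
    for bucket, t in uploads_by_bucket(CAPTURE).items():
        print(f"{bucket}: {t['requests']} uploads, {t['bytes']} bytes")
```

The patterns cover the common `amazonaws.com` endpoint forms only; other AWS partitions and custom domains in front of a bucket would need their own handling.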
If you or someone you know is experiencing domestic abuse or violence, reach out to the National Domestic Violence Hotline for free and confidential support at 1-800-799-7233. In case of emergency, dial 911. And if you suspect your phone has been compromised by spyware, the Coalition Against Stalkerware has resources to help.
