A recently discovered security vulnerability in two phone-monitoring apps, Cocospy and Spyic, has put the personal data of millions of people at risk. The flaw, found by a security researcher, allows unauthorized access to sensitive information such as messages, photos, call logs, and more.

The vulnerability affects two differently branded mobile stalkerware apps that share largely the same source code. The bug not only exposes the personal data of victims but also reveals the email addresses of individuals who have signed up for these services to monitor others. These apps are designed to remain hidden on a victim’s device while secretly uploading their data to a dashboard accessible by the person who installed the app.

Similar to other forms of spyware, products like Cocospy and Spyic are often marketed as parental control or employee-monitoring tools but are frequently used to spy on spouses or romantic partners without their knowledge, which is illegal. Many phone owners are likely unaware that their devices have been compromised due to the stealthy nature of these apps.

The operators of Cocospy and Spyic have not responded to requests for comment, and the bug remains unfixed at the time of publishing. The vulnerability is relatively simple to exploit, and to prevent further exposure, specific details of the vulnerability will not be disclosed.

The security researcher who discovered the bug was able to collect 1.81 million email addresses of Cocospy customers and 880,167 email addresses of Spyic customers by exploiting the vulnerability. The researcher shared the data with Troy Hunt, who runs the data breach notification service Have I Been Pwned.

Hunt loaded a combined total of 2.65 million unique email addresses registered with Cocospy and Spyic into Have I Been Pwned, after removing duplicate email addresses. The data is marked as “sensitive,” meaning only the affected individuals can search to see if their information is included.

Cocospy and Spyic are the latest in a long list of surveillance products that have experienced security issues due to bugs or poor security practices. According to TechCrunch’s running count, these apps are among 23 known surveillance operations that have been hacked, breached, or otherwise exposed customers’ and victims’ sensitive data online since 2017.

Phone-monitoring apps like Cocospy and Spyic are typically sold as parental control or employee-monitoring apps but are often referred to as stalkerware or spouseware. These products are banned from app stores and usually require physical access to a device to be installed, often with prior knowledge of the device’s passcode.

Stalkerware with a China nexus

Little is known about the operators of Cocospy and Spyic, including their identities. Stalkerware operators often avoid public attention due to the reputational and legal risks associated with running surveillance operations.

Cocospy and Spyic were launched in 2018 and 2019, respectively. Based on the number of registered users, Cocospy is one of the largest-known stalkerware operations currently in operation.

Security researchers Vangelis Stykas and Felipe Solferini found evidence linking the operation of Cocospy and Spyic to 711.icu, a China-based mobile app developer. TechCrunch installed the apps on a virtual device and used a network analysis tool to understand how the spyware operations work and where the servers are located.

The analysis showed that the apps were sending data via Cloudflare, a network security provider that hides the true location and web host of the spyware operations. The web traffic also revealed that the apps were uploading some victims’ data to a cloud storage server hosted on Amazon Web Services.

Neither Amazon nor Cloudflare responded to TechCrunch’s inquiries about the stalkerware operations. The analysis also showed that the server would occasionally respond with status or error messages in Chinese, suggesting a connection to China.

What you can do to remove the stalkerware

The email addresses scraped from Cocospy and Spyic allow individuals who planted the apps to determine if their information and their victim’s data were compromised. However, the data does not contain enough information to notify individuals whose phones are compromised.

To check if your phone is compromised by Cocospy and Spyic, you can try entering ✱✱001✱✱ on your Android phone’s keypad and pressing the “call” button. This will make the stalkerware apps appear on-screen if they are installed.

You can also check your installed apps through the apps menu in the Android Settings menu, even if the app is hidden from view. TechCrunch has a general Android spyware removal guide that can help you identify and remove common types of phone stalkerware.

For Android users, switching on Google Play Protect can help protect against malicious apps, including stalkerware. Enabling two-factor authentication and using a password manager can also enhance security. iPhone and iPad users should check their Apple account settings and remove any unrecognized devices.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. The Coalition Against Stalkerware has resources available if you think your phone has been compromised by spyware.

Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch via SecureDrop.