
A new security flaw in TheTruthSpy phone spyware is putting victims at risk | TechCrunch


A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed.

Independent security researcher Swarang Wade discovered the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, resulting in the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are running it without the consent of their targets, who are unaware that their phone data is being siphoned off to someone else.

This fundamental flaw shows, once again, that makers of consumer spyware such as TheTruthSpy, and its many competitors, can’t be trusted with anyone’s data. These surveillance apps not only facilitate illegal spying, often by abusive romantic partners, but they also have shoddy security practices that expose the personal data of both victims and perpetrators.

To date, TechCrunch has counted at least 26 spyware operations that have leaked, exposed, or otherwise spilled data in recent years. By our count, this is at least the fourth security lapse involving TheTruthSpy.

TechCrunch verified the vulnerability by providing the researcher with the username of several test accounts. The researcher quickly changed the passwords on the accounts. Wade tried to contact the owner of TheTruthSpy to alert him of the flaw, but he didn’t receive any response.

When contacted by TechCrunch, the spyware operation’s director Van (Vardy) Thieu said the source code was “lost” and he can’t fix the bug.

As of publication, the vulnerability still exists and presents a significant risk to the hundreds of people whose phones are believed to be unknowingly compromised by TheTruthSpy’s spyware.

Given the risk to the general public, we’re not describing the vulnerability in more detail so as not to aid malicious actors.

A brief history of TheTruthSpy’s many security flaws

TheTruthSpy is a prolific spyware operation with roots that go back almost a decade. For a time, the spyware network was one of the largest known phone surveillance operations on the web.

TheTruthSpy is developed by 1Byte Software, a Vietnam-based spyware maker run by Thieu, its director. TheTruthSpy is one of a fleet of near-identical Android spyware apps with different branding, including Copy9, and since-defunct brands iSpyoo, MxSpy, and others. The spyware apps share the same back-end dashboards that TheTruthSpy’s customers use to access their victim’s stolen phone data.

As such, the security bugs in TheTruthSpy also affect customers and victims of any branded or whitelabeled spyware app that relies on TheTruthSpy’s underlying code.

As part of an investigation into the stalkerware industry in 2021, TechCrunch found that TheTruthSpy had a security bug that was exposing the private data of its 400,000 victims to anyone on the internet. The exposed data included the victims’ most personal information, including their private messages, photos, call logs, and their historical location data.

TechCrunch later received a cache of data from TheTruthSpy’s servers, exposing the inner workings of the spyware operation. The data also contained a list of every Android device compromised by TheTruthSpy or one of its companion apps. While the list of devices didn’t contain enough information to personally identify each victim, it allowed TechCrunch to build a spyware lookup tool for any potential victim to check whether their phone was found in the list.

Our subsequent reporting, based on a large number of leaked documents from 1Byte’s servers sent to TechCrunch, revealed that TheTruthSpy relied on a massive money-laundering operation that used forged documents and false identities to skirt restrictions put in place by credit card processors on spyware operations. The scheme allowed TheTruthSpy to funnel hundreds of thousands of dollars of illicit customer payments into bank accounts around the world controlled by its operators.

In late 2023, TheTruthSpy had another data breach, exposing the private data of another 50,000 new victims. TechCrunch was sent a copy of this data, and we added the updated records to our lookup tool.

TheTruthSpy, still exposing data, rebrands to PhoneParental

As it stands, some of TheTruthSpy’s operations wound down, and other parts rebranded to escape reputational scrutiny. TheTruthSpy still exists today, and it has kept much of its buggy source code and vulnerable back-end dashboards while rebranding as a new spyware app called PhoneParental.

Thieu continues to be involved in the development of phone-monitoring software, as well as the ongoing facilitation of surveillance.

According to a recent analysis of TheTruthSpy’s current web-facing infrastructure using public internet records, the operation continues to rely on a software stack developed by Thieu called the JFramework (previously known as the Jexpa Framework), which TheTruthSpy and its other spyware apps rely on to share data back to its servers.

In an email, Thieu said he was rebuilding the apps from scratch, including a new phone-monitoring app called MyPhones.app. A network analysis test performed by TechCrunch shows MyPhones.app relies on the JFramework for its back-end operations, the same system used by TheTruthSpy.

TechCrunch has an explainer on how to identify and remove stalkerware from your phone.

TheTruthSpy, much like other stalkerware operators, remains a risk to the victims whose phones are compromised by its apps, not just because of the highly sensitive data that they steal, but because these operations continually prove that they can’t keep their victims’ data safe.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.


Content Reference

This article is adapted from techcrunch.com. We’ve restructured and rewritten the content for a broader audience with improved readability and search engine marketing formatting.
