LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone’s home screen, making it difficult to detect and remove.
Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone — such as spouses or domestic partners — with physical access to a person’s phone, without their consent or knowledge.
Hackers have stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware.
The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”
“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the notice read (as quoted by Hacker News).
Ray Kelly, fellow at the Synopsys Software Integrity Group, tells Digital Journal: “This hack demonstrates the importance of security testing when it comes to mobile applications. However, mobile apps—especially ones downloaded from Apple’s App Store or Google Play—are more difficult to test than traditional web applications for security vulnerabilities.”
Kelly adds: “If a mobile app vendor wants to ensure that its app is secure, then it’s critical to examine three areas where malicious actors can take advantage: First, the app itself should be tested for things like unencrypted credentials and the leakage of personally identifiable information, which could be stolen by hackers.”
Next, Kelly says: “Security testing should be conducted on the network layer to ensure the app is using a secure connection (SSL) and is not leaking data to third-party sites.”
The third point Kelly makes is: “Mobile app vendors must also test back-end systems, such as open storage buckets or API non-validated inputs that could lead malicious actors to carry out SQL Injection attacks and potentially steal an entire database; this is where it appears LetMeSpy’s weakness was found.”
No harmony for Discord
In related cybersecurity news, the company Discord recently suffered a data breach due to the unauthorized access of a third-party support agent’s account. As a result, the support agent’s ticket queue was compromised, leading to the exposure of user email addresses, messages exchanged with Discord support, and any attachments sent with the tickets.
Discord claimed they immediately addressed the issue by quickly eliminating the compromised account. However, cybercriminals are hard to pin down, so monitoring and forensics remain crucial even when the attack seems to be very limited in scope and reach.
Almog Apirion, CEO & Co-Founder of Cyolo, says: “In the case of Discord’s breach disclosed today, the company swiftly handled the compromised account, demonstrating its effective identity access control measures. However, cybercriminals are elusive, so monitoring and forensics remain crucial even when the attack seems to be very limited in scope and reach.”
In terms of lessons to be learned, Apirion recommends: “To enhance network security and mitigate further risks, Discord – and companies facing such third-party challenges – should implement key post-attack identity management procedures. This proactive approach includes assuming that other accounts are compromised and that attackers have potentially accessed other vital systems through the support ticketing system.”
Furthermore, Apirion says: “Companies in similar situations must evaluate the exposure of customer data in routine systems like support ticketing tools, ensuring that compromised accounts do not result in unauthorized disclosure of sensitive information. As a potential next step, Discord should also notify the companies relying on their services to monitor their systems for potential threats arising from this incident.”