A little-known phone surveillance operation known as Spyzie has affected over half a million Android devices and thousands of iPhones and iPads, as revealed by a security researcher.
Many of the device owners impacted by this operation are likely unaware that their phone data has been compromised.
The security researcher who discovered the issue stated that Spyzie shares the same vulnerability as Cocospy and Spyic, two similar stalkerware apps that have exposed the data of over 2 million individuals. This vulnerability allows unauthorized access to messages, photos, and location data from compromised devices.
The bug also exposes the email addresses of individuals who signed up to Spyzie to target someone else’s device.
The researcher exploited the bug to obtain 518,643 unique email addresses of Spyzie customers and shared this information with TechCrunch and Troy Hunt, the operator of the Have I Been Pwned data breach notification site.
This leak highlights the widespread use of consumer phone surveillance apps within society, even from relatively unknown operations like Spyzie. Despite being restricted by Google from running ads in search results, these apps have managed to gain thousands of paying customers.
Cocospy, Spyic, and Spyzie collectively have over three million users.
The leak also underscores the common flaws in stalkerware apps, which expose both the customer’s and the victim’s data to risks. Even in cases where parents use these apps to monitor their children, they inadvertently put their kids’ data at risk of being accessed by hackers.
Spyzie is now the twenty-fourth stalkerware operation since 2017 to have its victims’ sensitive data exposed due to security vulnerabilities.
The operators of Spyzie have not responded to TechCrunch’s request for comment, and the bug remains unfixed at present.
Planted Android apps and stolen Apple credentials
Apps like Spyzie, Cocospy, and Spyic are designed to remain hidden on the device, making them hard to detect by the victims. These apps continuously upload the victim’s device contents to the spyware’s servers, accessible to the individual who installed the app.
The shared data shows that the majority of affected Spyzie victims are owners of Android devices, which require physical access to install the Spyzie app, typically by someone who knows the device passcode.
These apps are often used in abusive relationships, where individuals are aware of their partner’s device passcode.
Spyzie has also been utilized to target at least 4,900 iPhones and iPads.
Apple devices have stricter app rules, so stalkerware often accesses victim’s data stored in iCloud using their Apple account credentials.
Some compromised Apple device owners date back to early 2020 to as recent as mid-2024 based on leaked Spyzie records.
How to remove Spyzie stalkerware
Individual victims of Spyzie’s surveillance could not be identified from the scraped data, but there are steps you can take to determine if your phone was compromised.
For Android users: Even if Spyzie is hidden, you can dial *#001# into your Android phone’s keypad and call button to check if Spyzie is installed.
This feature allows the individual who planted the app to access the phone and can also be used by the victim to detect the app.
TechCrunch has a guide on Android spyware removal to help identify and remove common phone stalkerware and secure your device settings.
It’s important to have a safety plan in place as deactivating spyware may alert the installer.
For iPhone and iPad users: Ensure two-factor authentication is enabled on your Apple account to protect against potential hacks. Also, remove any unrecognized devices linked to your Apple account.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. In emergency situations, call 911. The Coalition Against Stalkerware has resources if you suspect spyware has compromised your phone.
