Spyhide Stalkerware Spies on Tens of Thousands of Phones

Spyhide, an Iranian-developed Android stalkerware app, has compromised 60,000 devices since 2016.

New data reveals that Spyhide, a phone surveillance app, secretly gathers private phone data from tens of thousands of Android devices globally. Spyhide, a commonly used stalkerware or spouseware app, gets installed on a victim’s phone, typically by someone who knows their passcode.

The app’s purpose is to remain concealed on the victim’s phone’s home screen, making detection and removal challenging. After installation, Spyhide quietly and continuously uploads the phone’s contacts, messages, photos, call logs, recordings, and real-time location details.

Stalkerware apps, despite having stealthy access to a victim’s phone data, are notorious for their bugs and tendencies to inadvertently expose or leak the stolen private data, highlighting the risks posed by phone surveillance apps.

Spyhide is the newest addition to this expanding list of spyware operations.

In a blog post, Switzerland-based hacker Maia Arson Crimew revealed that the spyware company inadvertently exposed part of its development environment, which provided access to the source code of the web-based dashboard used by abusers to view the stolen phone data of their victims. Crimew exploited a vulnerability in the poorly coded dashboard, gaining access to the back-end databases and revealing the inner workings of the secretive spyware operation and its suspected administrators.

Crimew shared a copy of Spyhide’s text-only database with TechCrunch for verification and analysis.

Years of Stolen Phone Data Recorded

The Spyhide database had extensive records from around 60,000 compromised Android devices, spanning from 2016 to the mid-July exfiltration date. These records encompassed call logs, text messages, and precise location history dating back several years. They also contained details about each file, including timestamps for when photos or videos were captured and uploaded, as well as the duration of recorded calls.

Spyhide’s database also had records of 750,000 users who registered with the intention of installing the spyware app on a victim’s device.

Despite the large number of users, the records indicate that most of them did not proceed to compromise a phone or make payments for the spyware, suggesting a limited actual use of surveillance apps.

That said, although most of the compromised Android devices were each controlled by a single user, our analysis revealed that over 4,000 users had control over more than one compromised device. A smaller number of user accounts managed dozens of compromised devices.

The data also contained:

  • 3.29 million text messages with sensitive information like two-factor codes and password reset links.
  • Over 1.2 million call logs, including receiver phone numbers and call duration.
  • Approximately 312,000 call recording files.
  • More than 925,000 contact lists with names and phone numbers.
  • Records for 382,000 photos and images.

Additionally, the data held information on nearly 6,000 ambient recordings secretly captured from the victim’s phone microphone.

Found Out to Be Produced in Iran, and Hosted in Germany

On its website, Spyhide doesn’t mention who runs the operation or where it originated. Due to the legal and reputational risks linked to selling spyware and enabling surveillance, it’s common for spyware administrators to attempt to conceal their identities.

However, despite Spyhide’s attempts to hide the administrator’s role, the source code revealed the names of two Iranian developers who benefited from the operation. Mostafa M., one of the developers, whose LinkedIn profile indicates he is currently in Dubai, previously resided in the same northeastern Iranian city as the other Spyhide developer, Mohammad A., as shown in registration records linked to Spyhide’s domains.

The developers did not reply to multiple email requests for comments.

Apps like Spyhide, which openly promote and endorse covert spousal surveillance, are prohibited from Google’s app store. Instead, users must obtain the spyware app from Spyhide’s website.

Researchers installed the spyware app on a virtual device and used a network traffic analysis tool to observe the data entering and leaving the device. This virtual setup allowed them to execute the app within a secure sandbox, devoid of any actual data, such as location. The traffic analysis demonstrated that the app transmitted the data from the virtual device to a server hosted by the German web hosting company Hetzner.

What Can You Do About Spyware

Android spyware apps frequently camouflage themselves as regular Android apps or processes, making their detection challenging. Spyhide takes on the guise of a Google-themed app named “Google Settings” with a cog icon, or it appears as a ringtone app called “T.Ringtone” with a musical note icon. Both of these apps seek permission to access a device’s data and promptly initiate the transmission of private data to their servers.

You can review your installed apps by accessing the apps menu in the Settings, even if the app is concealed on the home screen.
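
The traits described above (the two disguise names, installation from outside Google's app store, a hidden home-screen icon, and broad access to device data) can be combined into a simple triage pass over an app inventory. The following Python example is an added illustration, not part of the original article or of any tool it mentions. The inventory record format, the permission threshold, and the placeholder package names are assumptions made for the example.

```python
# Added example (not from the article): triage an app inventory for Spyhide-like traits.
SPYHIDE_LABELS = {"google settings", "t.ringtone"}  # disguise names given in the article
PLAY_STORE = "com.android.vending"                  # installer package of Google Play
# Permissions matching the data types the article says Spyhide uploads.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def triage(apps, perm_threshold=4):
    """Return (package, reasons) for apps worth a manual look, most reasons first."""
    findings = []
    for app in apps:
        if app["system"]:  # preinstalled apps are out of scope for this check
            continue
        reasons = []
        sideloaded = app["installer"] != PLAY_STORE
        if app["label"].strip().lower() in SPYHIDE_LABELS:
            reasons.append("label matches a Spyhide disguise")
        held = SURVEILLANCE_PERMS & set(app["permissions"])
        if sideloaded and len(held) >= perm_threshold:
            reasons.append(f"sideloaded with {len(held)} surveillance permissions")
        if sideloaded and not app["launcher_icon"]:
            reasons.append("sideloaded and hidden from the home screen")
        if reasons:
            findings.append((app["package"], reasons))
    return sorted(findings, key=lambda f: len(f[1]), reverse=True)

# Constructed inventory; the com.example.* package names are placeholders, not real indicators.
SAMPLE = [
    {"label": "Settings", "package": "com.android.settings", "installer": None,
     "system": True, "launcher_icon": True, "permissions": []},
    {"label": "Google Settings", "package": "com.example.placeholder.a",
     "installer": None, "system": False, "launcher_icon": False,
     "permissions": sorted(SURVEILLANCE_PERMS)},
    {"label": "Maps", "package": "com.example.maps", "installer": PLAY_STORE,
     "system": False, "launcher_icon": True,
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"]},
    {"label": "T.Ringtone", "package": "com.example.placeholder.b",
     "installer": None, "system": False, "launcher_icon": True,
     "permissions": ["android.permission.READ_CONTACTS"]},
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE):
        print(package, "->", "; ".join(reasons))
```

A match is a prompt for manual review in the Settings apps menu, not proof of infection, since a label alone can belong to a legitimate app.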

Frequently Asked Questions

How Can I Report Spyhide or Similar Apps?

If you come across stalkerware apps like Spyhide, you can report them to the appropriate authorities and cybersecurity organizations. Additionally, you can report them to the app stores where they are distributed to have them removed.

What are the Risks of Using Spyhide or Similar Apps?

Using stalkerware like Spyhide not only violates privacy and legal boundaries but can also lead to severe consequences, including legal actions. It can damage relationships, cause emotional distress, and result in criminal charges for the person using it.

How Can I Protect my Phone From Stalkerware Like Spyhide?

To protect your device from stalkerware, avoid downloading apps from unverified sources, regularly review app permissions, and keep your device’s software up to date. You can also use security apps that detect and prevent stalkerware installations.

What Should I do if I Suspect Spyhide is on My Phone?

If you suspect Spyhide or any stalkerware on your device, it’s crucial to take action immediately. Consider removing the app if you can do so safely. Additionally, consult with cybersecurity experts or legal authorities for guidance on addressing the situation.
