Retina-X Studios violates the FTC Act and COPPA Rule by producing stalkerware apps PhoneSheriff, TeenShield, and MobileSpy
On October 22, 2019, the US Federal Trade Commission issued a press release about a settled case with Retina-X Studios, LLC, and its owner James N. Johns, Jr. The company was accused of producing stalkerware applications that violated users' privacy and rendered them vulnerable to cyberattacks. The apps were also in breach of the FTC Act and the Children's Online Privacy Protection Act Rule.
According to the official report, Retina-X Studios produced three apps, named MobileSpy, PhoneSheriff, and TeenShield, that allowed recording and monitoring of personal data, primarily on children's and employees' devices. Researchers claim that these programs were designed to operate in the background on mobile phones and illegally track users' private information:
Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses.
Even though Retina-X Studios stopped producing the three apps in 2018, over 15,000 subscriptions had already been purchased, so the “stalkerware” possibly ended up on thousands of users' mobile phones.
Users who installed the apps in question had to weaken the security of their phones
The apps recorded user information such as the content of received SMS messages, pictures taken, phone numbers dialed and received, web browsing history, and even the current location:
The FTC alleges that the Retina-X apps allowed purchasers to access sensitive information about device users, including the user’s physical movements and online activities. At the same time, devices on which the apps were installed were exposed to security vulnerabilities.
Those who wanted to install one of these applications had to disable restrictions set by the device, which opened a loophole in the smartphone's security and allowed the stalking apps to perform their activities. Additionally, some people might not even be aware of the program running on their phones, as the apps' instructions included a step that allowed potential attackers to prevent the app's icon from appearing on the screen.
Security incidents in 2017 and 2018 compromised app users' private data
The FTC reports that Retina-X Studios failed to protect users' private information, including that of children. The company's policy claimed that all harvested user information would be safely protected; however, the incidents show the opposite. In February 2017 and again in February 2018, the apps' database was breached by unknown attackers using compromised account credentials, which resulted in the leak of personal information belonging to thousands of users.
Hackers gained access to information such as login details (usernames and encrypted passwords), contact lists, photos, current locations, etc. However, Retina-X Studios and its director did not take this incident seriously until a journalist contacted the company directly and reported a hacking incident involving the firm's apps that touched the person directly:
The company and Johns did not learn about the first intrusion until April 2017 when they were contacted by a journalist, who was tipped off by the hacker.
The company and its director are required to ensure further user protection
The Federal Trade Commission claims that Retina-X Studios and its creator Johns are guilty of violating the FTC Act in relation to deceptive app uses, as well as the Children's Online Privacy Protection Act. As a result, the company is required to develop high-end protection for its applications, especially with regard to children under thirteen.
The firm should ensure that private information is always kept safe, that the programs are “used only for legitimate purposes”, and that collected data is removed from Retina-X Studios' databases. Additionally, the company needs to develop an app icon that can be removed from the screen of a child's mobile device only with the permission of the parent or guardian who installed the app in the first place.
According to the FTC, users need to be cautious and maybe even purchase a new mobile phone if they have spotted any signs of stalkerware. The symptoms might include degraded device performance, crashing applications, phone battery deterioration, the inability to turn the device off or on at the first try, and similar.