Spyzie stalkerware targets Android and iPhone users with secret spying

More than 500k devices affected

Spyzie stalkerware infects 500k Android and iOS devices

A dangerous type of malware called Spyzie is secretly spying on thousands of Android and iOS users around the world.[1] Sold as a tool for parents to monitor their children’s phone activity, Spyzie is actually a form of stalkerware that can track private information like messages, calls, photos, and locations without the user’s knowledge.

This malware has severe security flaws that have exposed the data of over 500,000 victims and customers, putting their privacy at serious risk. It joins a relatively long list of stalkerware apps (mSpy,[2] Cocospy, Spyic, etc.) that exposed user data in some way.

Malware can steal information about call logs, text messages, and more

Spyzie is malicious software that acts as stalkerware,[3] monitoring phone activity in secret. The application functions as a parental control tool, but it also gives anyone the ability to monitor others against their will. After installation, Spyzie gains access to a range of device data, including SMS texts and call recordings, geographic location, and device content such as images and videos.

On Android, installing Spyzie requires direct access to the device. Ill-intentioned individuals typically install the tracking app after briefly having the victim's phone in their possession.

Once installation is complete, Spyzie becomes invisible to regular users, so they are unable to detect its presence. The application transfers all the device data it collects to its servers, where a third party can access it from any remote location.

On iOS, Spyzie works without any software being downloaded to the device. Instead, it uses the victim's iCloud account credentials to gain unauthorized access to the data stored in Apple's cloud. Without directly accessing the victim's phone, sophisticated attackers can view and monitor all messages and photos stored in iCloud using stolen login information. Spyzie poses a global threat to users of both Android and iOS.

Spyzie software has a security vulnerability

In addition to its surveillance capability, Spyzie has a critical security vulnerability that puts victims and clients alike at risk. Security researchers discovered a weakness in Spyzie's infrastructure that grants unauthorized users access to the data it gathers. This includes highly personal information such as SMS messages, call logs, and even physical location data for over half a million victims. To add insult to injury, the vulnerability also exposes the email addresses of over 518,000 paid subscribers.

Despite being informed of this issue, the company responsible for Spyzie has yet to fix it. This means that the data of thousands of individuals is still exposed and could be exploited by hackers or other malicious actors. The breach is particularly hazardous because it compromises not only the victims being spied upon but also the customers who believed their activity on the app was confidential.

This security flaw underscores the broad range of dangers inherent in using stalkerware. Even individuals who believe they are in control of it, such as the customers who deploy Spyzie, can find their own information compromised. Furthermore, this situation raises serious questions about the firm's dedication to user privacy and data.

Using Spyzie? Here's what to do next

Spyzie is hard to detect and uninstall, but users can take certain steps to protect themselves. The steps differ for Android and iOS because the malware behaves differently on each.

For Android users

One way to check whether Spyzie is installed is to dial 001 on your phone keypad and then tap the call button. This code may open a secret menu if Spyzie is installed. If you see this menu, the malware is on your device. To remove it, go to your phone's settings, find the application (it will be hidden or disguised), and uninstall it immediately. After the app has been uninstalled, reset the passcode of your phone to prevent continued use.

For iOS users

Since Spyzie does not install a program on the device, it is harder to detect on iOS. The most effective way to protect yourself is to lock down your iCloud account. Use a strong, unique password and enable two-factor authentication (2FA) to make it more difficult for another person to get into your account. If you believe that another person has your iCloud login details, reset your password right away and reach out to Apple support for assistance.

In addition, be careful when sharing your passcode or account details, and be wary of phishing emails that try to obtain your login details. All users should keep the software on their phones up to date, as updates usually contain security fixes aimed at keeping malware out. If you are certain that your phone is tapped, it is a good idea to perform a factory reset; however, you ought to back up important data first.[4]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.

