Victims suffer a “double whammy”: they have now lost their privacy to not only their stalker(s) but also cybercriminals!
Phone tracking app, LetMeSpy recently announced that they had been hacked. A notice to app users stated ““As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.” The hacker(s) had even posted contents of the app’s hacked database on the Dark Web on the same day.
The app in question is marketed to be a parental control or phone spying/monitoring application, used for tracking phone activities, including location data. The app is designed to stay hidden in the target smartphone, and supposedly to be installed with the phone owner’s consent or knowledge.
Despite the potential for abuse of the spyware app’s functionality, the current data breach brings to light the dangers of people who were being stalked or spied upon now being in the gunsights of hackers and scammers.
Furthermore, this data breach demonstrates the importance of security testing when it comes to mobile applications, according to Kelly Ray, Principal Security Engineer, Synopsys Software Integrity Group. “If a mobile app vendor wants to ensure that its app is secure, then it’s critical to examine three areas where malicious actors can take advantage:
- The app itself should be tested for things like unencrypted credentials and the leakage of personally identifiable information (PII), which could be stolen by hackers.
- Security testing should be conducted on the network layer to ensure the app is using a secure connection (SSL) and is not leaking data to third-party sites.
- Lastly, mobile app vendors must also test back-end systems such as open storage buckets or API non-validated inputs that could lead malicious actors to carry out SQL Injection attacks and potentially steal an entire database; this is where it appears LetMeSpy’s weakness was found.
Ray also noted that mobile apps — especially those downloaded from official mobile app stores — “are more difficult to test than traditional web applications for security vulnerabilities.”
