by Danny Bradbury
A hosting company took down a database operated by a spying app this week after it was found displaying thousands of intimate images and recordings online.
MobiiSpy, an Android app that can be used to track what people do on their phones, left over 95,000 images and 25,000 audio recordings on a publicly accessible database, according to a report by Motherboard on 22 March.
Although the database didn’t include names or contact information, it did contain call records and photos that could be used to identify the phones’ owners.
The app lets the operator read the target’s phone contacts and texts and even trigger remote recordings without the target’s knowledge. According to researchers, its developer had hardcoded the database URL directly into the app.
The breach was so bad that Motherboard couldn’t name the company while the databases were still up.
Security researcher Cian Heasley found the database and notified the publication, which then tried to get the vendor to take it down. The company’s owner, John Nguyen, reportedly wouldn’t respond to emails sent to multiple addresses.
Meanwhile, the app was still in use and the pictures and audio recordings were stacking up every day. When Motherboard originally reported the story, the data had been publicly available for at least six weeks.
Motherboard also tried to alert GoDaddy, which is the domain registrar for the Mobiispy.com website, but the company reportedly said there wasn’t much it could do. At the time of publishing this article, the MobiiSpy website is inaccessible.
Codero, the hosting company that housed the exposed databases on its computers, wouldn’t return reporters’ emails, the publication said. However, it did leap into action after Motherboard published the story and finally took down the database.
Dodgy app vendors 0 – Internet 2