A critical vulnerability in the mobile surveillance apps Cocospy and Spyic is exposing the personal data of millions of individuals whose devices have been unknowingly compromised, TechCrunch reports.
According to a security researcher, the flaw allows unauthorized access to messages, call logs, photos, and other sensitive information collected by the apps. Additionally, it reveals the email addresses of those who signed up for the service to monitor others.
Despite previous security concerns surrounding spyware, Cocospy and Spyic remain active, with 2.65 million unique email addresses linked to them. The apps often evade detection by masquerading as system services on Android devices.
While typically marketed for parental or employee monitoring, they are frequently used for covert surveillance, raising legal and ethical concerns. Investigations have linked the apps to a Chinese developer, whose servers are being obscured through Cloudflare and Amazon Web Services. Both companies declined to comment on potential actions against the spyware.
