LetMeSpy is a form of phone monitoring app that may be used for parental control or employee surveillance, depending on how the program is promoted. The application has also been purposefully developed to conceal itself on the home screen of a mobile device, making it harder to find and eliminate. These types of phone monitoring applications, which are also known as stalkerware or spouseware, are often put on a person’s phone by someone with physical access to the person’s phone, such as a spouse or domestic partner, without the person’s agreement or knowledge. This practice is common in abusive relationships.
Once LetMeSpy has been planted, it will discreetly send the user’s text messages, call records, and exact location data to its servers. This will enable the person who planted the program to follow the target individual in real time.
These surveillance apps have a high level of access to a person’s phone, yet they are notorious for bugs and elementary security errors. Over the years, several spyware applications have been hacked, or have leaked and exposed the private phone data obtained from victims who were unaware that they were being monitored.
In a notification posted on the app’s login page, the phone monitoring software, which is used to spy on thousands of individuals using Android phones throughout the globe, said that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”
The LetMeSpy website said in January that its malware had been used to monitor over 236,000 devices and had collected tens of millions of call records, text messages, and location data points to date. At the time this article was written, all of the counters on the website showed a value of zero. It seems that a significant portion of the site’s functionality is broken, including the spyware application itself.
As a direct consequence of the attack, the perpetrators gained access to e-mail addresses, telephone numbers, and the contents of messages that were stored on accounts. It is not known who is responsible for hacking LetMeSpy or what their motivations are. The hacker gave the impression that they had erased the databases that LetMeSpy had saved on the server. Later on the same day, a copy of the hacked database was also posted online. The issue was first discovered by the Polish security research blog Niebezpiecznik. When Niebezpiecznik contacted the spyware company for comment, the hacker apparently answered instead, claiming to have gained broad access to the spyware firm’s website.
In its notification of the incident, LetMeSpy said that it had informed both law enforcement and the UODO, the Polish institution responsible for data security. It is unknown whether LetMeSpy will notify the victims whose phones were hacked and spied on, or even whether the firm has the power to do so.