Android-based phone monitoring application LetMeSpy has disclosed a security breach that allowed unauthorized third parties to steal sensitive data associated with thousands of Android users.
“As a result of the attack, the criminals gained access to the email addresses, phone numbers, and message content collected on the account,” LetMeSpy said in an announcement on its website, noting the incident occurred on June 21, 2023.
Following the discovery of the hack, LetMeSpy said it has notified law enforcement and data protection authorities. It is also taking steps to suspend all account-related functions until further notice. The identity of the threat actors and their motives are currently unknown.
The work of Polish company Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its subscribers to spy on others simply by installing the software on their devices. An Internet Archive snippet from December 2013 indicates that it is billed as a tool for parental or employee controls.
LetMeSpy comes packed with features to collect call logs, SMS messages and geolocations, all of which can be accessed from websites. In an effort to avoid detection and removal, app icons can be hidden from the device’s home screen launcher.
As of January 2023, the stalkerware app has been used to track 236,322 mobile phones worldwide, collecting more than 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.
Polish security research blog Niebezpiecznik, which first reported the breach and analyzed the stolen data dump, said it included about 26,000 email addresses, 16,000 SMS messages, and a database of victims’ locations.
Further review of the leaked information by TechCrunch has revealed that the data goes back to 2013, when LetMeSpy started operating. The logs also contain data from at least 13,000 compromised devices. The majority of victims were in the US, India and parts of Africa.